In this post I'll walk through the simple process of changing your configuration to go from Encrypted Passwords to Hashed passwords and a bit of detail as to "why" you want to make the change.
Why Hashed Instead of Encrypted?
This is a pretty common question that I get from people and the short, simple answer is with regards to how the passwords can be used. If you have Encrypted passwords, it is possible to retrieve the users current password and e-mail it to them. It is equally as easy for any custom module to read the passwords of user accounts with a simple API call.
Hashing the passwords uses a forward-only method to store the passwords in a secure pattern, and when users login the same hashing process is used to validate the password, rather than decrypting the password and comparing it. Additionally when hashed password resets from the core will send users a new password, which helps to reduce the risk exposed by sending passwords via e-mail in that at least you are not potentially giving away a users "common" password.
Where Is This Configured?
The configuration of the Membership system is done in the web.config, and a default DotNetNuke configuration section looks like this.
<add name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="SiteSqlServer"
enablePasswordRetrieval="true"
enablePasswordReset="true" r
requiresQuestionAndAnswer="false"
minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="0"
requiresUniqueEmail="false"
passwordFormat="Encrypted"
applicationName="DotNetNuke" />
The property we are concerned with is the "passwordFormat" field as well as the "enablePasswordRetrieval" property. We need to be concerned with both, as it isn't possible to 'retreive' your password when they are hashed, so failing to change both properties will result in errors.
How/When to Make the Change
Now, on the surface this looks like a really simple change, update two values, and we are done, right? Well it isn't quite so easy as there are a number of things you need to look at, so I'll discuss the actual change and situations to consider.
The Change
For all scenarios the changes are the same, enablePasswordRetrieval should be set to false and passwordFormat should be set to "Hashed". As with any change of this nature, be sure to take a full site and database backup, just in case it doesn't workout as planned.
New Installs - Before Installation
When working with a new install, if you make the changes noted above BEFORE you run the install wizard, you will have a portal setup from the beginning with the proper configuration. This way is the most preferred as it is simple, quick, and doesn't expose you to any risks at all. Once the portal is installed, simply use as you would normally.
New Installs - Limited User Base
If you have a newer installation but don't yet have a large number of users on the system you can still make the change, your existing users will be able to login to the portal, but their passwords will forever be in the "Encrypted" state. (Per my testing). Once you make the change, it is recommended that you create "different" users for each of these user accounts, which will keep all users secure, and all users with the same password format. You can simply delete the old user accounts.
Now, as you can imagine this is not an ideal situation, so doing it before you install is the best option overall
Existing Installs - Large User Base
This conversion requires a lot more effort to change and coordinate. I have written a module that does this, but am working through issues on DNN 5.5.x and later where it isn't working as it should. Regardless, a more manual process is needed to temporarily decrypt the passwords, then one-by-one reset the user passwords back to the same thing, just hashed this time around.
Conclusion
I hope that you find this helpful. Keeping user information secure is a very important task, and this is just one way that we can help keep things secure.
Reasons why you must trust ASPHostPortal.com
Every provider will tell you how they treat their support, uptime, expertise, guarantees, etc., are. Take a close look. What they’re really offering you is nothing close to what ASPHostPortal does. You will be treated with respect and provided the courtesy and service you would expect from a world-class web hosting business.
You’ll have highly trained, skilled professional technical support people ready, willing, and wanting to help you 24 hours a day. Your web hosting account servers are monitored from three monitoring points, with two alert points, every minute, 24 hours a day, 7 days a week, 365 days a year. The followings are the list of other added- benefits you can find when hosting with us:
- DELL Hardware
Dell hardware is engineered to keep critical enterprise applications running around the clock with clustered solutions fully tested and certified by Dell and other leading operating system and application providers.
- Recovery Systems
Recovery becomes easy and seamless with our fully managed backup services. We monitor your server to ensure your data is properly backed up and recoverable so when the time comes, you can easily repair or recover your data.
- Control Panel
We provide one of the most comprehensive customer control panels available. Providing maximum control and ease of use, our Control Panel serves as the central management point for your ASPHostPortal account. You’ll use a flexible, powerful hosting control panel that will give you direct control over your web hosting account. Our control panel and systems configuration is fully automated and this means your settings are configured automatically and instantly.
- Excellent Expertise in Technology
The reason we can provide you with a great amount of power, flexibility, and simplicity at such a discounted price is due to incredible efficiencies within our business. We have not just been providing hosting for many clients for years, we have also been researching, developing, and innovating every aspect of our operations, systems, procedures, strategy, management, and teams. Our operations are based on a continual improvement program where we review thousands of systems, operational and management metrics in real-time, to fine-tune every aspect of our operation and activities. We continually train and retrain all people in our teams. We provide all people in our teams with the time, space, and inspiration to research, understand, and explore the Internet in search of greater knowledge. We do this while providing you with the best hosting services for the lowest possible price.
- Data Center
ASPHostPortal modular Tier-3 data center was specifically designed to be a world-class web hosting facility totally dedicated to uncompromised performance and security
- Monitoring Services
From the moment your server is connected to our network it is monitored for connectivity, disk, memory and CPU utilization – as well as hardware failures. Our engineers are alerted to potential issues before they become critical.
- Network
ASPHostPortal has architected its network like no other hosting company. Every facet of our network infrastructure scales to gigabit speeds with no single point of failure.
- Security
Network security and the security of your server are ASPHostPortal’s top priorities. Our security team is constantly monitoring the entire network for unusual or suspicious behavior so that when it is detected we can address the issue before our network or your server is affected.
- Support Services
Engineers staff our data center 24 hours a day, 7 days a week, 365 days a year to manage the network infrastructure and oversee top-of-the-line servers that host our clients’ critical sites and services.