Learn DNN / DotNetNuke

You need to Register for free and Login to post a message in the forum.

Forum

Forums
Search Forum
Advanced SearchTopicsPosts

Forums > DotNetNuke® > DotNetNuke® Questions

web.config & passwordFormat

Last Post 07/11/2011 11:09 AM by Joseph Craig. 1 Replies.

Sort:

Check this box to subscribe to this topic.	Prev Next
You are not authorized to post a reply.

Author

Messages

mgordon

Nuke Master
Posts:208

07/11/2011 10:25 AM
Hi, I'm modifying the web.config to take into consideration security hardening of the website per Mitchel Sellers posting about keeping DNN User passwords secure: http://www.mitchelsellers.com/blogs...tnuke.aspx Basically, it says to use "HASHED in the passwordFormat line along with turning off the enablePasswordRetrieval (set it to FALSE). When I look at my web.config, I see the following for passwordFormat: passwordFormat="[Clear\|Hashed\|Encrypted]" When I look at enablePasswordRetrieval line, I see the following: enablePasswordRetrieval="[true\|false]" So, what does these entries mean? Do I delete the Clear and Encrypted to get HASHED for the passwordFormat? Are my passwords currently being formatted as "CLEAR"? Do I delete the "true" out of the line for enablePasswordRetrieval? How do I know what it is currently doing? Or, are these settings in the web.config reflected elsewhere in the CMS as a toggle that I can switch on or off? What gives? Thnaks, Mark

Mark Gordon Webmonkey

Joseph Craig
DNN MVP
Posts:11667

07/11/2011 11:09 AM
Mark, This is the section from a web.config file: <!-- Configuration for AspNetSqlMembershipProvider: connectionStringName="string" Name corresponding to the entry in <connectionStrings> section where the connection string for the provider is specified maxInvalidPasswordAttempts="int" The number of failed password attempts, or failed password answer attempts that are allowed before locking out a user?s account passwordAttemptWindow="int" The time window, in minutes, during which failed password attempts and failed password answer attempts are tracked enablePasswordRetrieval="[true\|false]" Should the provider support password retrievals enablePasswordReset="[true\|false]" Should the provider support password resets requiresQuestionAndAnswer="[true\|false]" Should the provider require Q & A minRequiredPasswordLength="int" The minimum password length minRequiredNonalphanumericCharacters="int" The minimum number of non-alphanumeric characters applicationName="string" Optional string to identity the application: defaults to Application Metabase path requiresUniqueEmail="[true\|false]" Should the provider require a unique email to be specified passwordFormat="[Clear\|Hashed\|Encrypted]" Storage format for the password: Hashed (SHA1), Clear or Encrypted (Triple-DES) description="string" Description of what the provider does --> <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="SiteSqlServer" enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="false" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" requiresUniqueEmail="false" passwordFormat="Encrypted" applicationName="DotNetNuke" description="Stores and retrieves membership data from the local Microsoft SQL Server database" /> I think that you were quoting from a comment block that shows all of the possibilities. You want to edit the line that actually defines the attributes of the AspNetSqlMembershipProvider. So you'll want to include: passwordFormat="Hashed" enablePasswordRetrieval="false" By default, the passwords are encrypted. I think that you can safely change the passwordFormat, and these will be changed for existing users only when you edit the password. But, to be on the safe side, make sure that you have a backup of the database and that you try this first on a test installation. Hashed passwords cannot be recovered!

Joe Craig, Patapsco Research Group Complete DNN Support

You are not authorized to post a reply.

Forums > DotNetNuke® > DotNetNuke® Questions

Latest Forum Posts

Can you Run Xcode in Linux? by Aman Singh

Can you Run Xcode in Linux?

Can you Run Xcode in Linux? by Aman Singh

Can you Run Xcode in Linux?

Billed for subscription that was canceled by Ryan

I was just billed for a subscription that was canc eled / inactivetive how do I get a refund for th

Meta Title and Meta Description are not showing properly by DNN User

Hi, On my site the meta title and meta descriptions are not showing properly. It's showing the m

Search is not functioning properly by DNN User

Site: https://www.prv-engineering.co.uk/search If I search any item only the 1st option under sea

Search is not functioning properly by DNN User

Site: https://www.prv-engineering.co.uk/search If I search any item only the 1st option under sea

DNN Platform import site optio by Melanie Weaver

Is it possible to import site template in DNN Platform 8.0? We have internal Evoq Content 8.1 tha

Events Module for DNN V5? by Tugboat

Would anyone have a download link for the version 5.0.3 Events Module? Thanks!

"Ghost" TabID Number? by Tugboat

Hi! I have a portal instance with multiple child portals and on one of the child portals, there i

RE: DNN Load Testing by ayman sharkawy

Hi. Have you already implemented a site using the DNN . And how the performance of the site and its

Publish All Pages by NSUOK

I'm using DNN Evoq Content Basic 8.2.0. When I make the HTML Pro module display on all pages, I h

Simpler profile needed in 9.2.2 by Donald

We are upgrading a DNN 4.8.4 site to DNN 9.2.2. On 4.8.4, the top bar shows the user’s name. If yo

How to link from dnnmodal popup to web site page? by Donald

Hello all. I am using a dnnmodal.show popup. The popup works correctly, showing the content that I

RE: Document Collaboration by Nick Davern

That feature would be super beneficial for our needs as well! Does anyone have an update as to if th

RE: DNN 9.2, how to set default theme? by Andy Stephenson DNN Creative

you do that under "Manage/Themes". Note the highlight blue border around the default container and d

DNN 9.2, how to set default theme? by Donald

Please disregard, found Manage Themes I cannot find how to set a default portal theme in DNN 9.2

RE: Looking for DataSprings Dynamic Forms by Andy Stephenson DNN Creative

Your best chance would be to contact Chad Nash @ http://www.datasprings.com/

Looking for DataSprings Dynamic Forms by Jakir HM

Looking for DataSprings Dynamic Forms 3.4 for DNN 4.x 5.x for my site (https://themasters2018s.com/)

RE: Help with Cycle Image Carousel not displaying images by peter

I had the same problem with the Will Strohl Content Slider after upgrading to DNN 9.1 The above an

RE: Object reference not set to an instance of an object by Andy Stephenson DNN Creative

Check this one might be useful: http://www.dnnsoftware.com/answers/im-tryin-to-move-my-site-to-pr

Used
By

Testimonials

| The SoloCoder Podcast | Google | Privacy Statement | Terms Of Use