Thanks Sebastian.
Sounds like there is scope there for a utility to convert all encrypted passwords into hashes. If DNN already checks both, it seems like a logical thing to do when DNN detects a change in the web.config from encrypted>hashed.
This would improve the security of the platform I reckon. Does anyone know if such a thing exists, or perhaps a 3rd-party tool?
Of course, the password remains encrypted until the user updates it. If the DNN password format is set to "hashed", the new password would be stored as a hashed value.
Posted By Sebastian Leupold on 06 Sep 2019 11:43 AM:
Of course, the password remains encrypted until the user updates it. If the DNN password format is set to "hashed", the new password would be stored as a hashed value.
I could not reproduce this. I tried to change the password for a user who had PasswordFormat=2 in the aspnet_membership table, and after the change, it still was 2. I created a new user, and the password format is 1 for this user. So changing the password does not "upgrade" the password format.
Happy DNNing! Michael
Michael Tobisch, DNN★MVP
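An audit query for the situation discussed in this thread, added here as an example and not part of any of the posts above. It assumes the standard ASP.NET Membership tables (`aspnet_Membership`, `aspnet_Users`) with no database owner or object qualifier, and the .NET `MembershipPasswordFormat` values (0 = Clear, 1 = Hashed, 2 = Encrypted).

```sql
-- Added example (T-SQL), read-only. It never selects the Password or
-- PasswordSalt columns, so the output is safe to share in a ticket.
-- Assumption: default table names, no databaseOwner/objectQualifier prefix.

-- 1) How many accounts are stored in each password format.
SELECT m.PasswordFormat,
       CASE m.PasswordFormat
            WHEN 0 THEN 'Clear'
            WHEN 1 THEN 'Hashed'
            WHEN 2 THEN 'Encrypted'
            ELSE 'Unknown'
       END      AS FormatName,
       COUNT(*) AS Accounts
FROM aspnet_Membership AS m
GROUP BY m.PasswordFormat
ORDER BY m.PasswordFormat;

-- 2) Accounts that are not hashed yet. ChangedSinceCreation = 1 marks users
--    who have changed their password at least once and still have the old
--    format, which is the behaviour reported in the last post.
SELECT u.UserName,
       m.PasswordFormat,
       m.CreateDate,
       m.LastPasswordChangedDate,
       CASE WHEN m.LastPasswordChangedDate > m.CreateDate
            THEN 1 ELSE 0
       END AS ChangedSinceCreation
FROM aspnet_Membership AS m
JOIN aspnet_Users      AS u ON u.UserId = m.UserId
WHERE m.PasswordFormat <> 1
ORDER BY m.LastPasswordChangedDate DESC;
```

Running the first query before and after switching the password format in web.config shows whether existing accounts are actually moving to the hashed format over time.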