We are using Dynamic Login, and we need an alternative to the "Send Password" option that is sending the unencrypted user password in an email to the user. The flow we would like is for the user to be able to enter username or email, and to be able to request a password reset. Ideally, user would be taken to a page on the site where a new password could be entered and confirmed, and then returned to the login screen to login. Alternatively, user could receive an email with a new system-generated temporary password, with instructions to login and expect to be required to do an immediate password change.

Are either of these process flows possible with DR and DL?

Following is edited message (names and site specifics obfuscated) received yesterday from an unhappy user:

From: irate user

Date: August 16, 2010 4:40:05 PM EDT

To: admin@oursite.com

Subject: Re: The Oursite Password Reminder

Uhmmm... where do I start?

In our world today, we have passwords for everything. Most people use the same password for a LOT of different venues. If compromised in one place, it's compromised in all those places. So your note at the end of the attached email, "please disregard this Message" is kind of absurd, right? Translated, it means, we just sent you somebody's access codes that they probably use in a lot of other places, so go ahead and have a good time. No, wait, I mean just pretend you didn't ever get this note."  Heck, why have passwords at all, eh?

Next, and this may be a little technical, but there is ABSOLUTELY NO REASON in the world anybody, including me, should have access to my unencrypted password from your system. My unencrypted password should never see the light of day. It gets encrypted by my browser using SSL, sent to your server where it SHOULD be immediately one-way encrypted for storage. With one-way encryption, the original cannot be recovered... even NSA works up a sweat trying to do it. The rest of us can only reset the password and have the user start again.

I consider your online security vis a vis passwords to be a deep breach of trust. I suggest you hire a serious professional to rectify the situation IMMEDIATELY, esp. before word gets around town... and beyond.

--I.rate



On Aug 16, 2010, at 4:15 PM, admin@oursite.com wrote:

Dear Irate User,

You have requested a Password Reminder from Oursite.

Please login using the following information:

Portal Website Address: www.oursite.com

Username:   userxxx

Password:

Sincerely,

Oursite

*Note: If you did not request a Password Reminder, please disregard this Message.

Hi Worth - Thanks for your feedback. We have had many requests on how the request a password feature works within Dynamic Login however typically each users request seems to be different/unique. For a time being we changed the feature to be similar to how DNN Login handles password change requests however too many clients wanted it changed back to the original method where it simply emails the user their password based on their username. I think what we should do is offer multiple methods to let you choose (and to some degree you already can).

Just a few comments:
1. Right now the password only gets emailed to the users email address, the password is still encrypted in the database. This is also how DNN sends passwords out, it sends them encrypted in the database but then decrypted when sending the password to the user via email.

2. I think its pretty common to either a. receive an email that includes your password within a forgot password system or b. receive a link that will at least allow you to 'create a new password' even if it doesn't include your old password in the email. Currently Dynamic Login and the DNN Core Login only offers a (it does send the password, not just a hyperlink to reset the password).

For now, if you want to user to enter other security questions you can implement that feature in Dynamic Registration. You can also force the user to the main DNN Forgot Password Page or any other page you might want by simplying change the link within the Dynamic Login Template to that forgot password link. To find the hyperlink you can click 'Forgot password' in the DNN Core Login module.

I would agree though that Dynamic Login would benefit int he future by having more options for how the password retrieval worked. I think at the least the ability to now send an email but rather send a hyperlink to the user to click on so that they can reset their password would be the best. We will review this for future versions, if you need something outside of our release schedule you can also pick up Premium Support hours and have us handle it directly based on your specs.

Thanks,

Chad

Chad,

I certainly see the dilemma, if part of the user base wants the simple ability to send password via email and part wants to avoid it. I would agree that having choices is the best answer.

For now, I think we will have to handle it by disabling the "Send Password" functionality, and inviting the user to contact us if they can't login. We'll reset password, which will trigger an email with the generated password, and we'll follow up with an email instructing them to login, then go to their profile to create a new password. It would be nice if the "force password change" functionality worked with DL, but it apparently doesn't. I tried it on a test account, but the test user was able to login with existing password.

I think the best process, for us, would be the combination of the challenge question, followed by a link to a password change page. That way, we would be maximizing the likelihood that it is the real user asking to make the change, and the change could be made directly on the site, without having to transmit passwords via email.

Next best would be for a "forgot password" link on the login page to trigger password reset, with email sent with generated password, and "force password change" status set so that, when user logs in with generated password, s/he is forced to the password change page.

Thanks for considering this.

Worth

Thanks for your feedback Worth... We will review all of the different options for future versions and hopefully offer more flexibility.

Also - The force password change should be integrated with Dynamic Login, within module configuration there is an option for what page you want the user to be navigated too for both the force password change and force profile change when they are enabled. The only thing is that you can redirect them but they will still be signed in at this time.

Thanks,

Chad

Hi, I just thought I would jump in here because this is something of great interest to me.

It seems to me that "Irate User" is suggesting the use of "Hashed" passwords, which are one way encrypted, cannot be retrieved, and can only be reset.

While DNN has technically alwasys supported hashed passwords, in reality they could not be used because things like require question/answer just did not work.

Recently I did some testing with DNN v5.5 with hashed passwords, and DNN guys have finally implemented it correctly. I posted some info about this in the DNN Authentication forum: http://www.dotnetnuke.com/Community...fault.aspx

Chad, it would be great if you could verify that DR and DL work properly with DNN 5.5 configured for hashed passwords.

The concept of truly forcing a user to change their password after it has been reset and emailed to them would be a very good enhancement to DL. It really needs to support that properly.

Rob Ralston

Hi Chad,

Any thoughts about this?

Rob

Hi Rob,

This is on our list to review but we have several other items in front of it (specifically a few paid Premium Support items and a few items related to Image Uploads syncing with the new Profile Image that DNN offers). So, I agree that we need to verify that cashed passwords work with both DR and DL but at this time its a little further down the list.

-Chad

The cached password access need is not as real as the need to provide a "change password" page, i.e. an option, when a password reset is chosen by the administrator, or the user enters email or username and asks for a new password, instead of sending a generated temporary password, send an email with a link that puts the user on a page with username already filled, and the ability for the user to create a new password.

Can that be provided soon?

Hi Chad, we have one question about that: we use DL version 2.20.10 and is not working the "force password change", how we can do that? because in the DNN login option works fine.

Please can you help me on that?

Thanks!!!

Hi Christian,

Dynamic Login 2.2 is more than 3 years old and is no longer supported. Please consider upgrading to the latest version of Dynamic Login 4.0 to make sure you have all the latest fixes and enhancements. Thanks!

https://www.datasprings.com/products/dnn-modules/dynamic-login


Candace

Thanks a lot river guide, but I have a little problem, our sites are DNN version 4.7 & 4.82, and I cant upgrade at this moment. Can you help me to know if are a DL version with this functionallity for these DNN versions?

Thanks again,

Christian.