0
votes

I've inherited a DotNetNuke site that was built and managed by someone who thought storing user passwords as plain text was a good idea because he could easily look up a password and tell the user what it is if they forgot it and to log in as them if they had an issue. After recovering from my heart attack at discovering this and getting my mind to navigate away from the idea of how stupid that is, I need to fix it.

I know to change the web.config settings to use the correct password configuration, but was hoping someone else who's had to do this with a DotNetNuke site might provide some guidance on the best way to approach this. Should I just use standard .NET code and write an app to cycle through them and change them, or do I need to use the DotNetNuke user objects? Any article links or sample code would be really helpful. I've found posts about doing this generally but not in the context of a DotNetNuke site, and am unsure if there are any special considerations I need to take into account.

1
Do not encrypt the passwords; that is only marginally better because the encryption key will have to be available. Also, hashing is not encryption. You need to use something such as PBKDF2 or bcrypt that will hash the passwords with a salt and iteration count. – zaph

Yeah, I understand that. I'm just looking specifically for implementation advice / code sample for doing this with a DotNetNuke site. – CodeConqueror

1 Answer

0
votes

Sadly there isn't any real documentation that I'm aware of that would handle this. My recommendation would be to make the web.config change to hashed. After doing this user resets will start using the new format.

You could then write a simple module that grabs all users with plain text and resets their password using the ChangePassword API call from the UserController API. It isn't elegant but would get the job done.
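
To check whether the approach described in this answer is actually converting accounts, here is an added example (not part of the original answer, and not DNN's own code): a T-SQL check of the stored format per account. It assumes the site uses the default ASP.NET membership tables `dbo.aspnet_Users` and `dbo.aspnet_Membership`, where `PasswordFormat` is 0 for clear, 1 for hashed and 2 for encrypted.

```sql
-- Added example: assumes the default ASP.NET membership schema
-- (dbo.aspnet_Users / dbo.aspnet_Membership) behind DNN's stock provider.
-- PasswordFormat: 0 = Clear, 1 = Hashed, 2 = Encrypted.

-- 1) How many accounts are stored in each format?
SELECT m.PasswordFormat,
       CASE m.PasswordFormat
            WHEN 0 THEN 'Clear'
            WHEN 1 THEN 'Hashed'
            WHEN 2 THEN 'Encrypted'
            ELSE 'Unknown'
       END      AS FormatName,
       COUNT(*) AS Accounts
FROM dbo.aspnet_Membership AS m
GROUP BY m.PasswordFormat
ORDER BY m.PasswordFormat;

-- 2) Which accounts still need migrating?
--    The Password column is deliberately not selected, so clear-text
--    values stay out of result sets, query logs and exported reports.
SELECT u.UserName,
       m.PasswordFormat,
       m.LastPasswordChangedDate,
       m.LastLoginDate
FROM dbo.aspnet_Membership AS m
JOIN dbo.aspnet_Users AS u
  ON u.UserId = m.UserId
WHERE m.PasswordFormat <> 1
ORDER BY m.LastPasswordChangedDate;
```

Run it before the web.config change, after it, and again once the reset module has run; the migration is complete when the second query returns no rows.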