Security and Password Strength
8/10/2009 7:16 AM
In today’s internet world, security has become an everyday word. Any person working with a computer deals with security in some form or fashion. The most common way people interact with computer security is with a password. Several years ago many companies started beefing up their password requirements, many using multi-factor authentication. However, the World Wide Web in general is woefully behind in requiring strong passwords. I believe this comes from two main causes.
- Most businesses on the Web are trying to attract people and don’t want to run potential customers off by requiring strong passwords.
- Most users have so many sites/applications that require passwords, they go for simple passwords and many times use the same password for multiple sites.
Let’s get real. Even among people in the computer industry who know the risks, many are influenced by one if not both of these thought processes. For that matter, do you use the same password for multiple sites, or a password derived from the site name plus your own special something or pattern? If someone were to get your password on one Web site you visit, how much damage could they do to you or your clients by accessing other sites with that password? That is exactly how many of Twitter’s corporate documents were recently exposed to a hacker (Story).
So what is the solution?
First: We as IT professionals need to make sure that our passwords and accounts are secure.
Second: We need to encourage others (clients and employers) to enact policies that require safer passwords.
Once the Business Solution/Policy is set, we find that the technical implementation in DotNetNuke is easy. There are up to three things that can/must be done.
- Adjust existing web.config file settings for length and number of non-alphanumeric characters.
- Add a "Regular Expression" in web.config for more complex scenarios if needed.
- Change prompts so users know what is required.
All three of these can be done without making changes to the code base. Let’s look at each item individually.
First, adjust the existing web.config settings:
Open the web.config file and locate the “membership” node. Beneath the membership node is a “providers” node. Inside the providers node is a comment that shows most of the commonly used properties. The two properties we are interested in are minRequiredPasswordLength and minRequiredNonalphanumericCharacters. The default for these are:
minRequiredPasswordLength=7
minRequiredNonalphanumericCharacters=0
Although you can also enforce these two requirements in the Regular Expression setting covered next, you should always make sure that these settings match any Regular Expression you use. For many situations, changing these two properties in the “add name” node that follows the comment will meet your business requirements and nothing else needs to be done. However, if you need to require both capital and small letters and/or numbers, or some other complex requirement, you will need to use a Regular Expression as shown in the next step.
Second, add a Regular Expression for the membership provider to validate against:
On the same “add name” node as above, check to see if the passwordStrengthRegularExpression="" property exists. If it does, you can place your Regular Expression between the quotes. If it does not exist, you will need to add it. For this example, we will use the following Regular Expression:
^.*(?=.{6,})(?=.*[a-z])(?=.*[A-Z])(?=.*[\W])(?=.*[\d]).*$
Now I don’t claim to be a Regular Expression expert. In fact I generally use a Regular Expression validator to make sure what I am using works the way I think it will. The above Regular Expression does the following:
| Requirement | Pattern |
| --- | --- |
| requires at least 6 characters in length | (?=.{6,}) |
| must have at least one small letter | (?=.*[a-z]) |
| must have at least one capital letter | (?=.*[A-Z]) |
| must have at least one special character | (?=.*[\W]) |
| must have at least one digit | (?=.*[\d]) |
Adding passwordStrengthRegularExpression="^.*(?=.{6,})(?=.*[a-z])(?=.*[A-Z])(?=.*[\W])(?=.*[\d]).*$" as a property to the membership provider (same line in the web.config file as above) will validate any passwords being created against this Regular Expression. There is however one problem. When all we do is change the properties for length and special characters (as in the first section), DotNetNuke can pick these changes up and display the requirements to the end user. This way they know what is required and can create/change their password properly. Using a Regular Expression means that you must somehow communicate the requirements being enforced by the Regular Expression to the end user. Hence step three.
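As an added example (not code from this post or from DotNetNuke), the Python below parses a constructed web.config fragment carrying the three attributes from steps one and two, applies the checks the way the ASP.NET membership provider does (length, non-alphanumeric count, then the regular expression), and lists the passwords that the length/non-alphanumeric prompt would accept but the regular expression rejects, which is exactly the gap step three has to close. It assumes str.isalnum is a close enough stand-in for .NET's char.IsLetterOrDigit.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.config fragment (not copied from a DotNetNuke install): the
# three attributes the post discusses, set to agree with its example regex.
WEB_CONFIG = r"""<configuration><system.web>
  <membership defaultProvider="AspNetSqlMembershipProvider"><providers>
    <add name="AspNetSqlMembershipProvider"
         minRequiredPasswordLength="6"
         minRequiredNonalphanumericCharacters="1"
         passwordStrengthRegularExpression="^.*(?=.{6,})(?=.*[a-z])(?=.*[A-Z])(?=.*[\W])(?=.*[\d]).*$" />
  </providers></membership>
</system.web></configuration>"""

def load_provider_settings(xml_text):
    """Read the policy attributes off <add>; absent ones default to the post's 7 and 0."""
    add = ET.fromstring(xml_text).find(".//add")
    return {
        "min_length": int(add.get("minRequiredPasswordLength", "7")),
        "min_nonalnum": int(add.get("minRequiredNonalphanumericCharacters", "0")),
        "regex": add.get("passwordStrengthRegularExpression", ""),
    }

def provider_accepts(pw, settings):
    """Mirror the membership provider's three checks, in the order it applies
    them: minimum length, non-letter/digit count, then the regular expression."""
    checks = {
        "length": len(pw) >= settings["min_length"],
        # .NET counts chars failing char.IsLetterOrDigit; str.isalnum is the closest match
        "nonalnum": sum(not c.isalnum() for c in pw) >= settings["min_nonalnum"],
        "regex": not settings["regex"] or re.search(settings["regex"], pw) is not None,
    }
    checks["accepted"] = all(checks.values())
    return checks

def policy_mismatches(passwords, settings):
    r"""Passwords the length/non-alphanumeric settings (which drive the prompt
    DotNetNuke shows) accept but the regex rejects. '_' is one trap: the provider
    counts it as non-alphanumeric, but it is a word character, so [\W] misses it."""
    out = []
    for pw in passwords:
        r = provider_accepts(pw, settings)
        if r["length"] and r["nonalnum"] and not r["regex"]:
            out.append(pw)
    return out

if __name__ == "__main__":
    cfg = load_provider_settings(WEB_CONFIG)
    print(policy_mismatches(["Abcdef1!", "Passw0rd_", "abcdef1!", "Abc1!"], cfg))
```

Run against the constructed samples, "Passw0rd_" and "abcdef1!" are reported: both satisfy the two numeric settings the prompt is built from, yet the regular expression rejects them.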
Third, changing the prompts so that users understand the requirements:
When you attempt to register with a password that does not meet the specified criteria, you get the InvalidPassword.Text message located in the SharedResources.resx file. (A different message is displayed when you attempt to change your password.) You can edit this file directly, but DotNetNuke provides a way for you to safely make these changes. If you click the Admin->Languages menu option you will be placed in the Language Editor. Click the SharedResources file and page down until you find the Resource Name “InvalidPassword.Text”. Changing this text will alter the message displayed as mentioned above. Note: You should change this text in all languages being used by your site.
The following files/keys contain resources you may want to consider changing:
App_GlobalResources\SharedResources.resx => PasswordInvalid.Text
DesktopModules\Admin\Authentication\App_LocalResources\Login.ascx.resx => PasswordInvalid.Text
App_GlobalResources\SharedResources.resx => InvalidPassword.Text
If you are using the Language editor, you can reach these keys via the following paths:
Global Resources+SharedResources => PasswordInvalid.Text
Local Resources+ DesktopModules+Authentication+Login.ascx => PasswordInvalid.Text
Global Resources+SharedResources => InvalidPassword.Text
That’s it.
Try it and enjoy.
2 comment(s) so far...
Re: Security and Password Strength
Great stuff! Thanks for your quality blog content. I look forward to more great info!
By Will Strohl on 8/18/2009 9:48 AM
Re: Security and Password Strength
Finally a great and easy to follow example of PasswordStrengthRegularExpression in webconfig! Thanks so much.
By Carol on 11/25/2012 6:15 PM