The current DNN password reset functionality basically emails your password in clear-text.  Has anyone raised any security red flags about doing this these days?  Are there options I am missing to turn on to prevent that from happening and allow the user who forgot their password to somehow perform some secure self-service to do so?

Hi Michael,

The ASP.NET membership providers support a variety of configurations, most (All?) of which are supported by DNN.  If you are concerned about the plaintext transmission of passwords, you might consider disabling password retreival (enablePasswordReset), enabling password reset (enablePasswordReset), requiring a question and answer combination prior to allowing a user to reset (requireQuestionAndAnswer), and/or hashing passwords (versus encryption, using passwordformat).

All of these configuration settings are implemented under the ASP.NET membership element in your web.config.  The default DNN configuration, while perhaps at non-zero risk for an intercepted password via e-mail transmission, is also probably the easiest to administer.  When I recently implemented Commerce Server's UpmMembershipProvider within DNN, the provider's strict requirements (hashing, no retrieval, email addresses as username, etc) caused a lot of headaches.  I wish I could have just enabled user retrieval of passwords via email!

Brandon

Mitch Sellers wrote Please note that if you enable Question & Answer within a DNN installation you will have issues creating new portals and users via the admin interfaces.

Most of which are/will be fixed in 5.0