[Enhancement]: Improve default password policy
Is there an existing issue for this?
- [x] I have searched the existing issues
Description of problem
Default configuration of SqlMembershipProvider is unchanged since DNN Version 3 (about 20 years ago). The only password requirement is 7 characters. Passwords like 0000000 are accepted by default.
Description of solution
Adapt the default configuration as follows (suggestion):
- at least 12 characters
- at least one special (non-alphanumeric) character
- at least one digit
Adapt web.config
<add name="AspNetSqlMembershipProvider"
minRequiredPasswordLength="12"
minRequiredNonalphanumericCharacters="1"
passwordStrengthRegularExpression="(?=(.*\d){1,})"
/>
Documentation:
Description of alternatives considered
No response
Anything else?
Related to https://github.com/dnnsoftware/Dnn.Platform/issues/4596
Do you plan to contribute code for this enhancement?
- [ ] Yes
Would you be interested in sponsoring this enhancement?
- [ ] Yes
Code of Conduct
- [x] I agree to follow this project's Code of Conduct
Hello Beni, I just checked https://www.cisa.gov/secure-our-world/use-strong-passwords and see they mention options of complex passwords, but they also mention longer key phrases such as "legal tiny facility freehand probable enamel" or, in our case, "DotNetNuke is my Favourite CMS".
I agree with the longer is better but I prefer not to include the need for a special character or a number. I do support increasing this to 12 or even 16 characters.
CISA also recommends using a password manager. Passwords should be 16 characters, random and unique. I think https://www.cisa.gov/secure-our-world/use-strong-passwords has not been updated for months. We are experiencing a massive increase in cyberattacks every month. Current security recommendations say to use MFA or Passkey whenever possible. Secure passwords are only a temporary solution for DNN and therefore urgently necessary. In the long term, there is probably no way around MFA and Passkey.
NIST Guidelines from the past few years have also suggested between 8-15 characters in length, depending on the era of the guidance.
Special consideration on this will be needed for upgrades vs. clean installations. It is easy for the new default to be changed, but there are much larger ramifications for existing sites.
What would the desired benefit/process be for existing sites? Simply a warning in the Security Analyzer?
In addition to the Security Analyzer warning, a similar warning on existing systems when choosing a new password or initially setting a password would also raise overall DNN ecosystem awareness of the need to be more vigilant. I second @BeniFreitag's comments: "In the long term, there is probably no way around MFA and Passkey." This is the real solution; I accept it is not trivial.
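To make the proposed web.config values and the passphrase debate above concrete, here is an added example (not DNN or ASP.NET code) that re-implements the three checks SqlMembershipProvider applies to a new password: `minRequiredPasswordLength`, `minRequiredNonalphanumericCharacters` (counted as characters where `char.IsLetterOrDigit` is false) and `passwordStrengthRegularExpression` (tested with `Regex.IsMatch`). The `PasswordPolicy` class, the `LegacyDefault`/`Proposed` names and the sample passwords are assumptions constructed for this illustration; the policy values themselves are the ones stated in the issue.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// Added example, not the provider's own code: a stand-alone re-implementation of
// the password checks SqlMembershipProvider performs, so the legacy and proposed
// defaults can be compared offline against sample passwords.
public sealed class PasswordPolicy
{
    public int MinRequiredPasswordLength { get; }
    public int MinRequiredNonAlphanumericCharacters { get; }
    public string PasswordStrengthRegularExpression { get; }

    public PasswordPolicy(int minLength, int minNonAlphanumeric, string strengthRegex)
    {
        MinRequiredPasswordLength = minLength;
        MinRequiredNonAlphanumericCharacters = minNonAlphanumeric;
        PasswordStrengthRegularExpression = strengthRegex ?? string.Empty;
    }

    // Defaults the issue describes as unchanged since DNN 3: 7 characters, nothing else.
    public static PasswordPolicy LegacyDefault => new PasswordPolicy(7, 0, string.Empty);

    // The web.config values proposed in the issue.
    public static PasswordPolicy Proposed => new PasswordPolicy(12, 1, @"(?=(.*\d){1,})");

    // Returns the reasons a password is rejected; an empty list means it is accepted.
    public IReadOnlyList<string> Validate(string password)
    {
        password = password ?? string.Empty;
        var reasons = new List<string>();

        if (password.Length < MinRequiredPasswordLength)
            reasons.Add($"shorter than {MinRequiredPasswordLength} characters");

        // Same counting rule as the provider: anything that is not a letter or digit.
        // Note that a space in a passphrase therefore counts as a "special" character.
        int nonAlphanumeric = password.Count(c => !char.IsLetterOrDigit(c));
        if (nonAlphanumeric < MinRequiredNonAlphanumericCharacters)
            reasons.Add($"fewer than {MinRequiredNonAlphanumericCharacters} non-alphanumeric characters");

        // The strength regex is only consulted when one is configured.
        if (PasswordStrengthRegularExpression.Length > 0 &&
            !Regex.IsMatch(password, PasswordStrengthRegularExpression))
            reasons.Add("does not match passwordStrengthRegularExpression");

        return reasons;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed samples: the issue's weak example and the passphrases quoted in the thread.
        string[] samples =
        {
            "0000000",
            "DotNetNuke is my Favourite CMS",
            "legal tiny facility freehand probable enamel",
        };

        var policies = new[]
        {
            ("legacy", PasswordPolicy.LegacyDefault),
            ("proposed", PasswordPolicy.Proposed),
        };

        foreach (var (name, policy) in policies)
        {
            Console.WriteLine($"--- {name} policy ---");
            foreach (var sample in samples)
            {
                var reasons = policy.Validate(sample);
                string verdict = reasons.Count == 0 ? "accepted" : "rejected: " + string.Join("; ", reasons);
                Console.WriteLine($"\"{sample}\" -> {verdict}");
            }
        }
    }
}
```

Running this shows the two sides of the discussion: `0000000` is accepted by the legacy policy and rejected by the proposed one (too short, no non-alphanumeric character), while `DotNetNuke is my Favourite CMS` passes the length check and the non-alphanumeric check (its spaces count) but is still rejected by the proposed policy solely because the strength regex demands a digit. Dropping `passwordStrengthRegularExpression` and `minRequiredNonalphanumericCharacters` while keeping a 12 or 16 character minimum, as the second commenter prefers, would accept both passphrases and still reject `0000000`.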