Users all locked out through accidental password setting change?

7/17/2021 5:40:30 AM
Total Posts 128

Users all locked out through accidental password setting change?

Hi, we've encountered a worrying situation on a significant website - all users suddenly locked out. Password recovery and change allowed them to get back in. On inspecting settings and database, the site had been switched from "Hashed in db/Cannot be decrypted" to "Clear Text in db", and all passwords had changed to short random strings, and password salts had gone.

We were able to restore everything easily enough, but the worry is how did this happen? Only one person accessed the site settings over the affected period (we know this from IIS logs), and he is an experienced developer who knows what he's doing - he was simply setting the site to Closed, then unclosing it a few minutes later after a code update. He swears on everything that he did not make this change, and cannot see how he could have done it accidentally either.

But we can see no other possibility than somehow he made this change accidentally while using the site settings page.

So I'm wondering a) is there any other possibility for how this happened, and b) could this setting be better protected to prevent this change? For example a control that needs to be "unlocked" to make a change, or at least showing a warning and confirm/cancel dialogue? Or even remove this from the UI completely and have it as only settable in the database. I don't think there can ever be a scenario where this would be a desirable change, and surely all sites should be in "Hashed in db/Cannot be decrypted" mode?

7/19/2021 9:41:10 AM
Total Posts 1203
Proud member of the mojoPortal team


Re: Users all locked out through accidental password setting change?

I don't have a guess as to how this might have happened outside of an admin change, but I definitely agree that the clear text passwords setting should be deprecated. At upgrade, migrate any site with clear text passwords to hashed and salted, and don't allow this setting at all going forward.

9/29/2021 2:53:25 PM
Total Posts 2239

Re: Users all locked out through accidental password setting change?

Hey guys,

I'm implementing these changes:

  1. Password format dropdown box is disabled by default.
  2. Require a button to be pressed to enable the password format dropdown box.
    1. Button is disabled if the AllowPasswordFormatChange is set to false in web.config/user.config (this is already the case with the dropdown)
    2. Button is disabled if the site being used to edit the site settings is not the "ServerAdminSite"

I'm adding these roadmap items

  1. Remove the clear text option entirely. There's no good reason for it anymore. Existing sites will be switched to hashed/salted on upgrade.
  2. Reset or expire all user passwords. This will be disabled by default and will only be allowed by admins on the server "ServerAdminSite".

Thanks,
Joe
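As an added illustration (not mojoPortal's own code), the following Python sketch shows the two pieces from the post above: the one-way migration of clear-text records to per-user salted hashes (roadmap item 1), and a format-change check that refuses clear text and only proceeds when the unlock button, AllowPasswordFormatChange and the ServerAdminSite conditions all hold. The record layout, the PBKDF2 parameters and the "encrypted" format label are assumptions, and the user rows are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample rows in the "Clear Text in db" shape: the password column
# holds the literal password and there is no salt. Hypothetical layout, not
# mojoPortal's schema.
CLEAR_TEXT_USERS = [
    {"email": "alice@example.org", "password": "correct horse battery", "salt": None},
    {"email": "bob@example.org", "password": "hunter2", "salt": None},
]

PBKDF2_ROUNDS = 200_000  # assumption; tune for the server's hardware


def hash_password(password: str, salt: bytes) -> str:
    """Salted one-way hash: the stored value cannot be turned back into the password."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return digest.hex()


def migrate_to_hashed(users: list) -> list:
    """Rewrite every clear-text row as a salted hash with a fresh random salt per user."""
    migrated = []
    for row in users:
        salt = secrets.token_bytes(16)
        migrated.append({"email": row["email"],
                         "password": hash_password(row["password"], salt),
                         "salt": salt.hex()})
    return migrated


def verify_password(user: dict, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored salted hash."""
    computed = hash_password(candidate, bytes.fromhex(user["salt"]))
    return hmac.compare_digest(user["password"], computed)


def change_password_format(current: str, requested: str, *, unlocked: bool,
                           allow_format_change: bool, is_server_admin_site: bool):
    """Gate from the post: returns (resulting format, reason). Clear text is never
    accepted; any other change needs the config flag, the ServerAdminSite and an
    explicit unlock of the dropdown."""
    if requested == "clear":
        return current, "refused: clear-text storage is no longer an option"
    if not allow_format_change:
        return current, "refused: AllowPasswordFormatChange is false"
    if not is_server_admin_site:
        return current, "refused: not the ServerAdminSite"
    if not unlocked:
        return current, "refused: password format dropdown not unlocked"
    return requested, "changed"
```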
