User Password Settings

All of the mojoPortal content management system user password settings are located in the Administration menu, under Site Settings, Security tab.

When running a public web site, you should always keep in mind that no matter how strong your security measures, your database information might be compromised one day. If not by external hackers, then by malicious insiders. If that happens, all that will stand between the attackers and your sensitive data is how it is stored.

There are three choices of password security in the database:

  • Clear text in db - This is the most convenient, but it leaves your site and users vulnerable. Not recommended.
  • Encrypted in db - Better, but can still be compromised if someone gets hold of the encryption key (hence the importance of changing your Machine Key), and even without the key, the passwords can be decrypted using brute-force dictionary and targeted attacks.
  • Hashed in db/Cannot be decrypted - This is the recommended setting, and offers the best security. A one-way hash, as its name implies, cannot be reversed. There is no way to reconstruct passwords, even with full database access.

If you are using the internal database authentication for login, or are using LDAP fallback authentication, there are two options for password recovery:

  • Allow Password Retrieval - This option is available if you are using clear text or encrypted passwords, but not for hashed passwords. It will send the user their current password through email, and so is the least secure option.
  • Allow Password Recovery - This option is recommended for best security. The user will be assigned a new random password, and that will be emailed. In order to use this regardless of your password storage method, be sure to uncheck the Allow Password Retrieval option as well. If both are checked, mojoPortal will first use retrieval if the password storage mode allows it.

If you check the option Require Password Change After Recovery/Reset, then when the user logs back in after receiving the password email, they will be required to change their password. This is recommended.

In addition to strong password storage and recovery options, you can apply extra levels of security. SSL encryption is very important for all sensitive traffic. The Password Strength Regular Expression setting can be used to ensure that users choose harder-to-guess passwords, and if you don't want to go that far, even something as simple as enabling Show Password Strength On Registration Page can be quite effective in encouraging users to pick better passwords.
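The following is an added illustration, not mojoPortal's own code, of what the recommended combination of settings above amounts to: hashed storage, the retrieval-before-recovery precedence, a recovery that hands out a fresh random password and forces a change at next login, and a strength regular expression. The storage mode names, the PBKDF2 parameters and the regular expression are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
import secrets
from typing import Optional

# Constructed example of a pattern the Password Strength Regular Expression
# setting could hold: at least 8 characters with a letter and a digit (assumption).
STRENGTH_RE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d).{8,}$")


def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = 100_000) -> str:
    """'Hashed in db' mode: store a salted, slow, one-way hash instead of the password.
    The salt defeats precomputed tables; the round count makes guessing expensive."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def recovery_action(storage_mode: str, allow_retrieval: bool, allow_recovery: bool) -> str:
    """Precedence described on the page: retrieval (mailing the current password) is used
    when checked and the storage mode permits it; otherwise recovery if checked."""
    if allow_retrieval and storage_mode in ("clear", "encrypted"):
        return "retrieval"
    if allow_recovery:
        return "recovery"
    return "none"


def password_meets_policy(password: str) -> bool:
    return STRENGTH_RE.fullmatch(password) is not None


def recover_account(account: dict) -> str:
    """'Allow Password Recovery' with 'Require Password Change After Recovery/Reset':
    assign a random password that satisfies the policy, store only its hash, and flag
    the account so the next login forces a change. The return value is what gets emailed."""
    while True:
        new_password = secrets.token_urlsafe(12)
        if password_meets_policy(new_password):
            break
    account["password_hash"] = hash_password(new_password)
    account["must_change_password"] = True
    return new_password
```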

Created by Jamie Eubanks 2011-02-08