  • Terry 1 post 21 karma points
    Feb 19, 2014 @ 18:41
    Terry
    0

    Back Office Login password reset

    Hello,

    I'm working with Umbraco 6.1.6, and I have some requirements around the back office login:

    1)  I need to enforce a password change every X number of days

    2) I need a "Forgot your password?" link on the login page (which will present a form to enter username and have a new password emailed out.  Possibly a secret question/answer component to this as well)

    3) Lock out a user after X number of retries. (and display "Locked Out" when they try to log in)

    4) A specific password strength/rules.

    I know there are options on the "UsersMembershipProvider" membership provider for this, which is great.  Here is what I have for the provider in my web.config:


    <add name="UsersMembershipProvider" type="umbraco.providers.UsersMembershipProvider" 
         enablePasswordRetrieval="false" 
         enablePasswordReset="true" 
         requiresQuestionAndAnswer="true" 
         passwordFormat="Hashed" 
         requiresUniqueEmail="true" 
         maxInvalidPasswordAttempts="3" 
         passwordAttemptWindow="10" 
         minRequiredPasswordLength="5" 
         passwordStrengthRegularExpression=".*" /><!-- allow any strength password for now -->


    However...

    This only solves (4) and partially (3). None of this alters the login page in any way, so there is no forgot password link; if a user is locked out, the form will just shake red like normal and not display a locked out message (so how do they know they're locked out?); and there is no way to enforce a change every X days.

    I understand if I implement my own provider, I can enforce that a user must change their password.  However I don't understand how I am to convey that to the user and present them with a form to do so.  

    I've found some articles on how to do some of this for a member login, but I need to do this for the back office login.  I also considered creating my own login page, but I am not sure how to authenticate into the back office with it.  

    Any help on solving any of these 4 requirements would be greatly appreciated.

    Thanks!

  • Umair 13 posts 75 karma points
    Oct 06, 2014 @ 08:41
    Umair
    0

    Hi

    I am looking for the same features. Did you get anything related to this?

    Thanks

  • Richard Hamilton 79 posts 169 karma points
    Aug 31, 2016 @ 11:26
    Richard Hamilton
    0

    I'm looking for a similar thing - users do not know they've been locked out so they just think the site is broken.

    I've now upgraded to v7.5 which has the password reminder but still just shows the red standard text when locked out.

  • jeffrey@umarketingsuite.com 406 posts 2135 karma points MVP 7x c-trib
    Sep 01, 2016 @ 08:59
    jeffrey@umarketingsuite.com
    0

    Hi Richard,

    that is partially true, but I think the way it is implemented right now is the best option.

    If you give this sort of information back to the user it is some sort of information leakage. As a hacker you know that half of the information you've entered (username & pwd) is correct and you can start increasing your attack on that single username.

    By default you will get locked out after 20 invalid attempts and I think a user would by then have some suspicion that he doesn't have the correct password any longer or something else is wrong.

    I do think that the lockout should be reset after a while (please vote up this issue; http://issues.umbraco.org/issue/U4-8645) and that an e-mail should be sent to the administrator of the site that an account is locked.

    Cheers, Jeffrey
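To make the provider settings from Terry's web.config and Jeffrey's point about lockout messages concrete, here is an added, language-neutral model of how maxInvalidPasswordAttempts and passwordAttemptWindow interact, how a "change your password every X days" check could be signalled to the login page, and why a locked-out account gets the same reply as a wrong password. It is example code written for this thread, not Umbraco's or ASP.NET's own provider implementation; the 90-day password age, the AUDIT_LOG list used as the hook for the admin e-mail Jeffrey asks for, and the user records are all constructed for the example.

```python
"""Toy model of ASP.NET membership-provider lockout settings (example, not Umbraco code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Values mirroring the web.config attributes in the question above.
MAX_INVALID_ATTEMPTS = 3                  # maxInvalidPasswordAttempts="3"
ATTEMPT_WINDOW = timedelta(minutes=10)    # passwordAttemptWindow="10" (minutes)
MAX_PASSWORD_AGE = timedelta(days=90)     # assumed value; the stock provider has no such attribute
GENERIC_FAILURE = "Invalid username or password."  # one message for bad password AND for locked out

# Constructed stand-in for "e-mail the administrator": (when, who, what) tuples.
AUDIT_LOG = []


def hash_password(password: str, salt: bytes) -> bytes:
    # passwordFormat="Hashed": store a salted hash, never the password itself.
    # Iteration count kept low for the example; production uses far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    window_start: Optional[datetime] = None
    locked_out: bool = False


def new_user(name: str, password: str, set_at: datetime) -> User:
    salt = os.urandom(16)
    return User(name, salt, hash_password(password, salt), set_at)


def authenticate(user: User, password: str, now: datetime):
    """Return (ok, message, must_change_password).

    must_change_password is what the login page would use to redirect the
    user to a change-password form (requirement 1 in the question).
    """
    if user.locked_out:
        # Same reply as a wrong password: a distinct "locked out" message would
        # confirm to a guesser that the username exists and the lockout tripped.
        return False, GENERIC_FAILURE, False

    supplied = hash_password(password, user.salt)
    if not hmac.compare_digest(supplied, user.password_hash):
        if user.window_start is None or now - user.window_start >= ATTEMPT_WINDOW:
            # First failure, or the previous attempt window has expired: count afresh.
            user.window_start = now
            user.failed_attempts = 1
        else:
            user.failed_attempts += 1
        if user.failed_attempts >= MAX_INVALID_ATTEMPTS:
            user.locked_out = True
            AUDIT_LOG.append((now, user.name, "locked out"))  # admin notification hook
        return False, GENERIC_FAILURE, False

    # Correct password: clear the failure counter and check password age.
    user.failed_attempts = 0
    user.window_start = None
    must_change = now - user.password_set_at >= MAX_PASSWORD_AGE
    return True, "OK", must_change


def admin_unlock(user: User) -> None:
    """What the back-office 'unlock' action would do (the thread asks for an automatic reset)."""
    user.locked_out = False
    user.failed_attempts = 0
    user.window_start = None


if __name__ == "__main__":
    t0 = datetime(2014, 2, 19, 18, 41)
    u = new_user("terry", "correct horse", t0 - timedelta(days=100))
    print(authenticate(u, "correct horse", t0))   # ok, but password is older than 90 days
    for i in range(4):
        print(authenticate(u, "guess", t0 + timedelta(minutes=i)))  # identical replies throughout
    print(u.locked_out, AUDIT_LOG)
```

Note that the model reports the "must change password" condition only after a successful login, so the unauthenticated login form itself never reveals anything about the account; the page that receives the redirect is where the change-password form lives.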
