Any configuration to require previous password when changing password?

Vote:
 

Hey!

We had a security audit and they pointed out that changing an users password doesn't require the current password.

Is there a configuration or such that would enable requiring of the current password when an user is changing a password?

Thanks,

Jakke

#147835
Apr 26, 2016 12:10
Vote:
 

For editors and admins...no. You can set the new password without the old.

For your other users, that is solution specific and needs to be built by a developer. Normally you have a link to a "change password" function on your profile page. Add an extra field to gui and easiest is to use the membership provider method change password in the backend...

https://msdn.microsoft.com/en-us/library/system.web.security.membershipprovider.changepassword(v=vs.110).aspx

 var ICanHazSuccess = System.Web.Security.Membership.Provider.ChangePassword("Daniel", "oldpass", "newpass");
#147837
Edited, Apr 26, 2016 13:30
Vote:
 

Hi,

We recently found the same issue in a security audit. It has been reported to the support. I'll keep you posted about the outcome of it.

#147931
Apr 27, 2016 22:55
Vote:
 

Thanks for the replies and Mattias for making a ticket for it.

In our case this is would be needed for editors and admins, figured that it would just be some sort of a setting in web.config to enable.

#147939
Apr 28, 2016 11:31
Vote:
 

@MattiasBomelin

Hello again! Have you received any news regarding the ticket?

#162063
Oct 10, 2016 8:55
Vote:
 

Sorry I haven't reported back here. Epi has accepted it as a bug and it's in their todo, no estimate on when it will be implemented though.

#162070
Oct 10, 2016 11:20
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.