In Commerce Manager, there is a link to change a contact's password:
When you click this link, the following popup opens:
As this screen asks for the contact's current password, it can't be used to reset a password upon the contact's request (as I don't know their password). I can, however, remove the account altogether and create a new account, where I'm never asked for the current password.
What is the rationale for asking for a contact's current password on this screen?
This depends on the membership setting in your web.config IIRC. It requires the old password if you tell it to.
AlexNL, I believe this section of the Commerce Developer Guide covers membership settings: https://world.episerver.com/documentation/developer-guides/commerce/security/Configuring-membership-providers/
Thanks for your inputs. I've had a look at the configuration settings mentioned, and also used dotPeek to figure out how the page is supposed to work internally. From my understanding, the "change password" screen won't ask for the current password if enablePasswordRetrieval is set to true in the membership provider's configuration.
This would mean storing user passwords in a reversible manner (or worse... plain text), which seems unpreferable?
Am I right here?
It is not stored in plain text unless you configure that. It should not matter if you enable the setting on Commerce Manager, especially if it is behind the firewall or has IP restrictions. If this is the case, the only people who should have access would be able to reach the URL of the site.
If you switch to ASP.NET Identity, which is a little more secure than membership, then there is no way to retrieve the password anyway; only reset is allowed.
Not really. MembershipProvider allows you to choose between hashed passwords (not recoverable) and encrypted passwords (recoverable). Yes, using encrypted passwords sounds like an anti-best-practice, but it is not that bad. (EDIT: Yes, you can tell it to store passwords in clear text as Mark said, but as you pointed out, it should not be an option.)
The reason that dialog asks for the current password is that changing a password (MembershipUser.ChangePassword) needs the current password. However, I agree it is not very convenient. There might be a workaround for that. I will file a bug to see if we can do better.
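The workaround hinted at here, together with the passwordFormat/enablePasswordRetrieval trade-off discussed in the earlier replies, as an added example that is not part of the original thread and not Episerver's code. It uses only the standard ASP.NET Membership API and assumes a SqlMembershipProvider configured with passwordFormat="Hashed", enablePasswordReset="true" and requiresQuestionAndAnswer="false"; the class and method names are my own.

```csharp
using System;
using System.Web.Security;

// Hypothetical helper (not Episerver's code) for an admin screen that must set a
// new password for another user without knowing that user's current password.
public static class ContactPasswordAdmin
{
    // Pattern: ResetPassword() hands back a random temporary password that only
    // exists in memory here, and ChangePassword() immediately replaces it with the
    // chosen one. This works with hashed (non-recoverable) storage, so there is no
    // need to enable password retrieval or reversible storage to get this flow.
    public static bool SetPasswordWithoutCurrent(string userName, string newPassword)
    {
        MembershipProvider provider = Membership.Provider;

        // Refuse to run against a provider that keeps recoverable passwords:
        // Clear is never acceptable, Encrypted is reversible with the machine key.
        if (provider.PasswordFormat != MembershipPasswordFormat.Hashed)
            throw new InvalidOperationException(
                "Membership provider must use passwordFormat=\"Hashed\"; configured: "
                + provider.PasswordFormat);

        // The reset step below is only available when enablePasswordReset="true".
        if (!provider.EnablePasswordReset)
            throw new InvalidOperationException(
                "enablePasswordReset=\"true\" is required for this flow.");

        MembershipUser user = Membership.GetUser(userName);
        if (user == null || user.IsLockedOut)
            return false; // ResetPassword() throws for locked-out users

        // With requiresQuestionAndAnswer="true" ResetPassword() would need the
        // answer; this example assumes it is false, as the admin screen has no field.
        string temporary = user.ResetPassword();

        // ChangePassword() still enforces the provider's length/complexity rules
        // and returns false if newPassword does not satisfy them.
        return user.ChangePassword(temporary, newPassword);
    }
}
```

The temporary password never leaves the process and is replaced in the same request, so an audit log entry for the admin-initiated change is the only thing worth adding around this call.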
An update to the issue: The bug COM-7725 was fixed and released in Commerce 12.8
- If you allow reset password, or recover password (which is a less secure option compared to reset password), you are no longer asked to supply the current password. Except if you are changing your own password (which is reasonable!)