Commerce Manager: why do I have to give the current password?

AlexNL
Member since: 2016
 

In Commerce Manager, there is a link to change a contact's password:

When you click this link, the following popup opens:

As this screen asks for the contact's current password, it can't be used to reset a password upon the contact's request (as I don't know their password). I can however remove the account altogether and create a new account, where I'm never asked for the current password.

What is the rationale for asking for a contact's current password on this screen?

#195769 Aug 07, 2018 14:22
  • Quan Mai
    Member since: 2011
     

    This depends on the membership setting in your web.config IIRC. It requires the old password if you tell it to.

    #195779 Aug 07, 2018 15:16
  • Bob Bolt
    Member since: 2014
     

    AlexNL,
    I believe this section of the Commerce Developer Guide covers membership settings:

    https://world.episerver.com/documentation/developer-guides/commerce/security/Configuring-membership-providers/

    #195785 Aug 07, 2018 16:30
  • AlexNL
    Member since: 2016
     

    Hi both,

    Thanks for your inputs. I've had a look at the configuration settings mentioned, and also used dotPeek to figure out how the page is supposed to work internally. From my understanding, the "change password" screen won't ask for the current password if enablePasswordRetrieval is set to true in the membership provider's configuration. 

    This would mean storing user passwords in a reversible manner (or worse, plain text), which seems undesirable?

    Am I right here?

    #195947 Aug 13, 2018 13:24
  • Mark Hall
    Member since: 2011
     

    It is not stored in plain text unless you configure that. It should not matter if you enable the setting on Commerce Manager, especially if it is behind the firewall or has IP restrictions. If this is the case, the only people who should have access would be able to reach the URL of the site.

    If you switch to ASP.NET Identity, which is a little more secure than Membership, then there is no way to retrieve the password anyway; only reset is allowed.

    #195953 Aug 13, 2018 19:53
  • Quan Mai
    Member since: 2011
     

    Not really. MembershipProvider allows you to choose between hashed password (not recoverable) and encrypted password (recoverable). Yes, using encrypted passwords sounds like an anti best practice, but it is not that bad. (EDIT: Yes, you can tell it to store passwords in clear text as Mark said, but as you pointed out, it should not be an option.)

    The reason that dialog asks for the current password is because changing the password (MembershipUser.ChangePassword) needs the current password. However, I agree it is not very convenient. There might be a workaround for that. I will file a bug to see if we can do better.

    #195955 Edited, Aug 14, 2018 7:43
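The two points raised in this thread (the screen only skips the current-password prompt when enablePasswordRetrieval is on, and MembershipUser.ChangePassword itself needs the current password) can be reconciled without making passwords recoverable. The following is an added example, not Episerver's or any poster's code: it assumes a classic ASP.NET SqlMembershipProvider configured with passwordFormat="Hashed", enablePasswordReset="true" and enablePasswordRetrieval="false", and uses ResetPassword() to obtain a temporary password that ChangePassword() then replaces.

```csharp
using System;
using System.Web.Security;

// Added example (assumption: classic ASP.NET Membership with a hashed, non-recoverable
// password format and password reset enabled in web.config). Not Episerver code.
public static class AdminPasswordTool
{
    // Sets a new password for another user without knowing the current one.
    // Hashed storage cannot hand the old password back, but ResetPassword() issues a
    // fresh temporary password, which is then the "current password" ChangePassword() needs.
    public static bool SetPasswordForUser(string username, string newPassword)
    {
        // Refuse to run on a reversible configuration: Encrypted/Clear would make
        // GetPassword() possible, which is exactly what the thread warns against.
        if (Membership.Provider.PasswordFormat != MembershipPasswordFormat.Hashed)
            throw new InvalidOperationException(
                "Expected passwordFormat=\"Hashed\"; Encrypted/Clear keep passwords recoverable.");

        // Without enablePasswordReset there is no way to obtain a usable current password.
        if (!Membership.EnablePasswordReset)
            throw new InvalidOperationException(
                "enablePasswordReset=\"false\": cannot set a password without the old one.");

        // ResetPassword() with no argument throws when a security answer is required.
        if (Membership.RequiresQuestionAndAnswer)
            throw new InvalidOperationException(
                "requiresQuestionAndAnswer=\"true\": use ResetPassword(answer) instead.");

        MembershipUser user = Membership.GetUser(username);
        if (user == null)
            return false;

        // Step 1: the provider generates a temporary password and invalidates the old one.
        // This is the only value a hashed provider can ever return to the caller.
        string temporaryPassword = user.ResetPassword();

        // Step 2: immediately replace the temporary password with the chosen one.
        // ChangePassword is the call that insists on a current password; we now have it.
        return user.ChangePassword(temporaryPassword, newPassword);
    }
}
```

Because ResetPassword() replaces the stored hash before ChangePassword() runs, a failure between the two steps leaves the account with the temporary password rather than the old one, so the return value should be checked and the operation logged like any other administrative credential change.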
  • Quan Mai
    Member since: 2011
     

    An update to the issue: The bug COM-7725 was fixed and released in Commerce 12.8

    - If you allow reset password, or recover password (which is a less secure option compared to reset password), you are no longer asked to supply the current password. Except if you are changing your own password (which is reasonable!)

    #197719 Oct 11, 2018 11:20