Commerce Manager: why do I have to give the current password?


In Commerce Manager, there is a link to change a contact's password:

When you click this link, the following popup opens:

As this screen asks for the contact's current password, it can't be used to reset a password upon the contact's request (as I don't know their password). I can however remove the account altogether and create a new account, where I'm never asked for the current password.

What is the rationale for asking for a contact's current password on this screen?

#195769
Aug 07, 2018 14:22

This depends on the membership setting in your web.config IIRC. It requires the old password if you tell it to.

#195779
Aug 07, 2018 15:16

AlexNL,
I believe this section of the Commerce Developer Guide covers membership settings:

https://world.episerver.com/documentation/developer-guides/commerce/security/Configuring-membership-providers/

#195785
Aug 07, 2018 16:30

Hi both,

Thanks for your inputs. I've had a look at the configuration settings mentioned, and also used dotPeek to figure out how the page is supposed to work internally. From my understanding, the "change password" screen won't ask for the current password if enablePasswordRetrieval is set to true in the membership provider's configuration.

This would mean storing user passwords in a reversible manner (or worse... plain text), which seems unpreferable?

Am I right here?

#195947
Aug 13, 2018 13:24

It is not stored in plain text unless you configure that. It should not matter if you enable the setting on Commerce Manager, especially if it is behind the firewall or has IP restrictions. If this is the case, the only people who should have access would be able to reach the URL of the site.

If you switch to ASP.NET Identity, which is a little more secure than membership, then there is no way to retrieve the password anyway; only reset is allowed.

#195953
Aug 13, 2018 19:53

Not really. MembershipProvider allows you to choose between hashed password (not recoverable) and encrypted password (recoverable). Yes, using encrypted password sounds like anti best practice, but it is not that bad. (EDIT: Yes, you can tell it to store passwords in clear text as Mark said, but as you pointed out, it should not be an option.)

The reason that dialog asks for the current password is that changing the password (MembershipUser.ChangePassword) needs the current password. However, I agree it is not very convenient. There might be a workaround for that. I will file a bug to see if we can do better.

#195955
Edited, Aug 14, 2018 7:43

An update to the issue: The bug COM-7725 was fixed and released in Commerce 12.8

- If you allow reset password, or recover password (which is a less secure option compared to reset password), you are no longer asked to supply the current password. Except if you are changing your own password (which is reasonable!)

#197719
Oct 11, 2018 11:20
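As an added illustration (not code from the thread or from Episerver's documentation), here are the two web.config membership provider settings the posts above turn on: the retrieval-enabled form, which needs reversible password storage, beside the hashed, reset-only form. The provider name, provider type and connection string name are assumptions.

```xml
<!-- Weak configuration: passwords are stored reversibly so that
     enablePasswordRetrieval can hand the old password back. The provider
     name, type and connection string name below are assumed, not Commerce's own.
     Encrypted storage also needs an explicit (non-autogenerated) machineKey
     decryptionKey, so anyone with web.config can decrypt every password. -->
<membership defaultProvider="ExampleMembershipProvider">
  <providers>
    <clear />
    <add name="ExampleMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="ExampleConnection"
         passwordFormat="Encrypted"
         enablePasswordRetrieval="true"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false" />
  </providers>
</membership>

<!-- Hardened configuration: one-way hashed storage, so a password can be
     reset but never retrieved. SqlMembershipProvider refuses to initialise
     if passwordFormat="Hashed" is combined with enablePasswordRetrieval="true",
     so the two settings cannot be mixed by mistake. -->
<membership defaultProvider="ExampleMembershipProvider">
  <providers>
    <clear />
    <add name="ExampleMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="ExampleConnection"
         passwordFormat="Hashed"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         maxInvalidPasswordAttempts="5"
         passwordAttemptWindow="10"
         minRequiredPasswordLength="12"
         minRequiredNonalphanumericCharacters="1" />
  </providers>
</membership>
```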