Any configuration to require previous password when changing password?



We had a security audit and they pointed out that changing a user's password doesn't require the current password.

Is there a configuration or such that would enable requiring the current password when a user is changing a password?



Apr 26, 2016 12:10

For editors and You can set the new password without the old.

For your other users, that is solution specific and needs to be built by a developer. Normally you have a link to a "change password" function on your profile page. Add an extra field to the GUI, and the easiest is to use the membership provider method ChangePassword in the backend...

 var ICanHazSuccess = System.Web.Security.Membership.Provider.ChangePassword("Daniel", "oldpass", "newpass");
Edited, Apr 26, 2016 13:30
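
An added example, not part of the original post and not Episerver's own code: one way to wire the extra "current password" field to the `ChangePassword` call above so that the username comes from the authenticated session rather than from the form. The class name, method name and error messages are assumptions, and the `ArgumentException` handling assumes the built-in SQL membership provider.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper; the names and messages are illustrative assumptions.
public static class SelfServicePasswordChange
{
    public static bool TryChange(HttpContextBase context, string currentPassword,
                                 string newPassword, string confirmPassword,
                                 out string error)
    {
        error = null;

        // Only a logged-in user may change a password, and only their own:
        // the username is read from the identity, never from a posted field.
        if (context == null || context.User == null ||
            !context.User.Identity.IsAuthenticated)
        {
            error = "You must be logged in.";
            return false;
        }
        string username = context.User.Identity.Name;

        if (string.IsNullOrEmpty(currentPassword) || string.IsNullOrEmpty(newPassword))
        {
            error = "Current and new password are both required.";
            return false;
        }
        if (!string.Equals(newPassword, confirmPassword, StringComparison.Ordinal))
        {
            error = "The new password and its confirmation do not match.";
            return false;
        }

        try
        {
            // The provider verifies currentPassword itself and returns false
            // when it does not match, so no separate ValidateUser call is needed.
            if (!Membership.Provider.ChangePassword(username, currentPassword, newPassword))
            {
                error = "The current password is incorrect.";
                return false;
            }
            return true;
        }
        catch (ArgumentException)
        {
            // Assumption: the SQL provider rejects a policy-violating new password this way.
            error = "The new password does not meet the password policy.";
            return false;
        }
    }
}
```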


We recently found the same issue in a security audit. It has been reported to the support. I'll keep you posted about the outcome of it.

Apr 27, 2016 22:55

Thanks for the replies and Mattias for making a ticket for it.

In our case this would be needed for editors and admins, figured that it would just be some sort of a setting in web.config to enable.

Apr 28, 2016 11:31


Hello again! Have you received any news regarding the ticket?

Oct 10, 2016 8:55

Sorry I haven't reported back here. Epi has accepted it as a bug and it's in their todo, no estimate on when it will be implemented though.

Oct 10, 2016 11:20