BugNET

Open source issue tracking & project management

BugNET Forums

 
New Post 1/21/2007 5:36 AM
User is offline ChrisMan
22 posts
No Ranking


Improve security by changing a few settings in web.config 
Davin,

There are a few settings that I reckon should be changed in the web.config related to security, in the AspNetSqlMembershipProvider key:
  • enablePasswordRetrieval="false" rather than true
  • passwordFormat="Hashed" rather than Encrypted
  • propose a commented sample for the passwordStrengthRegularExpression, so that BugNET admins can easily know they can change it and how to do it (for instance "^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$"). Not all users may need or want it, so it can be left as a comment.
Cheers,
Chris
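
As an added example (not part of the original post and not BugNET code), the sketch below audits a web.config for the three settings named above. The sample config is constructed, the function names are hypothetical, and Python's `re` is assumed to evaluate the quoted pattern the same way .NET does for these ASCII inputs.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a provider entry carrying the settings the post objects to.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             enablePasswordRetrieval="true"
             passwordFormat="Encrypted" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

# Pattern quoted in the post: digit + lower + upper, 8 to 10 characters.
# Note that .{8,10} also caps the length at 10 characters.
POST_REGEX = r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$"

def audit_membership(config_xml, provider="AspNetSqlMembershipProvider"):
    """Return a list of findings for the named membership provider."""
    root = ET.fromstring(config_xml)
    findings = []
    for add in root.iterfind(".//membership/providers/add"):
        if add.get("name") != provider:
            continue
        # SqlMembershipProvider defaults: retrieval disabled, format Hashed.
        retrieval = add.get("enablePasswordRetrieval", "false").lower()
        fmt = add.get("passwordFormat", "Hashed")
        if retrieval == "true":
            findings.append("enablePasswordRetrieval is true: stored passwords are recoverable")
        if fmt != "Hashed":
            findings.append(f"passwordFormat is {fmt}: passwords are stored reversibly")
        if fmt == "Hashed" and retrieval == "true":
            # The provider rejects this pair at startup.
            findings.append("invalid combination: hashed passwords cannot be retrieved")
        if not add.get("passwordStrengthRegularExpression"):
            findings.append("no passwordStrengthRegularExpression configured")
    return findings

def regex_accepts(pattern, password):
    """True if the strength pattern accepts the candidate password."""
    return re.search(pattern, password) is not None

if __name__ == "__main__":
    for finding in audit_membership(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    for candidate in ("Abcdefg1", "abcdefg1", "Abcdefghij1"):
        print(candidate, regex_accepts(POST_REGEX, candidate))
```
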
 
New Post 1/21/2007 7:00 AM
User is offline admin
634 posts
bugnetproject.com
1st Level Poster




Re: Improve security by changing a few settings in web.config 
I originally had the settings set this secure but we lose some functionality like the password reminder, user changing their password etc. Encrypted passwords are a mandatory and important step forward but I'm not sure we need to hash the passwords.

What I think we should do is document this as a way to make the issue tracker more secure for those admins that wish to install it this way.   Once you have installed the issue tracker with hashed there is no way to switch unless you want to kill your user passwords as well.

What do you think?

Davin Dubeau
BugNET - Core Developer

 
New Post 1/22/2007 3:34 AM
User is offline zespri
10 posts
No Ranking


Re: Improve security by changing a few settings in web.config 
When it comes down to settings, every user of a software product would want their own. So the best a product could do is to set out some default settings suitable for most users and document other options so everybody could configure the product to suit their needs.
BugNET is severely lacking documentation, which is not a bad thing, considering that the time that could be spent on documentation the author spent on the development (i.e. adding new useful features, fixing bugs). And I actually want to take a moment and say thank you to Davin, who hasn't lost interest in the project after all this time the project has been in development.
 