U4-3113 - Changing a members password in backoffice asks for old password

Created by Sebastiaan Janssen 11 Oct 2013, 11:27:03 Updated by Shannon Deminick 20 Oct 2013, 23:19:29

Relates to: U4-3044

I am not going to ask members for their old password.. ;-)

v7 beta


Shannon Deminick 20 Oct 2013, 23:19:29

The password change functionality is completely dependent on how the membership provider is configured. Since both the member and user membership providers are actually implemented correctly now, the fields displayed are based on their configuration.

Previously, the configuration that we shipped with did not allow resetting a password; this has been changed so you can reset a member's password if you don't know what it is. Since we are saving the passwords as Hashed by default, that means you cannot retrieve the password.

The only way to change a password manually (i.e. not resetting it) without knowing what it is, is to have the membership provider configured to:

  • Allow password retrieval
  • Save as encrypted (not hashed)

I've emailed @Seb and @Morten a big list of things that have been fixed with these providers and have backported the changes to a custom branch on 6.2 since I believe that they are pretty critical fixes:

  • U4-3057 MembershipPasswordFormat problem at EncodePassword method in UmbracoMembershipProvider class
  • U4-3176 UsersMembershipProvider.CreateUser does not encrypt/hash the password
  • U4-3173 UserMembershipProvider.ChangePassword does not work
  • U4-3174 UsersMembershipProvider.ResetPassword does not work
  • U4-3186 Neither User or Member membership provider actually validates the password based on the config settings.
  • U4-3158 user back office password policies doesn't adhere to membership provider rules
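An added example, not part of the comment above and not Umbraco code: a small audit that reads the membership section of a web.config and reports, per provider, whether a password can be changed without the old one (retrieval enabled and Encrypted storage, as described above) or only reset. The provider names, types and sample config are constructed; the attribute names are the standard ASP.NET membership provider settings, and the defaults used for missing attributes are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample config. Provider names and types are placeholders;
# the attributes are the standard ASP.NET membership provider settings.
SAMPLE_WEB_CONFIG = """<configuration><system.web>
  <membership defaultProvider="ExampleMembersProvider"><providers>
    <add name="ExampleMembersProvider" type="Example.MembersProvider"
         passwordFormat="Hashed" enablePasswordRetrieval="false"
         enablePasswordReset="true" />
    <add name="ExampleUsersProvider" type="Example.UsersProvider"
         passwordFormat="Encrypted" enablePasswordRetrieval="true"
         enablePasswordReset="false" />
  </providers></membership>
</system.web></configuration>"""

def _flag(node, attr, default):
    return node.get(attr, default).strip().lower() == "true"

def audit_providers(config_xml):
    """Return {provider name: summary} for each configured membership provider."""
    report = {}
    for membership in ET.fromstring(config_xml).iter("membership"):
        for node in membership.iter("add"):
            # Assumed defaults when an attribute is missing: Hashed storage,
            # retrieval off, reset on.
            fmt = node.get("passwordFormat", "Hashed").strip().lower()
            retrieval = _flag(node, "enablePasswordRetrieval", "false")
            reset = _flag(node, "enablePasswordReset", "true")
            findings = []
            if fmt != "hashed":
                findings.append("passwords stored reversibly (%s)" % fmt)
            if retrieval:
                findings.append("password retrieval enabled")
            report[node.get("name")] = {
                # Manual change without the old password needs retrieval AND
                # encrypted storage; with hashing only a reset is possible.
                "change_without_old": retrieval and fmt == "encrypted",
                "reset_allowed": reset,
                "findings": findings,
            }
    return report

if __name__ == "__main__":
    for name, info in audit_providers(SAMPLE_WEB_CONFIG).items():
        print(name, info)
```

A provider that reports `change_without_old` as true is one whose stored passwords can be recovered by anyone holding the decryption key, which is the trade-off behind keeping Hashed as the default.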

Priority: Normal

Type: Bug

State: Fixed

Assignee: Shannon Deminick

Difficulty: Normal


Backwards Compatible: True

Fix Submitted:

Affected versions: 7.0.0

Due in version: 7.0.0


Story Points: