
How safe is your DotNetNuke host superuser account password?

DotNetNuke does a pretty good job on security, and problems are quite rare. But if your password is not strong enough, a miscreant can just walk through your front door and own your site.

There is a really good article on lifehacker.com about password safety and how long it takes to break a password: http://bit.ly/9gTH4m

I thoroughly recommend reading it and changing your passwords if they fall into the easy-to-medium category.

But what actually happens if someone is trying to guess your host password in DotNetNuke? They know that your user name is most likely going to be "host", so that's half the effort saved already. I first wrote about this a long time ago: when installing DotNetNuke, it's a really good idea to use a different username for the host account.

Let's say that someone is trying to break your host password right now. How are you going to know? They might end up locking the host user account through too many failed attempts. But if it's the middle of the night, the lockout will have expired by the time you log in the next morning. You wouldn't even know it had happened.

You could look in the event log and see the failed login attempts. But since the event viewer shows only 10 records by default, the login failures are quickly pushed off the first screen by newer entries.

So we've actually found a little flaw in DotNetNuke: it can give you a false sense of security, when in fact you don't know whether someone is attacking your site. It doesn't make it easier for someone to break in, but it does hide what is going on.

What can be done about it?

DotNetNuke should have some kind of mechanism to tell the host user when they log in: "Alert: There were 4,361 failed login attempts in the last 24 hours. This indicates that a brute force password attack is underway."

And even better, there should be some kind of IP auto-ban feature: once an IP address has produced x failed logins in y hours, it is simply banned.
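Here is what the counting behind both proposals looks like, as an added example that is not DotNetNuke's code or the author's. The log format, the thresholds (5 failures in 24 hours for the alert, 5 failures from one IP inside a sliding 1-hour window for the ban) and the 24-hour ban duration are all assumptions made for illustration; the sample records are constructed, and a real implementation would feed the same functions from DotNetNuke's own login-failure events.

```python
"""Brute-force detection on failed host logins: an at-login alert summarising
the last 24 hours, and a sliding-window per-IP auto-ban.

Added example, not DotNetNuke's code. The log format, thresholds and ban
duration below are assumptions for illustration only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (NOT DotNetNuke's real event log format):
# "<ISO timestamp> <event> <username> <source IP>"
SAMPLE_LOG = """\
2010-06-12T20:00:00 LOGIN_FAILURE host 198.51.100.2
2010-06-14T02:11:05 LOGIN_FAILURE host 203.0.113.7
2010-06-14T02:11:06 LOGIN_FAILURE host 203.0.113.7
2010-06-14T02:11:07 LOGIN_FAILURE host 203.0.113.7
2010-06-14T02:11:08 LOGIN_FAILURE host 203.0.113.7
2010-06-14T02:11:09 LOGIN_FAILURE host 203.0.113.7
2010-06-14T02:11:10 LOGIN_FAILURE host 203.0.113.7
2010-06-14T08:30:00 LOGIN_FAILURE host 192.0.2.10
2010-06-14T08:45:00 LOGIN_SUCCESS host 192.0.2.10
"""

# The "current time" used when the host user logs in (assumed, for the sample).
NOW = datetime.fromisoformat("2010-06-14T09:00:00")


def parse_log(text):
    """Return a list of (timestamp, event, username, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), event, user, ip))
    events.sort(key=lambda e: e[0])
    return events


def failures_in_window(events, now, window_hours=24, username=None):
    """Count LOGIN_FAILURE records in the `window_hours` before `now`,
    optionally restricted to one username (e.g. the host account)."""
    cutoff = now - timedelta(hours=window_hours)
    return sum(1 for ts, event, user, _ in events
               if event == "LOGIN_FAILURE" and cutoff <= ts <= now
               and (username is None or user == username))


def login_alert(events, now, threshold=5, window_hours=24):
    """The message the post asks to show the host user at login, or None
    when the failure count is below `threshold` (an assumed value)."""
    n = failures_in_window(events, now, window_hours)
    if n < threshold:
        return None
    return (f"Alert: There were {n:,} failed login attempts in the last "
            f"{window_hours} hours. This indicates a brute force password "
            f"attack is underway.")


def ips_to_ban(events, max_failures=5, window_hours=1):
    """Sliding-window auto-ban: an IP is banned once it has `max_failures`
    LOGIN_FAILURE records inside any `window_hours` span (assumed values).
    Returns {ip: timestamp of the failure that triggered the ban}."""
    window = timedelta(hours=window_hours)
    recent = defaultdict(deque)   # ip -> failure timestamps still in the window
    banned = {}
    for ts, event, _, ip in events:   # events are sorted oldest first
        if event != "LOGIN_FAILURE" or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:     # drop failures that have aged out
            q.popleft()
        if len(q) >= max_failures:
            banned[ip] = ts
    return banned


def is_blocked(ip, banned, now, ban_hours=24):
    """Whether a request from `ip` should be refused: it is banned and the
    (assumed) ban duration has not yet expired."""
    return ip in banned and now - banned[ip] < timedelta(hours=ban_hours)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(login_alert(events, NOW))
    for ip, when in ips_to_ban(events).items():
        print(f"ban {ip} (triggered {when.isoformat()})")
```

Two design points worth noting. The ban uses a sliding window rather than a fixed hourly bucket, so an attacker cannot dodge it by spreading attempts across a bucket boundary. And the ban expires: a permanent IP ban punishes legitimate users behind the same NAT address long after the attacker has moved on, while the alert count still tells the host user that the attack happened.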

There are actually quite a few little hidden flaws just like this in DotNetNuke.

Things that you don't really notice, that don't make your site weaker, but do mean that you don't have the level of control over your own website's security that you should have. When you stop to think about it, these are features that are obviously missing and would make your job as a site admin much easier.

I've got more to say on these flaws coming up soon, so keep an eye open for them.  If you've got concerns about security in DotNetNuke, send me an email or even a tweet to @bestwebsitesnz.  I'd love to hear from you.
