decrypting a password for use with the login control V2

Posted on 2006-04-19
Last Modified: 2012-06-27
I'm using the login control in conjunction with the createuserwizard control in V2.  I've created a user through the wizard control and now I want to log in under that user.  I've checked the DB and the user is being added in the membership table under the adventureworks DB.

I would like to get some sample code that would show me some methods of how to do this.

my current code is shown below.  however I suspect in order to read the password from the membership table I have to decrypt it first before it can be read.

Current code:

protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
        bool Authenticated = false;
        Authenticated = SiteLevelCustomAuthenticationMethod(Login1.UserName, Login1.Password);
        e.Authenticated = Authenticated;
        if (Authenticated == true)


 private bool SiteLevelCustomAuthenticationMethod(string UserName, string Password)
        bool boolReturnValue = false;
        string strConnection = "server=comp2-28;Data Source=comp2-28;initial catalog=AdventureWorks;user id=se;password=Zaq!xsw2";
        SqlConnection Connection = new SqlConnection(strConnection);
        String strSQL = "Select * From aspnet_membership where username = UserName";
        SqlCommand command = new SqlCommand(strSQL, Connection);
        SqlDataReader Dr;
        Dr = command.ExecuteReader();
        while (Dr.Read())
            if ((UserName == Dr["username"].ToString()) & (Password == Dr["PasswordAnswer"].ToString()))
                boolReturnValue = true;
            return boolReturnValue;

I haven't started implementing this yet because i suspect the password vairable from login1 and the encrypted passwordanswer in the sql won't match due to encryption.  I've found the decrptpassword method but little examples on how to use it for C#.

public override string GetPassword (
      string username,
      string passwordAnswer

my question is; does the password in sql need to be decrypted first before it can be compared to the password in the login1 control, if so how is the decryptpassword method used to do so?  The select statement I suspect would return the encrypted value which would not compare to the string value;  if ((UserName == Dr["username"].ToString()) & (Password == Dr["PasswordAnswer"].ToString()))

How could I change this to work.  any suggestions are greatly appreciated.
Question by:Steve7423
    LVL 44

    Accepted Solution

    I suspect that if the password has been stored in an 'encrypted' form, that has been done with an IRREVERSIBLE hash - meaning that you cannot 'decrypt' the stored password.  You would 'encrypt' using the same Hash code, the supplied password, and then compare that encrypted version of the user supplied password with the stored password in the database - if they match - they match, and the user supplied the correct password on logging in. other wise they don't match, and the user did NOT supply the correct password, on logging in.

    This is MUCH more secure than 'decrypting' the stored password - if your code could decrypt it, then potentailly ANYONE could do the same.


    Author Comment

    what's happening now is that the createuserwizard control is managing the encryption.

    my web config:


    without this element the security config wizard causes errors and therefore unable to create roles or users for the web site.

    would I use this decrypting key to decrypt the PW in the DB?  if so how??

    as shown above; in order to compare the entry with the record in the DB,
    String strSQL = "Select * From aspnet_membership where username = UserName" and passwordanswer = password.

    the decryption of the password should take place prior to the select statement.
    seudo code:
    Eg: decr_PW = decryptpassword(login1.password)
    String strSQL = "Select * From aspnet_membership where username = UserName" and passwordanswer = decr_PW

    As I'm realatively new to ASP and the new controls in 2005 what's the way most people manage security and logins via login control?


    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    IT, Stop Being Called Into Every Meeting

    Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

    This article discusses the ASP.NET AJAX ModalPopupExtender control. In this article we will show how to use the ModalPopupExtender control, how to display/show/call the ASP.NET AJAX ModalPopupExtender control from javascript, how to show/display/cal…
    It was really hard time for me to get the understanding of Delegates in C#. I went through many websites and articles but I found them very clumsy. After going through those sites, I noted down the points in a easy way so here I am sharing that unde…
    In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
    Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

    737 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    21 Experts available now in Live!

    Get 1:1 Help Now