Solved

How to change the SQL Membership security question Answer, stored as a hashed value with a PasswordSalt

Posted on 2008-10-21
912 Views
Last Modified: 2012-05-05
I am developing a website that uses forms authentication.  I have set up the default SQL Membership Provider database for this.  

For the Membership SQL Provider, I have set the following:  requiresQuestionAndAnswer="true", passwordFormat="Hashed"...etc.

On a page in my site, I am allowing the user to change their security question and answer.  In the C# code-behind, I tried using the default stored procedure aspnet_Membership_ChangePasswordQuestionAndAnswer(appname, username, newQuestion, newAnswer) to reset the security question and answer.  This works, except that the security answer is saved in the Membership table as a STRING value; NOT as a salted, hashed value.

So, then I tried researching how to manually convert the security answer from a string value to a salted/hashed value.  
First I tried this: FormsAuthentication.HashPasswordForStoringInConfigFile(saltValue + answerValue, hashtype) (where hashtype is equal to Membership.HashAlgorithmType).  This gave me a hashed value, but not the hashed value I was after; it didn't work for me.

Then I tried implementing this logic...again, this gave me a hashed value, but not the hashed value I needed:
    using System;
    using System.Security.Cryptography;
    using System.Text;

    public static class MembershipHashing
    {
        public static string HashStringWithSalt(string answerValue, string saltValue)
        {
            // PasswordSalt is stored base64-encoded in the Membership table
            byte[] salt = Convert.FromBase64String(saltValue);
            // Answer bytes as UTF-16LE (Encoding.Unicode), not ASCII/UTF-8
            byte[] answer = Encoding.Unicode.GetBytes(answerValue);

            // Mix together: salt bytes first, then the answer bytes
            byte[] saltWithAnswer = new byte[salt.Length + answer.Length];
            Buffer.BlockCopy(salt, 0, saltWithAnswer, 0, salt.Length);
            Buffer.BlockCopy(answer, 0, saltWithAnswer, salt.Length, answer.Length);

            // Get hash value and return a base64-encoded string
            byte[] hash;
            using (SHA1 sha1 = new SHA1CryptoServiceProvider())
            {
                hash = sha1.ComputeHash(saltWithAnswer);
            }
            return Convert.ToBase64String(hash);
        }
    }


NOTE: I know that I did not receive the proper hashed values from my trials above because I have added several user accounts to my membership database; let's say UserA and UserB.  I have used the same password and same security question/answer for these accounts (obviously for testing purposes only).  Then I copied the PasswordSalt value for UserA into UserB's PasswordSalt in the Membership table.  Then on my web page, I changed my security answer for UserB, and the security answer hashed value I received did not match the hashed value for UserA's security answer.

I am very new to ASP.NET, and have never set up a website using Forms Authentication before.  So I will be grateful for any help...I have been searching the web for hours and can't seem to find a solution that fits my problem...basically I need to allow the user to reset their security question & answer, and save the security answer as a salted/hashed value.
Question by:farminsure
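To see how the "Hashed" format described in the question is put together, here is an added Python example (not code from the question, and not the ASP.NET Membership provider's own implementation): it concatenates the base64-decoded PasswordSalt with the UTF-16LE bytes of the answer, SHA-1 hashes the result, base64-encodes it for storage, and provides a constant-time verify function for checking a supplied answer against the stored value. It assumes the provider lowercases the answer before hashing, which the page does not state, and approximates that with Python's str.lower(); the salts and answers are constructed test data.

```python
import base64
import hashlib
import hmac
import os


def encode_hashed(secret: str, salt_b64: str, algorithm: str = "sha1") -> str:
    """Reproduce the 'Hashed' encoding of a password or answer.

    Layout (as in the C# code from the question): the base64-decoded
    PasswordSalt bytes, then the secret as UTF-16LE (.NET Encoding.Unicode),
    hashed with the configured algorithm and stored base64-encoded.
    """
    salt = base64.b64decode(salt_b64)
    data = salt + secret.encode("utf-16-le")
    return base64.b64encode(hashlib.new(algorithm, data).digest()).decode("ascii")


def encode_answer(answer: str, salt_b64: str) -> str:
    """Hash a security answer for storage.

    Assumption (not stated on the page): the provider lowercases the answer
    with the invariant culture before hashing, so 'Fido' and 'fido' match.
    Python's str.lower() stands in for that here.
    """
    return encode_hashed(answer.lower(), salt_b64)


def new_salt_b64() -> str:
    """Fresh 16-byte random salt, base64-encoded like the PasswordSalt column."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def verify_answer(candidate: str, salt_b64: str, stored_b64: str) -> bool:
    """Check a supplied answer against the stored hash in constant time."""
    return hmac.compare_digest(encode_answer(candidate, salt_b64), stored_b64)


if __name__ == "__main__":
    # Constructed data reproducing the question's test: UserA and UserB share
    # the same salt and the same answer, so their stored hashes must agree.
    shared_salt = new_salt_b64()
    user_a = encode_answer("Rover", shared_salt)
    user_b = encode_answer("rover", shared_salt)
    print("same salt, same answer ->", user_a == user_b)                   # True
    print("different salt         ->",
          encode_answer("rover", new_salt_b64()) == user_a)                # False
    print("verify 'ROVER'         ->", verify_answer("ROVER", shared_salt, user_a))
```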
3 Comments

Accepted Solution

by: farminsure earned 0 total points
ID: 22811974
I had tried using the ChangePasswordQuestionAndAnswer stored procedure that was created by default when I established the SQL membership provider and this didn't work.  
So I thought using the ChangePasswordQuestionAndAnswer method would produce the same results, but it didn't.  The method does exactly what I need; it properly hashes my question Answer with the appropriate PasswordSalt.  
