Solved

How to change the SQL Membership security question Answer, stored as a hashed value with a PasswordSalt

Posted on 2008-10-21
3
915 Views
Last Modified: 2012-05-05
I am developing a website that uses forms authentication.  I have set up the default SQL Membership Provider database for this.  

For the Membership SQL Provider, I have set the following:  requiresQuestionAndAnswer="true", passwordFormat="Hashed"...etc.

On an page in my site, I am allowing the user to change their security question and answer.  In the C# code-behind, I tried using the default stored procedure: aspnet_Membership_ChangePasswordQuestionAndAnswer(appname, username, newQuestion, newAnswer)
to reset the security question and answer.  This works; except that the security answer is saved in the Membership table as a STRING value; NOT as a salted, hashed value.

So, then I tried researching how to manually convert the security answer from a string value to a salted/hashed value.  
First I tried this: FormsAuthentication.HashPasswordForStoringInConfigFile(saltValue + answerValue, hashtype)....(where hashtype is equal toMembership.HashAlgorithmType).  This gave me a hashed value, but not the hashed value I was after; it didn't work for me.

Then I tried implementing this logic...again, this gave me a hashed value, but not the hashed value I needed:
    public static string HashStringWithSalt(string answerValue, string saltValue)
    {
        byte[] salt = System.Convert.FromBase64String(saltValue);
        byte[] answer = System.Text.Encoding.Unicode.GetBytes(answerValue);

        // Mix together
        byte[] saltWithAnser = new byte[salt.Length + answer.Length];
        System.Buffer.BlockCopy(salt, 0, saltWithAnser, 0, salt.Length);
        System.Buffer.BlockCopy(answer, 0, saltWithAnser, salt.Length, answer.Length);

        // Get hash value and return a base64-encoded string
        byte[] hash = new System.Security.Cryptography.SHA1CryptoServiceProvider().ComputeHash(saltWithAnser);
       
        return Convert.ToBase64String(hash);
    }


NOTE: I know that I did not receive the proper hashed values from my trials above because I have added several user accounts to my membership database; lets say UserA and UserB.  I have used the same password and same security question/answer for these accounts (obviously for testing purposes only).  Then I copied the PasswordSalt value for UserA into UserB's PasswordSalt in the Membership table.  Then on my web page, I changed my security answer for UserB, and the security answer hashed value I received did not match the hashed value for UserA's security answer.

I am very new to ASP.NET, and have never set up a website using Forms Authentication before.  So I will be greatful for any help...I have been searchign the web for hours and can't seem to find a solution that fits my problem...basically I need to allow the user to reset their security question & answer; and save the security answer as a salted/hashed value.
0
Comment
Question by:farminsure
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 

Accepted Solution

by:
farminsure earned 0 total points
ID: 22811974
I had tried using the ChangePasswordQuestionAndAnswer stored procedure that was created by default when I established the SQL membership provider and this didn't work.  
So I thought using the ChangePasswordQuestionAndAnswer method would produce the same results, but it didn't.  The method does exactly what I need; it properly hashes my question Answer with the appropriate PasswordSalt.  
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever needed a SQL 2008 Database replicated/mirrored/log shipped on another server but you can't take the downtime inflicted by initial snapshot or disconnect while T-logs are restored or mirror applied? You can use SQL Server Initialize from Backup…
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
Via a live example, show how to extract insert data into a SQL Server database table using the Import/Export option and Bulk Insert.
Wufoo.com provides powerful tools for surveying targeted groups, and utilizing data from completed surveys to find trends, discover areas of demand or customer expectation, and make business decisions on products or services.

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question