Solved

How to change the SQL Membership security question Answer, stored as a hashed value with a PasswordSalt

Posted on 2008-10-21
3
913 Views
Last Modified: 2012-05-05
I am developing a website that uses forms authentication.  I have set up the default SQL Membership Provider database for this.  

For the Membership SQL Provider, I have set the following:  requiresQuestionAndAnswer="true", passwordFormat="Hashed"...etc.

On an page in my site, I am allowing the user to change their security question and answer.  In the C# code-behind, I tried using the default stored procedure: aspnet_Membership_ChangePasswordQuestionAndAnswer(appname, username, newQuestion, newAnswer)
to reset the security question and answer.  This works; except that the security answer is saved in the Membership table as a STRING value; NOT as a salted, hashed value.

So, then I tried researching how to manually convert the security answer from a string value to a salted/hashed value.  
First I tried this: FormsAuthentication.HashPasswordForStoringInConfigFile(saltValue + answerValue, hashtype)....(where hashtype is equal toMembership.HashAlgorithmType).  This gave me a hashed value, but not the hashed value I was after; it didn't work for me.

Then I tried implementing this logic...again, this gave me a hashed value, but not the hashed value I needed:
    public static string HashStringWithSalt(string answerValue, string saltValue)
    {
        byte[] salt = System.Convert.FromBase64String(saltValue);
        byte[] answer = System.Text.Encoding.Unicode.GetBytes(answerValue);

        // Mix together
        byte[] saltWithAnser = new byte[salt.Length + answer.Length];
        System.Buffer.BlockCopy(salt, 0, saltWithAnser, 0, salt.Length);
        System.Buffer.BlockCopy(answer, 0, saltWithAnser, salt.Length, answer.Length);

        // Get hash value and return a base64-encoded string
        byte[] hash = new System.Security.Cryptography.SHA1CryptoServiceProvider().ComputeHash(saltWithAnser);
       
        return Convert.ToBase64String(hash);
    }


NOTE: I know that I did not receive the proper hashed values from my trials above because I have added several user accounts to my membership database; lets say UserA and UserB.  I have used the same password and same security question/answer for these accounts (obviously for testing purposes only).  Then I copied the PasswordSalt value for UserA into UserB's PasswordSalt in the Membership table.  Then on my web page, I changed my security answer for UserB, and the security answer hashed value I received did not match the hashed value for UserA's security answer.

I am very new to ASP.NET, and have never set up a website using Forms Authentication before.  So I will be greatful for any help...I have been searchign the web for hours and can't seem to find a solution that fits my problem...basically I need to allow the user to reset their security question & answer; and save the security answer as a salted/hashed value.
0
Comment
Question by:farminsure
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 

Accepted Solution

by:
farminsure earned 0 total points
ID: 22811974
I had tried using the ChangePasswordQuestionAndAnswer stored procedure that was created by default when I established the SQL membership provider and this didn't work.  
So I thought using the ChangePasswordQuestionAndAnswer method would produce the same results, but it didn't.  The method does exactly what I need; it properly hashes my question Answer with the appropriate PasswordSalt.  
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever needed a SQL 2008 Database replicated/mirrored/log shipped on another server but you can't take the downtime inflicted by initial snapshot or disconnect while T-logs are restored or mirror applied? You can use SQL Server Initialize from Backup…
In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
Via a live example, show how to backup a database, simulate a failure backup the tail of the database transaction log and perform the restore.
Use Wufoo, an online form creation tool, to make powerful forms. Learn how to choose which pages of your form are visible to your users based on their inputs. The page rules feature provides you with an opportunity to create if:then statements for y…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question