Prevent reuse of previously used passwords when changing password

Posted on 2009-04-27
Last Modified: 2012-08-13
I am developing a web application using ASP.NET, VS 2008, framework 3.5
I am using sql membership provider for user authentication.
When a user is changing his password, I want to prevent him using previously used passwords.
How to implement this ?
Question by:vu3lmg
    LVL 9

    Accepted Solution

    Assuming you are using a hashed password format you could add a new table, let's say "UserPasswordCache" where you can store the recently used password hashes alongside the users' primary key and see if you get a match there when a user tries to set a new password.
    LVL 1

    Author Comment

    I am thinking of doing that, just wanted to know if there is an easy way around.
    Any examples or code downloadable from the net?
    LVL 9

    Assisted Solution

    Just hook into the ValidatingPassword event of the MembershipProvider class and store an MD5 or SHA hash of the password in your password history there if it's successful. Also check if you're dealing with a valid and really new password there.
    LVL 1

    Author Comment

    In the ValidatingPassword event, the args.Password property returns the unhashed new password.
    In the history table the old passwords are stored in the hashed format.
    How do I compare these?
    LVL 9

    Expert Comment

    The membership provider does some funky stuff in the hashing procedure. Please test the attached code and see if it works, really not sure here. You need to store the salt used for hashing the individual passwords, retrieve it and pass it to the method below. Do this for every password stored in your history.

    Another approach would be to not store the membership provider hash in the history but a hash generated by you that is easier to reconstruct. But before you do that make sure you evaluate the security implications.

    using System;
    using System.Security.Cryptography;
    using System.Text;

    public static class MembershipPasswordHistory
    {
      // Rebuilds what SqlMembershipProvider stores for passwordFormat="Hashed" (default SHA1):
      // Base64( SHA1( saltBytes || UTF-16LE(password) ) ), where saltValue is the Base64
      // salt kept in aspnet_Membership.PasswordSalt, and compares it to the stored hash.
      public static bool ComparePasswordHashes(string newPassword, string saltValue, string oldPasswordHash)
      {
        byte[] saltValueBytes = Convert.FromBase64String(saltValue);
        byte[] plainTextBytes = Encoding.Unicode.GetBytes(newPassword);
        byte[] saltValueBytesWithPlainTextBytes = new byte[saltValueBytes.Length + plainTextBytes.Length];
        Buffer.BlockCopy(saltValueBytes, 0, saltValueBytesWithPlainTextBytes, 0, saltValueBytes.Length);
        Buffer.BlockCopy(plainTextBytes, 0, saltValueBytesWithPlainTextBytes, saltValueBytes.Length, plainTextBytes.Length);
        byte[] hashBytes;
        using (SHA1 sha1 = new SHA1CryptoServiceProvider())
        {
          hashBytes = sha1.ComputeHash(saltValueBytesWithPlainTextBytes);
        }
        string computedHash = Convert.ToBase64String(hashBytes);
        return computedHash == oldPasswordHash;
      }
    }


    LVL 1

    Author Comment

    To avoid all this conversion (hashing the password) I decided to do the following (let the provider hash the password and I deal with hashed passwords only).

    * I created a table called "Password History" to store the current and past password hashes for each user.
    * I modified "aspnet_Membership_SetPassword" to do 2 things:
              1) Check the "Password History" table for a matching password hash; if found, return failure and do not set the new password.
              2) If the password is not a repeat, store the password hash in the "Password History" table for future comparison and return success.

    It seems to be working fine.
    Any comments / suggestions on this?
    I will wait for your comments before closing the question.
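A worked version of the application-side check discussed in this thread, added here as an example (it is not code posted by vu3lmg or the other participants). It hooks Membership.ValidatingPassword, which receives the plaintext candidate, rebuilds the SqlMembershipProvider hashed format (SHA1 over the salt bytes followed by the UTF-16LE password bytes, Base64-encoded, the provider's default) against each stored history row using that row's own salt, so the comparison does not rely on every row sharing one salt, and records the provider's hash after a successful change. The PasswordHistory table and its columns, the "LocalSqlServer" connection string name, the HistoryDepth of 5 and the PasswordHistory class name are assumptions.

```csharp
// Added example, not from the original thread. Assumes a table created as:
//   CREATE TABLE dbo.PasswordHistory (UserId uniqueidentifier NOT NULL,
//       PasswordHash nvarchar(128) NOT NULL, PasswordSalt nvarchar(128) NOT NULL,
//       CreatedDate datetime NOT NULL DEFAULT GETUTCDATE())
// and the default SqlMembershipProvider settings (passwordFormat="Hashed", SHA1).
// Wire it up once, e.g. in Global.asax Application_Start:
//   Membership.ValidatingPassword += PasswordHistory.OnValidatingPassword;
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;
using System.Web.Configuration;
using System.Web.Security;

public static class PasswordHistory
{
    const int HistoryDepth = 5; // assumption: how many previous passwords are blocked

    static string ConnectionString
    {
        get { return WebConfigurationManager.ConnectionStrings["LocalSqlServer"].ConnectionString; }
    }

    // Reproduce what SqlMembershipProvider stores for passwordFormat="Hashed":
    // Base64( SHA1( saltBytes || UTF-16LE(password) ) ). base64Salt is the value
    // the provider keeps in aspnet_Membership.PasswordSalt.
    static string HashLikeProvider(string password, string base64Salt)
    {
        byte[] salt = Convert.FromBase64String(base64Salt);
        byte[] text = Encoding.Unicode.GetBytes(password);
        byte[] input = new byte[salt.Length + text.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(text, 0, input, salt.Length, text.Length);
        using (SHA1 sha1 = new SHA1CryptoServiceProvider())
        {
            return Convert.ToBase64String(sha1.ComputeHash(input));
        }
    }

    // Fires before ChangePassword/ResetPassword commit; e.Password is the plaintext candidate.
    public static void OnValidatingPassword(object sender, ValidatePasswordEventArgs e)
    {
        if (e.IsNewUser) return; // CreateUser: nothing to compare against yet
        MembershipUser user = Membership.GetUser(e.UserName, false);
        if (user == null) return;

        using (SqlConnection cn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT TOP (@depth) PasswordHash, PasswordSalt FROM dbo.PasswordHistory " +
            "WHERE UserId = @userId ORDER BY CreatedDate DESC", cn))
        {
            cmd.Parameters.Add("@depth", SqlDbType.Int).Value = HistoryDepth;
            cmd.Parameters.Add("@userId", SqlDbType.UniqueIdentifier).Value = (Guid)user.ProviderUserKey;
            cn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    // Re-hash with the salt stored for this row, so the check stays
                    // correct even if a row's salt differs from the current one.
                    string oldHash = reader.GetString(0);
                    string oldSalt = reader.GetString(1);
                    if (HashLikeProvider(e.Password, oldSalt) == oldHash)
                    {
                        e.Cancel = true;
                        e.FailureInformation = new MembershipPasswordException(
                            "The new password must differ from your last " + HistoryDepth + " passwords.");
                        return;
                    }
                }
            }
        }
    }

    // Call after Membership.ChangePassword/ResetPassword (or CreateUser) succeeds: copies the
    // hash and salt the provider just wrote to aspnet_Membership into the history table.
    public static void RecordCurrentPassword(string userName)
    {
        MembershipUser user = Membership.GetUser(userName, false);
        if (user == null) return;
        using (SqlConnection cn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(
            "INSERT INTO dbo.PasswordHistory (UserId, PasswordHash, PasswordSalt) " +
            "SELECT UserId, Password, PasswordSalt FROM dbo.aspnet_Membership WHERE UserId = @userId", cn))
        {
            cmd.Parameters.Add("@userId", SqlDbType.UniqueIdentifier).Value = (Guid)user.ProviderUserKey;
            cn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

Usage: after `user.ChangePassword(oldPassword, newPassword)` returns true (or after `CreateUser`, so the initial password is also blocked from reuse), call `PasswordHistory.RecordCurrentPassword(userName)`. Because the handler is given the plaintext candidate and each row's salt, it keeps working if the provider or a migration ever writes a different salt for a user, which a comparison done purely inside aspnet_Membership_SetPassword on the stored hash strings cannot do.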
