Salt & Un-Salt password Value to HiddenField

Hello Experts,

Please see my attached Login and Forgot Password Code below. I need to give users the ability to retrieve their password if they forget it by entering their username and if the username is in the system it will send an email with their password using the usernames email that they entered when they created their account.

Please note: Login CodeBehind works fine. Also, I was able to get the code to work by modifying the original Login code for the Password Retrieveal and when I try to retrieve the password I get the password which is not decrypted or un-salted.
LOGIN CODEBEHIND:

using System;
using System.Configuration;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Net.Mail;
using System.Net.NetworkInformation;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.Security;

public partial class programinfo_ghap_login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }

    protected void btn_ProgramInfoSignIn_Click(object sender, EventArgs e)
    {
        //Retrieve the guid from db
        string guid = String.Empty;

        using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["HealthCourses"].ConnectionString))
        {
            SqlCommand cmd = new SqlCommand();
            cmd.CommandText = "HealthCourses_LoginPassSalt";
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Connection = conn;

            cmd.Parameters.AddWithValue("@users_username", SqlDbType.VarChar).Value = txtUserName.Text;

            DataTable dtGuid = new DataTable();

            SqlDataAdapter adp = new SqlDataAdapter();
            adp.SelectCommand = cmd;
            adp.Fill(dtGuid);

            if (dtGuid != null && dtGuid.Rows.Count > 0)
            {
                guid = dtGuid.Rows[0]["users_password_salt"].ToString();

                SqlCommand cmdClientLogin = new SqlCommand();
                cmdClientLogin.CommandText = "HealthCourses_Login";
                cmdClientLogin.CommandType = CommandType.StoredProcedure;
                cmdClientLogin.Connection = conn;

                cmdClientLogin.Parameters.AddWithValue("@users_username", SqlDbType.VarChar).Value = txtUserName.Text;
                cmdClientLogin.Parameters.AddWithValue("@users_password", SqlDbType.VarChar).Value = SHA512_HASH.ComputeSHA512Hash(txtPassword.Text + guid);

                conn.Open();

                SqlDataReader rdr = cmdClientLogin.ExecuteReader();

                if (rdr.HasRows && rdr.Read())
                {
                    rdr.Close();
                    conn.Close();
                    Session["UserNameSessionID"] = txtUserName.Text;
                    FormsAuthentication.RedirectFromLoginPage(txtPassword.Text, false);
                }
            }

            else
            {
                lblSignInError.Text = "Invalid Credentials!";
            }
        }
    }
}



LOGIN STORED PROCEDURES:

ALTER PROCEDURE [dbo].[HealthCourses_LoginPassSalt]

(
@users_username varchar(50)
)

AS

SELECT users_username, users_password_salt 
FROM dbo.HealthCourses_Users
WHERE users_username = @users_username


ALTER PROCEDURE [dbo].[HealthCourses_Login]

(
@users_username varchar(50),
@users_password varchar(50)
)

AS

SELECT users_password
FROM dbo.HealthCourses_Users
WHERE users_username = @users_username AND users_password = @users_password

Open in new window

RETRIEVE PASSWORD CODEBEHIND:

using System;
using System.Configuration;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Net.Mail;
using System.Net.NetworkInformation;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.Security;

public partial class programinfo_ghap_forgotpassword : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }

    protected void btn_ForgotPassword_Click(object sender, EventArgs e)
    {
        string guid = String.Empty;

        using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["HealthCourses"].ConnectionString))
        {
            SqlCommand cmd = new SqlCommand();
            cmd.CommandText = "HealthCourses_LoginPassSalt";
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Connection = conn;

            cmd.Parameters.AddWithValue("@users_username", SqlDbType.VarChar).Value = txtUsername.Text;

            DataTable dtGuid = new DataTable();

            SqlDataAdapter adp = new SqlDataAdapter();
            adp.SelectCommand = cmd;
            adp.Fill(dtGuid);

            if (dtGuid != null && dtGuid.Rows.Count > 0)
            {
                guid = dtGuid.Rows[0]["users_password_salt"].ToString();

                SqlCommand cmdClientLogin = new SqlCommand();
                cmdClientLogin.CommandText = "HealthCourses_Login2";
                cmdClientLogin.CommandType = CommandType.StoredProcedure;
                cmdClientLogin.Connection = conn;

                cmdClientLogin.Parameters.AddWithValue("@users_username", SqlDbType.VarChar).Value = txtUsername.Text;
                // cmdClientLogin.Parameters.AddWithValue("@users_password", SqlDbType.VarChar).Value = SHA512_HASH.ComputeSHA512Hash(hf_password.Value + guid);

                conn.Open();

                SqlDataReader rdr = cmdClientLogin.ExecuteReader();

                if (rdr.HasRows && rdr.Read())
                {
                    hf_email.Value = rdr["users_email"].ToString();
                    hf_password.Value = rdr["users_password"].ToString() + guid;


                    SmtpClient smtpClient = new SmtpClient();
                    MailMessage message = new MailMessage();

                    // Prepare email address
                    MailAddress fromAddress = new MailAddress("bpsupport@nndsonline.org", "BP Support");
                    MailAddress toAddress = new MailAddress(HttpUtility.HtmlEncode(hf_email.Value));
                    //MailAddress toAddress = new MailAddress("bpsupport@nndsonline.org", "BP Support");
                    //Dim ccAddress As New MailAddress("first.last@nndsonline.org", "First Last")
                    message.From = fromAddress;
                    message.To.Add(toAddress);
                    //message.CC.Add(ccAddress)
                    //message.Subject = HttpUtility.HtmlEncode(txtYourEmail.Text);
                    message.Subject = "Retrieve Password";
                    message.IsBodyHtml = true;
                    message.Body = "<html><head><title>" + "</title></head><body>" + "<p>" + "<span style=\"font-size: 16px; color: #780028; font-family: Arial\"><p><b>Password Retrieve:</b></p></span>" + "<br />" + "<span style=\"font-size: 14px; color: #780028; font-family: Arial\"><b>Organization Name:&nbsp;</b><font face='arial' color='#666666'>" + HttpUtility.HtmlEncode(hf_password.Value) + "</body></html>";

                    smtpClient.Host = "mail.nndsonline.org";
                    smtpClient.Send(message);

                    rdr.Close();
                    conn.Close();
                }
            }

            else
            {
                lblUsernameError.Text = "Invalid Credentials!";
            }
        }
    }
}




RETRIEVE PASSWORD STORED PROCEDURES:

ALTER PROCEDURE [dbo].[HealthCourses_LoginPassSalt]

(
@users_username varchar(50)
)

AS

SELECT users_username, users_password_salt 
FROM dbo.HealthCourses_Users
WHERE users_username = @users_username


ALTER PROCEDURE [dbo].[HealthCourses_Login2]

(
@users_username varchar(50)
)

AS

SELECT users_password, users_email
FROM dbo.HealthCourses_Users
WHERE users_username = @users_username

Open in new window

LVL 4
asp_net2Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

strickddCommented:
Instead of encrypting passwords, it is usually best to Hash your passwords. This provides a much more secure way to store passwords since they are one-way. This would entail a few changes, but offer much more security.

Instead of decrypting the stored password and comparing it to the login password, you hash the login password and compare it to the stored hash value (a SALT can still be used).

A password can never be recovered, therefor your forgot password link would allow the user to reset the password and not actually see what it was.

If you want to continue with this code, then when you retrieve the stored password value - salted and encrypted - you will need to perform a decrypt with the given salt. Also, make sure you never display the GUID for a user ANYWHERE in your application since it is being used as the salt.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
asp_net2Author Commented:
Hi strickdd,

Sorry, I believe that I'm already storing the password as a hash. Would you be able to help me with my code in regards to retrieving the password and then decrypt it using the salt value?

Also not sure what you mean by never display the guid in the application. Could you explain further or correct it in my code?
0
asp_net2Author Commented:
Expert never came back to assist.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ASP.NET

From novice to tech pro — start learning today.