Solved

Changing ASP.Memberships encryption

Posted on 2013-05-28
7
236 Views
Last Modified: 2013-05-31
I have a web site that is using the asp memberships provider.  I have been using this for years, and have always had it setup with password encryption.  But now I need to do 1 of 2 things, either remove the encrtyption so that I can send the password to the user if need be, or 2 be able to send them a password that is not so difficult type, unlike the what is sent automatically with the memberships provider.   So can I keep all the users and profiles I have and remove the encryption from the passwords, or can I change how a password is sent to the user when one is requested.

thanks
0
Comment
Question by:mgmhicks
  • 3
  • 3
7 Comments
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 39203786
#1: Is this .net or classic asp?
#2: Removing the encryption, will not reveal the password, if it is md5 or other.
#3: You can create a script that will allow the user to create their own password.
This is something that we use on all our sites, however, it is classic asp.
The user click on a link, they type in their email address.
The system sends them an email with instructions to reset their password.
Click on the link in the email, and answer some security questions, and type in a new password...

This is the best way to do it.
If you are using .net, then maybe someone else can assist you in achieving something like this setup.

Have a good one.
Carrzkiss
0
 
LVL 15

Expert Comment

by:jorge_toriz
ID: 39206477
if you want to store the password with plain text you can change the attribute passwordFormat to "Clear" in your membership provider configuration.
0
 

Author Comment

by:mgmhicks
ID: 39206583
Thanks for the comment Jorge_toriz, but what will be come of the encrypted passwords that are already there?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 15

Expert Comment

by:jorge_toriz
ID: 39206721
If you have the "Hash" password mode, you won't be able to recover that passwords because Hash encryption is a one-way algorithm, but you can change for "Clear" and then reset all that passwords and send the information to your current users.

If the problem is the weird new passwords generated by the SqlMembershipProvider you can create your own interface that call the aspnet_Membership_ResetPassword stored procedure and create your own password.    I would prefer this second approach.
0
 

Author Comment

by:mgmhicks
ID: 39207568
thank you so much!  I like the 2nd idea,  so I need to override the resetpassword stored procedure.  Can you show me the code?

thanks
0
 
LVL 15

Accepted Solution

by:
jorge_toriz earned 500 total points
ID: 39208130
Well, I recommend to not override the stored procedure, I would create a "ResetPassword.aspx" web form to get the user email address and then call my own stored procedure that will call the aspnet_Membership_ResetPassword.

The custom stored procedure would be something like this:

CREATE PROC pMyResetPassword(
      @ApplicationName NVARCHAR(256),
      @UserName NVARCHAR(256),
      @NewPassword NVARCHAR(128),
      @MaxInavlidPasswordAttempts INT,
      @PasswordAttemptWindow INT,
      @PasswordSalt NVARCHAR(128),
      @PasswordFormat INT,
      @PasswordAnswer NVARCHAR(128)
)
AS
BEGIN
      DECLARE @CurrentTimeUtc DATETIME = GETUTCDATE()
      EXEC aspnet_Membership_ResetPassword @ApplicationName, @UserName, @NewPassword, @MaxInvalidPasswordAttempts,
            @PasswordAttemptWindow, @PasswordSalt, @CurrentTimeUtc, @PasswordFormat, @PasswordAnswer
END

And in .NET you must compute the password hash and convert it to base64 with a code like this:

public string EncodePassword(string pass, string salt)
{
    byte[] bytes = Encoding.Unicode.GetBytes(pass);
    byte[] src = Encoding.Unicode.GetBytes(salt);
    byte[] dst = new byte[src.Length + bytes.Length];
    Buffer.BlockCopy(src, 0, dst, 0, src.Length);
    Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);
    HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");
    byte[] inArray = algorithm.ComputeHash(dst);
    return Convert.ToBase64String(inArray);
}
0
 

Author Closing Comment

by:mgmhicks
ID: 39211164
thanks again!
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Today, the web development industry is booming, and many people consider it to be their vocation. The question you may be asking yourself is – how do I become a web developer?
Although a lot of people devote their energy toward marketing for specific industries, there are some basic principles that can be applied to any sector imaginable. We’ll look at four steps to take and examine how those steps were put into action fo…
The viewer will learn how to count occurrences of each item in an array.
The viewer will get a basic understanding of what section 508 compliance can entail, learn about skip navigation links, alt text, transcripts, and font size controls.

680 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question