Solved

Changing ASP.Memberships encryption

Posted on 2013-05-28
7
216 Views
Last Modified: 2013-05-31
I have a web site that is using the asp memberships provider.  I have been using this for years, and have always had it setup with password encryption.  But now I need to do 1 of 2 things, either remove the encrtyption so that I can send the password to the user if need be, or 2 be able to send them a password that is not so difficult type, unlike the what is sent automatically with the memberships provider.   So can I keep all the users and profiles I have and remove the encryption from the passwords, or can I change how a password is sent to the user when one is requested.

thanks
0
Comment
Question by:mgmhicks
  • 3
  • 3
7 Comments
 
LVL 30

Expert Comment

by:Wayne Barron
ID: 39203786
#1: Is this .net or classic asp?
#2: Removing the encryption, will not reveal the password, if it is md5 or other.
#3: You can create a script that will allow the user to create their own password.
This is something that we use on all our sites, however, it is classic asp.
The user click on a link, they type in their email address.
The system sends them an email with instructions to reset their password.
Click on the link in the email, and answer some security questions, and type in a new password...

This is the best way to do it.
If you are using .net, then maybe someone else can assist you in achieving something like this setup.

Have a good one.
Carrzkiss
0
 
LVL 15

Expert Comment

by:jorge_toriz
ID: 39206477
if you want to store the password with plain text you can change the attribute passwordFormat to "Clear" in your membership provider configuration.
0
 

Author Comment

by:mgmhicks
ID: 39206583
Thanks for the comment Jorge_toriz, but what will be come of the encrypted passwords that are already there?
0
3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

 
LVL 15

Expert Comment

by:jorge_toriz
ID: 39206721
If you have the "Hash" password mode, you won't be able to recover that passwords because Hash encryption is a one-way algorithm, but you can change for "Clear" and then reset all that passwords and send the information to your current users.

If the problem is the weird new passwords generated by the SqlMembershipProvider you can create your own interface that call the aspnet_Membership_ResetPassword stored procedure and create your own password.    I would prefer this second approach.
0
 

Author Comment

by:mgmhicks
ID: 39207568
thank you so much!  I like the 2nd idea,  so I need to override the resetpassword stored procedure.  Can you show me the code?

thanks
0
 
LVL 15

Accepted Solution

by:
jorge_toriz earned 500 total points
ID: 39208130
Well, I recommend to not override the stored procedure, I would create a "ResetPassword.aspx" web form to get the user email address and then call my own stored procedure that will call the aspnet_Membership_ResetPassword.

The custom stored procedure would be something like this:

CREATE PROC pMyResetPassword(
      @ApplicationName NVARCHAR(256),
      @UserName NVARCHAR(256),
      @NewPassword NVARCHAR(128),
      @MaxInavlidPasswordAttempts INT,
      @PasswordAttemptWindow INT,
      @PasswordSalt NVARCHAR(128),
      @PasswordFormat INT,
      @PasswordAnswer NVARCHAR(128)
)
AS
BEGIN
      DECLARE @CurrentTimeUtc DATETIME = GETUTCDATE()
      EXEC aspnet_Membership_ResetPassword @ApplicationName, @UserName, @NewPassword, @MaxInvalidPasswordAttempts,
            @PasswordAttemptWindow, @PasswordSalt, @CurrentTimeUtc, @PasswordFormat, @PasswordAnswer
END

And in .NET you must compute the password hash and convert it to base64 with a code like this:

public string EncodePassword(string pass, string salt)
{
    byte[] bytes = Encoding.Unicode.GetBytes(pass);
    byte[] src = Encoding.Unicode.GetBytes(salt);
    byte[] dst = new byte[src.Length + bytes.Length];
    Buffer.BlockCopy(src, 0, dst, 0, src.Length);
    Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);
    HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");
    byte[] inArray = algorithm.ComputeHash(dst);
    return Convert.ToBase64String(inArray);
}
0
 

Author Closing Comment

by:mgmhicks
ID: 39211164
thanks again!
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Real-time is more about the business, not the technology. In day-to-day life, to make real-time decisions like buying or investing, business needs the latest information(e.g. Gold Rate/Stock Rate). Unlike traditional days, you need not wait for a fe…
Any business that wants to seriously grow needs to keep the needs and desires of an international audience of their websites in mind. Making a website friendly to international users isn’t prohibitively expensive and can provide an incredible return…
This video teaches users how to migrate an existing Wordpress website to a new domain.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now