Solved

Changing ASP.Memberships encryption

Posted on 2013-05-28
7
231 Views
Last Modified: 2013-05-31
I have a web site that is using the asp memberships provider.  I have been using this for years, and have always had it setup with password encryption.  But now I need to do 1 of 2 things, either remove the encrtyption so that I can send the password to the user if need be, or 2 be able to send them a password that is not so difficult type, unlike the what is sent automatically with the memberships provider.   So can I keep all the users and profiles I have and remove the encryption from the passwords, or can I change how a password is sent to the user when one is requested.

thanks
0
Comment
Question by:mgmhicks
  • 3
  • 3
7 Comments
 
LVL 30

Expert Comment

by:Wayne Barron
ID: 39203786
#1: Is this .net or classic asp?
#2: Removing the encryption, will not reveal the password, if it is md5 or other.
#3: You can create a script that will allow the user to create their own password.
This is something that we use on all our sites, however, it is classic asp.
The user click on a link, they type in their email address.
The system sends them an email with instructions to reset their password.
Click on the link in the email, and answer some security questions, and type in a new password...

This is the best way to do it.
If you are using .net, then maybe someone else can assist you in achieving something like this setup.

Have a good one.
Carrzkiss
0
 
LVL 15

Expert Comment

by:jorge_toriz
ID: 39206477
if you want to store the password with plain text you can change the attribute passwordFormat to "Clear" in your membership provider configuration.
0
 

Author Comment

by:mgmhicks
ID: 39206583
Thanks for the comment Jorge_toriz, but what will be come of the encrypted passwords that are already there?
0
How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

 
LVL 15

Expert Comment

by:jorge_toriz
ID: 39206721
If you have the "Hash" password mode, you won't be able to recover that passwords because Hash encryption is a one-way algorithm, but you can change for "Clear" and then reset all that passwords and send the information to your current users.

If the problem is the weird new passwords generated by the SqlMembershipProvider you can create your own interface that call the aspnet_Membership_ResetPassword stored procedure and create your own password.    I would prefer this second approach.
0
 

Author Comment

by:mgmhicks
ID: 39207568
thank you so much!  I like the 2nd idea,  so I need to override the resetpassword stored procedure.  Can you show me the code?

thanks
0
 
LVL 15

Accepted Solution

by:
jorge_toriz earned 500 total points
ID: 39208130
Well, I recommend to not override the stored procedure, I would create a "ResetPassword.aspx" web form to get the user email address and then call my own stored procedure that will call the aspnet_Membership_ResetPassword.

The custom stored procedure would be something like this:

CREATE PROC pMyResetPassword(
      @ApplicationName NVARCHAR(256),
      @UserName NVARCHAR(256),
      @NewPassword NVARCHAR(128),
      @MaxInavlidPasswordAttempts INT,
      @PasswordAttemptWindow INT,
      @PasswordSalt NVARCHAR(128),
      @PasswordFormat INT,
      @PasswordAnswer NVARCHAR(128)
)
AS
BEGIN
      DECLARE @CurrentTimeUtc DATETIME = GETUTCDATE()
      EXEC aspnet_Membership_ResetPassword @ApplicationName, @UserName, @NewPassword, @MaxInvalidPasswordAttempts,
            @PasswordAttemptWindow, @PasswordSalt, @CurrentTimeUtc, @PasswordFormat, @PasswordAnswer
END

And in .NET you must compute the password hash and convert it to base64 with a code like this:

public string EncodePassword(string pass, string salt)
{
    byte[] bytes = Encoding.Unicode.GetBytes(pass);
    byte[] src = Encoding.Unicode.GetBytes(salt);
    byte[] dst = new byte[src.Length + bytes.Length];
    Buffer.BlockCopy(src, 0, dst, 0, src.Length);
    Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);
    HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");
    byte[] inArray = algorithm.ComputeHash(dst);
    return Convert.ToBase64String(inArray);
}
0
 

Author Closing Comment

by:mgmhicks
ID: 39211164
thanks again!
0

Featured Post

Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
placing a checked in the checklistbox based on the value in database table. 3 19
jquery tab header text 1 22
Designing forms 3 16
Why "Mobile First"? 5 16
FAQ pages provide a simple way for you to supply and for customers to find answers to the most common questions about your company. Here are six reasons why your company website should have a FAQ page
Color can increase conversions, create feelings of warmth or even incite people to get behind a cause. If you want your website to really impact site visitors, then it is vital to consider the impact color has on them.
This tutorial walks through the best practices in adding a local business to Google Maps including how to properly search for duplicates, marker placement, and inputing business details. Login to your Google Account, then search for "Google Mapmaker…
The viewer will learn how to count occurrences of each item in an array.

791 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question