?
Solved

Changing ASP.Memberships encryption

Posted on 2013-05-28
7
Medium Priority
?
276 Views
Last Modified: 2013-05-31
I have a web site that is using the asp memberships provider.  I have been using this for years, and have always had it setup with password encryption.  But now I need to do 1 of 2 things, either remove the encrtyption so that I can send the password to the user if need be, or 2 be able to send them a password that is not so difficult type, unlike the what is sent automatically with the memberships provider.   So can I keep all the users and profiles I have and remove the encryption from the passwords, or can I change how a password is sent to the user when one is requested.

thanks
0
Comment
Question by:mgmhicks
  • 3
  • 3
7 Comments
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 39203786
#1: Is this .net or classic asp?
#2: Removing the encryption, will not reveal the password, if it is md5 or other.
#3: You can create a script that will allow the user to create their own password.
This is something that we use on all our sites, however, it is classic asp.
The user click on a link, they type in their email address.
The system sends them an email with instructions to reset their password.
Click on the link in the email, and answer some security questions, and type in a new password...

This is the best way to do it.
If you are using .net, then maybe someone else can assist you in achieving something like this setup.

Have a good one.
Carrzkiss
0
 
LVL 15

Expert Comment

by:jorge_toriz
ID: 39206477
if you want to store the password with plain text you can change the attribute passwordFormat to "Clear" in your membership provider configuration.
0
 

Author Comment

by:mgmhicks
ID: 39206583
Thanks for the comment Jorge_toriz, but what will be come of the encrypted passwords that are already there?
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 15

Expert Comment

by:jorge_toriz
ID: 39206721
If you have the "Hash" password mode, you won't be able to recover that passwords because Hash encryption is a one-way algorithm, but you can change for "Clear" and then reset all that passwords and send the information to your current users.

If the problem is the weird new passwords generated by the SqlMembershipProvider you can create your own interface that call the aspnet_Membership_ResetPassword stored procedure and create your own password.    I would prefer this second approach.
0
 

Author Comment

by:mgmhicks
ID: 39207568
thank you so much!  I like the 2nd idea,  so I need to override the resetpassword stored procedure.  Can you show me the code?

thanks
0
 
LVL 15

Accepted Solution

by:
jorge_toriz earned 2000 total points
ID: 39208130
Well, I recommend to not override the stored procedure, I would create a "ResetPassword.aspx" web form to get the user email address and then call my own stored procedure that will call the aspnet_Membership_ResetPassword.

The custom stored procedure would be something like this:

CREATE PROC pMyResetPassword(
      @ApplicationName NVARCHAR(256),
      @UserName NVARCHAR(256),
      @NewPassword NVARCHAR(128),
      @MaxInavlidPasswordAttempts INT,
      @PasswordAttemptWindow INT,
      @PasswordSalt NVARCHAR(128),
      @PasswordFormat INT,
      @PasswordAnswer NVARCHAR(128)
)
AS
BEGIN
      DECLARE @CurrentTimeUtc DATETIME = GETUTCDATE()
      EXEC aspnet_Membership_ResetPassword @ApplicationName, @UserName, @NewPassword, @MaxInvalidPasswordAttempts,
            @PasswordAttemptWindow, @PasswordSalt, @CurrentTimeUtc, @PasswordFormat, @PasswordAnswer
END

And in .NET you must compute the password hash and convert it to base64 with a code like this:

public string EncodePassword(string pass, string salt)
{
    byte[] bytes = Encoding.Unicode.GetBytes(pass);
    byte[] src = Encoding.Unicode.GetBytes(salt);
    byte[] dst = new byte[src.Length + bytes.Length];
    Buffer.BlockCopy(src, 0, dst, 0, src.Length);
    Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);
    HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");
    byte[] inArray = algorithm.ComputeHash(dst);
    return Convert.ToBase64String(inArray);
}
0
 

Author Closing Comment

by:mgmhicks
ID: 39211164
thanks again!
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
Simulator games are perfect for generating sample realistic data streams, especially for learning data analysis. It is even useful for demoing offerings such as Azure stream analytics, PowerBI etc.
Viewers will get an overview of the benefits and risks of using Bitcoin to accept payments. What Bitcoin is: Legality: Risks: Benefits: Which businesses are best suited?: Other things you should know: How to get started:
The viewer will learn how to count occurrences of each item in an array.
Suggested Courses
Course of the Month16 days, 11 hours left to enroll

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question