Solved

Changing ASP.Memberships encryption

Posted on 2013-05-28
7
225 Views
Last Modified: 2013-05-31
I have a web site that is using the asp memberships provider.  I have been using this for years, and have always had it setup with password encryption.  But now I need to do 1 of 2 things, either remove the encrtyption so that I can send the password to the user if need be, or 2 be able to send them a password that is not so difficult type, unlike the what is sent automatically with the memberships provider.   So can I keep all the users and profiles I have and remove the encryption from the passwords, or can I change how a password is sent to the user when one is requested.

thanks
0
Comment
Question by:mgmhicks
  • 3
  • 3
7 Comments
 
LVL 30

Expert Comment

by:Wayne Barron
ID: 39203786
#1: Is this .net or classic asp?
#2: Removing the encryption, will not reveal the password, if it is md5 or other.
#3: You can create a script that will allow the user to create their own password.
This is something that we use on all our sites, however, it is classic asp.
The user click on a link, they type in their email address.
The system sends them an email with instructions to reset their password.
Click on the link in the email, and answer some security questions, and type in a new password...

This is the best way to do it.
If you are using .net, then maybe someone else can assist you in achieving something like this setup.

Have a good one.
Carrzkiss
0
 
LVL 15

Expert Comment

by:jorge_toriz
ID: 39206477
if you want to store the password with plain text you can change the attribute passwordFormat to "Clear" in your membership provider configuration.
0
 

Author Comment

by:mgmhicks
ID: 39206583
Thanks for the comment Jorge_toriz, but what will be come of the encrypted passwords that are already there?
0
3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

 
LVL 15

Expert Comment

by:jorge_toriz
ID: 39206721
If you have the "Hash" password mode, you won't be able to recover that passwords because Hash encryption is a one-way algorithm, but you can change for "Clear" and then reset all that passwords and send the information to your current users.

If the problem is the weird new passwords generated by the SqlMembershipProvider you can create your own interface that call the aspnet_Membership_ResetPassword stored procedure and create your own password.    I would prefer this second approach.
0
 

Author Comment

by:mgmhicks
ID: 39207568
thank you so much!  I like the 2nd idea,  so I need to override the resetpassword stored procedure.  Can you show me the code?

thanks
0
 
LVL 15

Accepted Solution

by:
jorge_toriz earned 500 total points
ID: 39208130
Well, I recommend to not override the stored procedure, I would create a "ResetPassword.aspx" web form to get the user email address and then call my own stored procedure that will call the aspnet_Membership_ResetPassword.

The custom stored procedure would be something like this:

CREATE PROC pMyResetPassword(
      @ApplicationName NVARCHAR(256),
      @UserName NVARCHAR(256),
      @NewPassword NVARCHAR(128),
      @MaxInavlidPasswordAttempts INT,
      @PasswordAttemptWindow INT,
      @PasswordSalt NVARCHAR(128),
      @PasswordFormat INT,
      @PasswordAnswer NVARCHAR(128)
)
AS
BEGIN
      DECLARE @CurrentTimeUtc DATETIME = GETUTCDATE()
      EXEC aspnet_Membership_ResetPassword @ApplicationName, @UserName, @NewPassword, @MaxInvalidPasswordAttempts,
            @PasswordAttemptWindow, @PasswordSalt, @CurrentTimeUtc, @PasswordFormat, @PasswordAnswer
END

And in .NET you must compute the password hash and convert it to base64 with a code like this:

public string EncodePassword(string pass, string salt)
{
    byte[] bytes = Encoding.Unicode.GetBytes(pass);
    byte[] src = Encoding.Unicode.GetBytes(salt);
    byte[] dst = new byte[src.Length + bytes.Length];
    Buffer.BlockCopy(src, 0, dst, 0, src.Length);
    Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);
    HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");
    byte[] inArray = algorithm.ComputeHash(dst);
    return Convert.ToBase64String(inArray);
}
0
 

Author Closing Comment

by:mgmhicks
ID: 39211164
thanks again!
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

"In order to have an organized way for empathy mapping, we rely on a psychological model and trying to model it in a simple way, so we will split the board to three section for each persona and a scenario and try to see what those personas would Do,…
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial walks through the best practices in adding a local business to Google Maps including how to properly search for duplicates, marker placement, and inputing business details. Login to your Google Account, then search for "Google Mapmaker…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question