Aspnet Retrieve password C# 2.0





Asp.Net Membership Password Administration

The Asp.Net membership provider was designed for self-service password management, but with an understanding of the configuration options and the combined use of certain provider methods, web site administrators can effectively manage member passwords. This article briefly summarizes the settings and methods which can be combined to administratively manage passwords in an Asp.Net membership system based on the default SqlMembershipProvider.


The following web.config configuration options define how the AspNetSqlMembershipProvider (the SqlMembershipProvider instance that machine.config registers as the default) behaves:


enablePasswordRetrieval – Enables/disables the membership provider’s GetPassword method. Default value is false. GetPassword always throws an exception for a user whose password is hashed, and the provider refuses to initialize at all if enablePasswordRetrieval is true while passwordFormat is Hashed. Requires the password answer unless “requiresQuestionAndAnswer” in web.config is set to false.


enablePasswordReset – Enables/disables the membership provider’s ResetPassword method, which can be used to produce a randomly generated password. Default value is true. ResetPassword requires the user’s passwordAnswer unless “requiresQuestionAndAnswer” in web.config is set to false.


requiresQuestionAndAnswer – Alters the behavior of the GetPassword and ResetPassword methods to require or not require the password answer parameter. Default value is true. This setting is the key to administrative management of passwords since, by turning it off, administrators can retrieve or reset passwords without knowing the answer. Note that it is a site-wide switch, not an administrator-only one: the self-service PasswordRecovery control stops prompting for the answer as well, so anyone who knows a username can trigger a reset or retrieval e-mail for that account.


passwordFormat – Defines how passwords will be stored when membership records are created (the format is recorded per record, in the PasswordFormat column of aspnet_Membership). Note that once a membership record has been created, functions such as ChangePassword and ResetPassword continue to store the credentials in the record’s original format, even if web.config is changed to use a different passwordFormat.


Clear
the password and password answer are stored exactly as entered. The passwordSalt column plays no part in protecting them.


Encrypted
the password and password answer are each combined with the randomly generated passwordSalt and encrypted using the key supplied in the machineKey element of web.config (decryptionKey must be an explicit value; the provider refuses to start with an AutoGenerate key when passwordFormat is Encrypted). The salt itself is stored unencrypted in the passwordSalt column, and anyone holding both the database and the machineKey can decrypt every password.



Hashed
the password and password answer are hashed together with a randomly generated passwordSalt value using a one-way hash algorithm (SHA1 by default), so they cannot be recovered from the database.


Microsoft set the default value of passwordFormat to Hashed in order to promote its secure web initiative. For many applications this level of security is overkill and can create inconveniences in managing passwords, but keep the trade-off in mind: Hashed is the only format in which a copy of the database (or of the database plus web.config, in the Encrypted case) does not expose every member’s password, and every technique below that relies on GetPassword also hands the clear-text password to whoever can run administrative code.
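As an added example (not from the original post), here is the web.config membership configuration the settings above add up to, for the default SqlMembershipProvider. The connection string, provider name and machineKey placeholders are assumptions; everything else is the attribute set the article discusses:

```xml
<!-- Added example, not from the original post. Connection-string name,
     provider name and key placeholders are assumptions. -->
<connectionStrings>
  <add name="MembershipDb"
       connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True"
       providerName="System.Data.SqlClient" />
</connectionStrings>

<system.web>
  <!-- passwordFormat="Encrypted" needs an explicit decryptionKey; the provider
       refuses to initialize with an AutoGenerate key in that format.
       Replace the placeholders with keys generated for this deployment. -->
  <machineKey validationKey="REPLACE-WITH-128-HEX-CHARS"
              decryptionKey="REPLACE-WITH-64-HEX-CHARS"
              validation="SHA1"
              decryption="AES" />

  <membership defaultProvider="AdminManagedMembership">
    <providers>
      <clear />
      <!-- The combination the article relies on: answers not required,
           retrieval and reset both enabled, passwords recoverable. -->
      <add name="AdminManagedMembership"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="MembershipDb"
           applicationName="/"
           passwordFormat="Encrypted"
           enablePasswordRetrieval="true"
           enablePasswordReset="true"
           requiresQuestionAndAnswer="false"
           minRequiredPasswordLength="8"
           minRequiredNonalphanumericCharacters="1" />
      <!-- For comparison, the shipped defaults are passwordFormat="Hashed",
           enablePasswordRetrieval="false", enablePasswordReset="true" and
           requiresQuestionAndAnswer="true". enablePasswordRetrieval="true"
           together with passwordFormat="Hashed" is rejected at startup. -->
    </providers>
  </membership>
</system.web>
```

Changing passwordFormat here affects only records created afterwards; existing records keep the format they were created with, as described above.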


Given the above information, there are a number of approaches that can be taken to administratively manage membership passwords. Note that “administrative” management implies that the administrator does not know the member’s password or password answer.


Retrieving a member’s password


The GetPassword method may be used to retrieve a member’s password and, at first glance, appears to require the password answer. By setting “requiresQuestionAndAnswer” to false in web.config, the GetPassword method can be called with an empty password answer and therefore can be effectively used to administratively retrieve a member’s password. Note that “enablePasswordRetrieval” must be set to true in web.config to enable the GetPassword method, which is only possible when passwordFormat is Clear or Encrypted:


If password is:


Clear text
Simply call the GetPassword method with the username and without the need for a password answer to retrieve the password

Encrypted
Simply call the GetPassword method with the username and without the need for a password answer to retrieve the password

Hashed
Not possible, however the password may be reset as described below.


In Visual Basic, you can call GetPassword on the default provider (exposed through the shared Membership.Provider property) as illustrated below. Note that the second parameter would be the password answer if “requiresQuestionAndAnswer” were true in web.config; with it set to false, an empty string or Nothing is accepted.


Dim password As String = Membership.Provider.GetPassword(userName, String.Empty)




Resetting a member’s password


The ResetPassword method may be used to generate a new, randomly generated password and, at first glance, appears to require the user’s password answer. By setting “requiresQuestionAndAnswer” to false in web.config, the ResetPassword method can be called with an empty password answer to set a user’s password to some new randomly generated value. ResetPassword works with all password formats (clear, encrypted, hashed).


In Visual Basic, you can call ResetPassword on the default provider (exposed through the shared Membership.Provider property) as illustrated below. Note that you can pass Nothing for the second parameter, passwordAnswer. The return value is the only copy of the new random password, so capture it.


Dim newPassword As String = Membership.Provider.ResetPassword(username, Nothing)




Changing a member’s password


In some organizations, a Customer Service department may wish to change a user’s password to a new known value, perhaps in response to a customer request. The ChangePassword method, which appears to handle this need, unfortunately requires the original user password, which is usually unavailable to the site administrator. By setting “requiresQuestionAndAnswer” to false and “enablePasswordReset” to true in web.config (plus “enablePasswordRetrieval” set to true where passwordFormat is Clear or Encrypted; the provider will not start with it enabled for Hashed), the GetPassword, ResetPassword and ChangePassword methods can be combined to change a user’s password to a known value, regardless of the password format. The new value must still satisfy the provider’s minRequiredPasswordLength, minRequiredNonalphanumericCharacters and passwordStrengthRegularExpression settings, otherwise ChangePassword returns false:


Clear text
Call the GetPassword method with the username and without the need for a password answer to retrieve the password. Now, armed with the password, call ChangePassword to set the password to a desired value.


Encrypted
Call the GetPassword method with the username and without the need for a password answer to retrieve the password. Now, armed with the password, call ChangePassword to set the password to a desired value


Hashed
Call the ResetPassword method with the username and without the need for a password answer to reset the password to a new random value. Using the newly generated password, call ChangePassword to set the password to a desired value




Changing a member’s Password Question and Password Answer


In some situations, the Customer Service department may wish to modify a member’s Password Question and Password Answer. This is easily accomplished if passwords are encrypted or maintained in clear text. For hashed passwords, however, a password reset is also required since the provider method, ChangePasswordQuestionAndAnswer, requires the member’s password, which is not retrievable. By setting “requiresQuestionAndAnswer” to false and “enablePasswordReset” to true in web.config (plus “enablePasswordRetrieval” set to true where passwordFormat is Clear or Encrypted), the member’s Password Question and Password Answer may be reset:


Clear text
Call the GetPassword method with the username and without the need for a password answer to retrieve the password. Now, armed with the password, call ChangePasswordQuestionAndAnswer to set the Password Question and Password Answer to a desired value.


Encrypted
Call the GetPassword method with the username and without the need for a password answer to retrieve the password. Now, armed with the password, call ChangePasswordQuestionAndAnswer to set the Password Question and Password Answer to a desired value.


Hashed
Call the ResetPassword method with the username and without the need for a password answer to reset the password to a new random value. Using the newly generated password, call ChangePasswordQuestionAndAnswer to set the Password Question and Password Answer to a desired value. Optionally call ChangePassword to set the password to a more user-friendly value.
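The retrieve, reset, change-password and change-question procedures above all start from the same move: obtain a password that is currently valid for the member without knowing it beforehand. The following is an added example (my code, not the original post’s, and written in C# 2.0 syntax) that packages that move once and builds the Customer Service operations on top of it. It assumes web.config sets requiresQuestionAndAnswer="false" and enablePasswordReset="true", and enablePasswordRetrieval="true" only when passwordFormat is Clear or Encrypted; user names and values in the usage comment are illustrative.

```csharp
// Added example, not code from the original post: administrative credential
// management through the default SqlMembershipProvider (C# 2.0 syntax).
// Assumes web.config sets requiresQuestionAndAnswer="false",
// enablePasswordReset="true" and, only when passwordFormat is Clear or
// Encrypted, enablePasswordRetrieval="true" (the provider refuses to start
// with enablePasswordRetrieval="true" and passwordFormat="Hashed").
using System;
using System.Configuration.Provider;
using System.Web.Security;

public static class MembershipAdmin
{
    // Obtain a password that is valid for the user right now, without knowing
    // it in advance: retrieve it for Clear/Encrypted records, or reset it to a
    // random value for Hashed records, which cannot be retrieved. A record's
    // format can differ from the provider's configured passwordFormat (records
    // keep the format they were created with), so retrieval is attempted first
    // and the hashed case is detected from the ProviderException it raises.
    public static string ObtainCurrentPassword(MembershipProvider provider, string userName)
    {
        if (provider.EnablePasswordRetrieval)
        {
            try
            {
                // Second argument is the password answer; it is ignored when
                // requiresQuestionAndAnswer="false".
                return provider.GetPassword(userName, null);
            }
            catch (ProviderException)
            {
                // Hashed record: fall through to a reset.
            }
        }
        if (!provider.EnablePasswordReset)
        {
            throw new InvalidOperationException(
                "Neither password retrieval nor password reset is enabled for this provider.");
        }
        return provider.ResetPassword(userName, null);
    }

    // Customer Service scenario: set the member's password to a chosen value.
    // The value must satisfy minRequiredPasswordLength,
    // minRequiredNonalphanumericCharacters and passwordStrengthRegularExpression,
    // otherwise ChangePassword returns false (and a Hashed record is left with
    // the random password produced by the reset).
    public static bool SetPassword(MembershipProvider provider, string userName, string newPassword)
    {
        string current = ObtainCurrentPassword(provider, userName);
        return provider.ChangePassword(userName, current, newPassword);
    }

    // Replace the member's question and answer. restorePassword is optional:
    // for Hashed records the reset leaves the member with a random password,
    // so an administrator can put a known value back afterwards.
    public static bool SetQuestionAndAnswer(MembershipProvider provider, string userName,
                                            string newQuestion, string newAnswer,
                                            string restorePassword)
    {
        string current = ObtainCurrentPassword(provider, userName);
        bool ok = provider.ChangePasswordQuestionAndAnswer(userName, current, newQuestion, newAnswer);
        if (ok && restorePassword != null)
        {
            ok = provider.ChangePassword(userName, current, restorePassword);
        }
        return ok;
    }
}

// Usage from an administrative page (user name and values are illustrative):
//   MembershipAdmin.SetPassword(Membership.Provider, "jdoe", "Temp-Pass-2024!");
//   MembershipAdmin.SetQuestionAndAnswer(Membership.Provider, "jdoe",
//       "Favourite colour?", "blue", "Temp-Pass-2024!");
```

Because ObtainCurrentPassword may reset a Hashed record as a side effect, call it only from code paths that go on to set a known value or to tell the member the new credentials; a failed ChangePassword after a reset leaves the member locked out until someone does.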



Changing the password format


As web sites mature, website administrators sometimes regret their original (sometimes unintended) choice of passwordFormat when using the AspNetSqlMembershipProvider. That is, membership passwords may be clear text when a hashed format is desired or vice versa. Microsoft’s decision to implement hashing in the default AspNetSqlMembershipProvider was wise and conservative, but for many web sites with minimal security requirements the password system can become cumbersome. By directly calling two of the aspnet_* stored procedures that the provider itself uses, it is possible to change the password format of an individual membership record (take a database backup first; the steps below bypass the provider’s own validation):


Note: If the passwordFormat is initially “Clear” or “Encrypted”, use the Membership.Provider.GetPassword method to cache the original password before calling the stored procedures.


1. Use the stored procedure aspnet_Membership_GetPasswordWithFormat to retrieve the current passwordSalt (its result set also returns the record’s current Password and PasswordFormat values).


2. Use the stored procedure aspnet_Membership_ResetPassword to set the passwordFormat to its intended integer value (MembershipPasswordFormat: Clear = 0, Hashed = 1, Encrypted = 2). The stored procedure requires readily available parameter values including passwordSalt (retrieved earlier), password (empty string) and passwordAnswer (Null).


At this point, the membership record has been placed into an initialized (unusable) state and the PasswordAnswer has been lost. If the original password was hashed, then it too will be unrecoverable. The provider methods listed below and described in previous sections allow for resetting the credentials and, as they are used, the password and password answer will be stored in the new password format (clear, encrypted, hashed.)


1. Call the ResetPassword method to generate and retrieve a new random Password. Remember that the second parameter (answer) is not required if “requiresQuestionAndAnswer” is set to false in web.config.


2. Call the ChangePassword method, using the now-current password retrieved in the previous step, to set the password to a desired value. If the original password was saved at the start of the procedure, it may be restored at this point.


For originally un-hashed passwords, the preceding steps allow for a change of passwordFormat with complete restoration of the original password.
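The four steps above, carried out end to end for one membership record, as an added example (my code, not the original post’s, in C# 2.0 syntax). It assumes the database schema created by aspnet_regsql.exe (the stored-procedure parameter names below follow that schema; check them against the installed procedures before use), that web.config sets requiresQuestionAndAnswer="false" and enablePasswordReset="true", that connectionString is the one the provider uses, and that an explicit machineKey is configured if the target format is Encrypted:

```csharp
// Added example, not code from the original post: switch a single membership
// record to a different passwordFormat by calling the two aspnet_* stored
// procedures the default SqlMembershipProvider itself uses, then letting the
// provider re-store the credentials in the new format (C# 2.0 syntax).
// Assumptions: the schema created by aspnet_regsql.exe (parameter names below
// follow that schema; verify against the installed procedures); web.config sets
// requiresQuestionAndAnswer="false" and enablePasswordReset="true";
// connectionString is the provider's own connection string.
using System;
using System.Configuration.Provider;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;

public static class PasswordFormatConverter
{
    // Step 1: read the record's current salt with aspnet_Membership_GetPasswordWithFormat.
    static string ReadSalt(SqlConnection conn, string appName, string userName)
    {
        using (SqlCommand cmd = new SqlCommand("dbo.aspnet_Membership_GetPasswordWithFormat", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@ApplicationName", SqlDbType.NVarChar, 256).Value = appName;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            cmd.Parameters.Add("@UpdateLastLoginActivityDate", SqlDbType.Bit).Value = false;
            cmd.Parameters.Add("@CurrentTimeUtc", SqlDbType.DateTime).Value = DateTime.UtcNow;
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                {
                    throw new ProviderException("User not found: " + userName);
                }
                return reader.GetString(reader.GetOrdinal("PasswordSalt"));
            }
        }
    }

    // Step 2: stamp the target format onto the row with aspnet_Membership_ResetPassword,
    // keeping the salt, with an empty password and no answer. The record is
    // unusable until the provider resets it in ChangeFormat below.
    static void StampFormat(SqlConnection conn, MembershipProvider p, string userName,
                            string salt, MembershipPasswordFormat target)
    {
        using (SqlCommand cmd = new SqlCommand("dbo.aspnet_Membership_ResetPassword", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@ApplicationName", SqlDbType.NVarChar, 256).Value = p.ApplicationName;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            cmd.Parameters.Add("@NewPassword", SqlDbType.NVarChar, 128).Value = String.Empty;
            cmd.Parameters.Add("@MaxInvalidPasswordAttempts", SqlDbType.Int).Value = p.MaxInvalidPasswordAttempts;
            cmd.Parameters.Add("@PasswordAttemptWindow", SqlDbType.Int).Value = p.PasswordAttemptWindow;
            cmd.Parameters.Add("@PasswordSalt", SqlDbType.NVarChar, 128).Value = salt;
            cmd.Parameters.Add("@CurrentTimeUtc", SqlDbType.DateTime).Value = DateTime.UtcNow;
            // MembershipPasswordFormat: Clear = 0, Hashed = 1, Encrypted = 2
            cmd.Parameters.Add("@PasswordFormat", SqlDbType.Int).Value = (int)target;
            cmd.Parameters.Add("@PasswordAnswer", SqlDbType.NVarChar, 128).Value = DBNull.Value;
            SqlParameter ret = cmd.Parameters.Add("@ReturnValue", SqlDbType.Int);
            ret.Direction = ParameterDirection.ReturnValue;
            cmd.ExecuteNonQuery();
            if ((int)ret.Value != 0)
            {
                throw new ProviderException("aspnet_Membership_ResetPassword returned " + ret.Value);
            }
        }
    }

    // Returns the stored password, or null when it is hashed (not retrievable)
    // or retrieval is disabled.
    static string TryGetPassword(MembershipProvider p, string userName)
    {
        if (!p.EnablePasswordRetrieval) return null;
        try { return p.GetPassword(userName, null); }
        catch (ProviderException) { return null; }
    }

    public static void ChangeFormat(string connectionString, string userName, MembershipPasswordFormat target)
    {
        MembershipProvider p = Membership.Provider;
        string original = TryGetPassword(p, userName);   // cache before the row is reset

        using (SqlConnection conn = new SqlConnection(connectionString))
        {
            conn.Open();
            string salt = ReadSalt(conn, p.ApplicationName, userName);
            StampFormat(conn, p, userName, salt, target);
        }

        // Steps 3 and 4: ResetPassword stores a random password in the new
        // format; ChangePassword then restores the cached original if we have it.
        // The password answer is lost either way and must be set again.
        string random = p.ResetPassword(userName, null);
        if (original != null)
        {
            p.ChangePassword(userName, random, original);
        }
    }
}
```

Run ChangeFormat once per member; it touches only the named record. When original comes back null (the record was Hashed, or retrieval is disabled), the member ends up with the random password from ResetPassword and needs the self-service recovery flow described below.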


The Password Answer could have easily been retrieved from the database at the outset if it was stored in clear text. In the case of an encrypted Password Answer, a more complicated approach which involves the provider’s protected DecryptPassword method could have been used to cache the original Password Answer. If the original Password Answer were available, it could be restored with a call to the ChangePasswordQuestionAndAnswer provider method.


So, what can be done if the Password and/or Password Answer had to be sacrificed in favor of a new passwordFormat? One solution might be to reset everyone’s credentials then send them by Email. Another solution might be to place a notice onto the web site that informs users and provides further instructions. Either way, the web site should leverage the self-service membership controls which allow the member to reset his/her own credentials. The following outlines a series of steps that can be taken:


1. A new arbitrary password can be assigned using either the ResetPassword or ChangePassword provider method. Similarly, a new arbitrary Password Question and Password Answer can be assigned using the ChangePasswordQuestionAndAnswer provider method.


2. Since the user will not know his/her new credentials, ensure the Login Control includes the necessary properties (PasswordRecoveryText and PasswordRecoveryURL) to link the user to a page that includes a PasswordRecovery Control.


3. Recall that the PasswordRecovery Control is driven by the provider settings in web.config. In particular, ensure that “requiresQuestionAndAnswer” is set to false so the PasswordRecovery Control does not prompt the user for a Password Answer. Also, ensure that the SMTP settings (system.net/mailSettings) are specified in web.config so that the e-mail can be sent. If the membership record uses a hashed password format (or “enablePasswordRetrieval” is false), the control calls ResetPassword and a new random password is sent; otherwise it calls GetPassword and the password you assigned in the previous step is sent. Either way the e-mail carries a working password in clear text, so tell users to change it at first login.
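As an added example (not from the original post), the three pieces that wire up this self-service flow: the SMTP settings in web.config, the Login control link, and the PasswordRecovery control on the recovery page. Page names, mail host and addresses are assumptions; requiresQuestionAndAnswer="false" on the membership provider is taken as already configured.

```xml
<!-- Added example, not from the original post. Page names, mail host and
     addresses are assumptions; requiresQuestionAndAnswer="false" is assumed
     to be set on the membership provider already. -->

<!-- web.config: SMTP settings the PasswordRecovery control sends through -->
<system.net>
  <mailSettings>
    <smtp from="no-reply@example.com" deliveryMethod="Network">
      <network host="smtp.example.com" port="25" />
    </smtp>
  </mailSettings>
</system.net>

<!-- Login.aspx: PasswordRecoveryText/PasswordRecoveryUrl link users to the recovery page -->
<asp:Login ID="LoginCtl" runat="server"
           PasswordRecoveryText="Forgot your password?"
           PasswordRecoveryUrl="~/Recover.aspx" />

<!-- Recover.aspx: with requiresQuestionAndAnswer="false" the control asks
     only for the user name, then e-mails the retrieved (Clear/Encrypted)
     or newly reset (Hashed) password. -->
<asp:PasswordRecovery ID="Recovery" runat="server"
                      SuccessText="Your password has been sent to your e-mail address.">
  <MailDefinition From="no-reply@example.com"
                  Subject="Your account password" />
</asp:PasswordRecovery>
```

Because the answer prompt is gone, the user name alone triggers the e-mail; the recipient address on file is the only thing standing between a visitor and a member’s password, which is worth weighing before leaving this configuration in place permanently.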
