How? Encrypt and Decrypt user membership passwords in ASP.NET

asp.netasp.net-membershipencryption

We are creating a new site using ASP.NET membership provider for user registration and log in. Our old system encrypted user passwords so that we could recover them if we needed to.

I am having a great deal of trouble figuring out if it is possible to use ASP.NET membership functions to simply encrypt the password when the user registers and then unencrypt it so I can see it.

Documentation for this is neigh non-existant.

I know how to configure Web.config to have it store passwords as encrypted ala
passwordFormat="Encrypted" in the provider and assigning a validationKey in the machineKey, however it seems like the password still gets hashed (though perhaps it is just well encrypted). Either way I cannot decifer how the password can be recovered (by us) if neccessary.

Thanks!

Best Answer

Storing passwords in recoverable format is a very poor idea. If you can recover them so can anyone who breaks into your server.

You're better off using a standard hash+salt approach and having a password reset mechanism to handle the case where users forget their password.

Related Solutions

Encrypt passwords in ASP.NET membership provider DB

When you say you want to encrypt these passwords by still preserving the individual passwords, I'm assuming you mean that you don't want to have the user's passwords be changed.

I would suggest you do a test run on this (I'm sure you would anyways).

Reference this post for the internals of how the SHA1 hashing works. How to create a asp.net membership provider hashed password manually?

Create a small app to connect to the database and hash all the passwords.
Update the config for your application to Hash the passwords (remove the "Clear" directive as hashing is the default.

Decrypting an ‘Encrypted’ password from ASP.NET 2.0 Membership

Create a class that inherits from SqlMembershipProvider and in it you can call the decrypt.

All the code you need for this can be found in this article by Naveen Kohli:

After looking through the code in reflector, I saw that Microsoft providers decrypts in two steps. The encrypted password is actually a Base64 conversion of encrypted data. So first it converts it back from Base64 and then calls DecryptPassword method. I just did the easiest thing. Copied the code from Microsoft implementation, removed all the checks it was doing and then used it. Following class is an example of a class derived form SqlMembershipProvider with a method that just returns me password in clear text for a given encrypted password.
namespace MembershipPasswordRecover
{
    public class NetFourMembershipProvider : SqlMembershipProvider
    {
        public string GetClearTextPassword(string encryptedPwd)
        {
            byte[] encodedPassword = Convert.FromBase64String(encryptedPwd);
            byte[] bytes = this.DecryptPassword(encodedPassword);
            if (bytes == null)
            {
                return null;
            }
            return Encoding.Unicode.GetString(bytes, 0x10, bytes.Length - 0x10);

        }
    }
}

static void Main(string[] args)
{
    var passwordManager = new NetFourMembershipProvider();
    var clearPWd = passwordManager.GetClearTextPassword("encryptedpasswordhere");
    Console.WriteLine(clearPWd);
}

Best Answer

Related Solutions

Encrypt passwords in ASP.NET membership provider DB

Decrypting an ‘Encrypted’ password from ASP.NET 2.0 Membership

Related Topic