Hi,

I need help using the PasswordRecovery control in .net 2.0. My situation is the application has changed from storing the passwordformat in Hashed to Clear.

The problem is the newly created users have a clear password stored and there are still users with hashed passwords. When I use the passwordRecovery control as below for users who still have a hashed password, the 'PasswordFormat' field is NOT altered to 'clear' for those previous users with hashed passwords.

<asp:PasswordRecovery ID="PasswordRecovery1" runat="server"
    MembershipProvider="AspNetSqlMembershipProviderF0005600"
    MailDefinition-BodyFileName="/mailTemplates/changePassword.htm"
    MailDefinition-From="[email protected]"
    MailDefinition-Subject="Test"
    CssClass="noLines"
    SubmitButtonStyle-CssClass="button"
    UserNameTitleText=""
    UserNameInstructionText="Enter User name and a new password will be generated and mailed to the user"
    SuccessText="Your password has been sent to your registered email address."
    OnSendingMail="PasswordRecovery1_SendingMail">
</asp:PasswordRecovery>

<membership>
  <providers>
    <remove name="AspNetSqlMembershipProviderF0005600"/>
    <add name="AspNetSqlMembershipProviderF0005600"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="LocalSqlServer"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         applicationName="/"
         requiresUniqueEmail="false"
         minRequiredPasswordLength="1"
         minRequiredNonalphanumericCharacters="0"
         passwordFormat="Clear"
         maxInvalidPasswordAttempts="5"
         passwordAttemptWindow="10"
         passwordStrengthRegularExpression=""/>
  </providers>
</membership>
+2  A: 

You cannot have multiple password storage schemes in a MembershipProvider. You must reset the passwords of all users having a hashed password and send them a newly auto-generated password in their email with the username.

Either you must take all users' passwords to hashed or to clear.

There must be a uniform strategy for the password storage for MembershipProviders.

this. __curious_geek
Hi thanks very much for your answer. Is there Microsoft documentation that also states your assertion that all passwords must be either hashed, clear or encrypted?
I have not come across one yet and I don't think it might even exist. A provider will have its own single mechanism to read and write passwords. So if it is configured to do it in hashed mode it won't match the clear mode. It's not about whether it can do it or not; merely being able to read-write from the db does not serve the purpose because the db does not know the format.
this. __curious_geek
+1  A: 

this.__curious_geek is correct. You don't need Microsoft documentation to verify his assertion, it's inherent in the nature of hashed passwords. Once a password has been hashed it cannot be recovered. This is simply the nature of hashing--it's a one-way operation. If it was two-way, it would be encryption--not hashing.

Therefore, if you switch from hashed passwords to plain text, you must reset everybody's password who had their password hashed. There's no way to get their password back--they must be assigned a new password.

Joshua Beal
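Before doing the reset both answers describe, it helps to know exactly which accounts still carry the old format. The following audit helper is an added example, not code from the question or either answer; it assumes the stock aspnet_regsql schema (aspnet_Membership, aspnet_Users, aspnet_Applications), the connection string name and provider name from the question's web.config, and the stored PasswordFormat encoding of MembershipPasswordFormat (Clear = 0, Hashed = 1, Encrypted = 2).

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Web.Security;

public static class PasswordFormatAudit
{
    // Names taken from the question's web.config (assumed to still apply).
    public const string ProviderName = "AspNetSqlMembershipProviderF0005600";
    public const string ConnectionStringName = "LocalSqlServer";

    // Returns (UserName, stored format) for every user of the provider's
    // application whose row in aspnet_Membership does not use the format the
    // provider is configured with. Those are the accounts that must be reset.
    public static List<KeyValuePair<string, MembershipPasswordFormat>> FindMismatchedUsers()
    {
        MembershipProvider provider = Membership.Providers[ProviderName];
        if (provider == null)
            throw new InvalidOperationException("Provider not registered: " + ProviderName);

        List<KeyValuePair<string, MembershipPasswordFormat>> result =
            new List<KeyValuePair<string, MembershipPasswordFormat>>();
        string cs = ConfigurationManager.ConnectionStrings[ConnectionStringName].ConnectionString;

        // Compare the per-row PasswordFormat column with the configured value.
        const string sql = @"
            SELECT u.UserName, m.PasswordFormat
            FROM dbo.aspnet_Membership m
            JOIN dbo.aspnet_Users u ON u.UserId = m.UserId
            JOIN dbo.aspnet_Applications a ON a.ApplicationId = m.ApplicationId
            WHERE a.LoweredApplicationName = LOWER(@app)
              AND m.PasswordFormat <> @configured
            ORDER BY u.UserName";

        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@app", provider.ApplicationName);
            cmd.Parameters.AddWithValue("@configured", (int)provider.PasswordFormat);
            conn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                while (rdr.Read())
                    result.Add(new KeyValuePair<string, MembershipPasswordFormat>(
                        rdr.GetString(0), (MembershipPasswordFormat)rdr.GetInt32(1)));
            }
        }
        return result;
    }
}
```

Run it again after the reset pass: an empty list means every stored row now matches the configured passwordFormat, which is the uniform state the answers call for.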