Hi, In my application, the password is encrypted and if the user forgets the password , there is no way to recover the password.Now we are cancelling that user account and creating a new one.Now i want a proper method to recover the password.The login is done using the Asp.net configuration tool.How can i recover my password using this?Is there any alternative option for this?How can i decrypt my password in the database?
The idea is that no one can decrypt the password (including the database owner). Normally you'd generate a new password & send that to the user as well as encrypting it & placing it into the database.
How do you encrypt your passwords? Is it a one way encryption and can be decrypted only with the right password? If so - game over.
You can change the encryption method so it can be decrypted using a key (which is not the password, it can be for example a combination of user's id, birthdate and a secret word he enters which is saved in the DB unencrypted).
Then, the password can be decrypted using the key and everyone will be happy.
As others have said, hopefully the password is one way encrypted in the database. One method that many sites use for recoverring a password is to generate a hash of the users primary username and email address. Have them provide this information and then hash it. If it matches, generate them a new random password, encrypt it and overwrite the old password. Email the user their new password to the email address they originally provided, and mark the row in the databae to force them to change it the next time the log in (usually done if the passwords are hand generated).
A few sites I know of allow you to recover your password, and I assume they use a reversible (i.e. symmetric) key algorithm for generating the password. In order to do this, and not have it available to the site owner, you need the user to provide two pieces of information (username and a salt only known to them) which are applied to secure the login information and can be used to recover it.
You can look at symmetric key cryptography on MSDN for more info. Really though, I recommend against using this technique, generating a new password is preferrable if possible.