views:

31

answers:

1

We recently added the ability for clients to reset their own passwords using the security question. For new clients, this is fine, as we can set the security question and answer on account creation. For existing clients, this is an issue.

For clients who have forgotten their password, we e-mail them a temporary password, and then they log in with that to reset their password. However, this method now breaks, because their password answer is null. I need to somehow force in a temporary password answer for ASP.NET membership to accept my temporary password. I looked in the aspnet_Membership table, and it was null for PasswordQuestion and PasswordAnswer. I tried setting the PasswordAnswer value to their current salted password, just to have a value there, but ASP.NET keeps telling me that the password answer cannot be null.

Does anyone know of a work-around for this? How can we easily add in a temporary password answer? We can reset the security question and answer once we reset the password, as we know what the temporary password is, but we're in a catch-22 without being able to set the temporary password.

I know we could set up a different ASP.NET membership for them to be reset, but I don't want to do that, as we share methods, and that adds a lot more complexity. We just need a one-time loading of some default value for the password answer. Any ideas?

Update: OK, I figured out that the issue was not having the value in the DB, but the value I was passing to the ResetPassword() method. It is looking for me to pass a value that matches what is stored in the DB. However, I can't produce that value, because it is generated from the saved password salt and the entered password. I tried using a different user's saved password as a test and it did not work.

+2  A: 

Hey,

What are you using to do this? You can easily do this by scripting it in the database through an update statement

update aspnet_membership set PasswordAnswer = Password

Additionally, if you wanted to get a common password answer, one thing I've done is, in a test environment with the same algorithm/machine key, or on your prod environment, get an account to change the password answer to something you know (like yours), then copy that value into an update query like:

update aspnet_Membership set PasswordAnswer = '<the known value>'

since the answer is also encrypted.

Please be careful if you are doing this in a prod environment; I would highly suggest doing it in a test environment (as long as it has the same encryption key setup), testing the script there before deploying it.

HTH.

Brian
I tried that first actually, just updating the aspnet_membership table with a value. It did not seem to care that a value was there, and still told me that password answer was null.
Noah
Did you also set the question?
Greg
Yes, set both values. Same result.
Noah
Are you sure it's using the same underlying key (same salt, and maybe a <machineKey> entry affects this too, that I'm not sure on)? It might say that because it can't decrypt it... otherwise, try my other idea: set a known password answer for an existing user, and then copy this from the database record and update it with that.
Brian
I tried using FormsAuthentication.HashPasswordForStoringInConfigFile to generate a new encrypted value using both SHA1 and MD5. I used just the password and with the salt appended to the end. None of them worked. I don't think this is going to work unfortunately!
Noah
It's actually the SqlMembershipProvider class that you should be looking at; it has a method for doing the encryption... it would be a different algorithm. In my dev environment, I wanted to make all my passwords 'a' to make it easier to test. I disabled the security requirements temporarily, updated one user, then copied the password and passwordsalt and updated all the fields with this, and it worked... you may want to try that if you can.
Brian
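For the one-time migration the question describes, here is an added Python example (not code from the question or the answer) that reproduces how SqlMembershipProvider derives the stored PasswordAnswer from the user's own PasswordSalt, which is why a FormsAuthentication hash or a value copied from another user's row does not match. It assumes the default Hashed format with SHA1, that the provider lower-cases the answer before hashing it, and constructed sample salt and user values.

```python
import base64
import hashlib

# Constructed sample value (not from the thread): a 16-byte salt as the
# provider stores it in aspnet_Membership.PasswordSalt, base64-encoded.
SAMPLE_SALT = "AAECAwQFBgcICQoLDA0ODw=="


def encode_password(value: str, salt_b64: str) -> str:
    """Reproduce SqlMembershipProvider.EncodePassword for the default
    Hashed format with SHA1: base64(SHA1(salt_bytes + UTF-16LE(value))).
    Salt bytes come first and the text is UTF-16LE; neither matches
    FormsAuthentication.HashPasswordForStoringInConfigFile, which returns
    an unsalted hex digest, so values from that helper never compare equal."""
    salt = base64.b64decode(salt_b64)
    digest = hashlib.sha1(salt + value.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")


def encode_password_answer(answer: str, salt_b64: str) -> str:
    """The provider lower-cases the answer (invariant culture) before hashing
    it with the same PasswordSalt as the password; str.lower() is assumed
    equivalent for ASCII answers."""
    return encode_password(answer.lower(), salt_b64)


def seed_answer(row: dict, question: str, answer: str) -> dict:
    """Return the column values a one-time migration would write for a user
    whose PasswordQuestion/PasswordAnswer are NULL, derived from that user's
    own PasswordSalt so a later ResetPassword(answer) call will accept it."""
    return {
        "UserId": row["UserId"],
        "PasswordQuestion": question,
        "PasswordAnswer": encode_password_answer(answer, row["PasswordSalt"]),
    }


def verify_answer(row: dict, submitted: str) -> bool:
    """Mirror the provider's check in ResetPassword: the submitted answer,
    lower-cased and encoded with the stored salt, must equal PasswordAnswer."""
    if row.get("PasswordAnswer") is None:
        return False  # the 'password answer cannot be null' situation
    return encode_password_answer(submitted, row["PasswordSalt"]) == row["PasswordAnswer"]


# Constructed example row for an existing client with no answer set.
EXISTING_USER = {"UserId": "constructed-user-id", "PasswordSalt": SAMPLE_SALT,
                 "PasswordQuestion": None, "PasswordAnswer": None}
SEEDED_USER = {**EXISTING_USER, **seed_answer(EXISTING_USER, "Temporary question", "TempAnswer")}
```

Each user must get a value computed from their own PasswordSalt; the same plaintext answer produces a different PasswordAnswer for every row, so a single copied value only works for users who share a salt.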