<add name="LDSAMembers" 
  type="System.Web.Security.SqlMembershipProvider" 
  connectionStringName="" 
  applicationName="" 
  requiresUniqueEmail="true" 
  passwordFormat="Encrypted" 
  minRequiredPasswordLength="6" 
  enablePasswordReset="true" 
  enablePasswordRetrieval="true" 
  maxInvalidPasswordAttempts="5" 
  passwordAttemptWindow="15" 
  requiresQuestionAndAnswer="false" 
  minRequiredNonalphanumericCharacters="0" />

I need the decrypted password to log in to the system. I found the password and passwordsalt fields in the database.

+1  A: 

No. This is by design.

Daniel A. White
Password format is Encrypted, Password Retrieval is enabled. It should be possible through the API. http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.enablepasswordretrieval.aspx
Greg
How? Can you guide me more? I am a newbie.
Surajit
-1 Encryption is meant to be reversed.
Sky Sanders
But if it's a hashed password, then it isn't reversed.
Daniel A. White
A: 

Typically systems like this are designed using one-way encryption to prevent exactly what you are trying to do. If you are working on the system, it is better to create your own account rather than use someone else's.

RedFilter
I don't think there is such a thing as "one-way encryption". Perhaps you mean "hashing"?
Adam Paynter
@Adam: see http://en.wikipedia.org/wiki/One-way_encryption
RedFilter
Why the downvote?
RedFilter
@RedFilter: BTW, down vote wasn't me.
Adam Paynter
+2  A: 

I see you have enablePasswordReset="true", so use the normal route.

Henk Holterman
A: 

Assuming that you actually have a real connection string configured (and not connectionStringName="" like in your example), you can just use this in your code

// GetPassword is defined on the provider, not on the static Membership class.
Membership.Provider.GetPassword(username, "");

There are a lot of exceptions that can be thrown by that method, for example if the password answer is actually set, or if the user is locked out. See here for more details:

http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.getpassword.aspx

Greg
Why the downvote?
Greg
A: 

You will need the encrypted password, salt and the machineKey section from the machine that encrypted the password.

This section MUST be defined, which it is not by default, to support encryption. So, unless you are working on the server that encrypted the data, you will need to get the keys from that machine.

They can be defined anywhere in between the web.config of the app all the way down to the root web.config in c:\windows\microsoft.net

So - there is the key, so to speak.

If you have access to this section, DO NOT POST IT HERE, but do leave me a comment and we can talk about decrypting.

Sky Sanders
+1  A: 

I used the above configuration in a scenario where it was appropriate (i.e. passwordFormat="Encrypted"). The following code was used to reset a user's password with a specified new password (as opposed to generating a new password), so that the cs rep can ask the user for a new password while on the phone and change it for them, without knowing the old password.

A call to user.ChangePassword requires the current password to be passed:

MembershipUser user = Membership.GetUser(userId);
user.ChangePassword(user.GetPassword(), newpw);

user.Password() returns the current password in clear text.

cdonner
Thanks for your code. It works.
Surajit
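
Added example, not part of the original thread or any poster's code: a Python check that parses a web.config membership section like the one in the question and flags providers whose stored passwords are recoverable, either through the machineKey (passwordFormat="Encrypted"), in plain text (passwordFormat="Clear"), or through GetPassword (enablePasswordRetrieval="true"). The sample config, the HashedExample provider and the function name audit_membership are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the provider entry in the question;
# the connection string name is a placeholder.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="LDSAMembers">
      <providers>
        <add name="LDSAMembers"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="PLACEHOLDER"
             passwordFormat="Encrypted"
             enablePasswordRetrieval="true" />
        <add name="HashedExample"
             type="System.Web.Security.SqlMembershipProvider"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false" />
      </providers>
    </membership>
  </system.web>
</configuration>"""


def audit_membership(config_xml):
    """Return {provider name: [findings]} for providers with recoverable passwords."""
    root = ET.fromstring(config_xml)
    report = {}
    for membership in root.iter("membership"):
        for add in membership.findall("./providers/add"):
            # Compare case-insensitively; an omitted passwordFormat defaults to Hashed.
            attrs = {k.lower(): v.strip().lower() for k, v in add.attrib.items()}
            findings = []
            fmt = attrs.get("passwordformat", "hashed")
            if fmt == "clear":
                findings.append("passwordFormat=Clear: passwords stored in plain text")
            elif fmt == "encrypted":
                findings.append("passwordFormat=Encrypted: recoverable with the machineKey")
            if attrs.get("enablepasswordretrieval", "false") == "true":
                findings.append("enablePasswordRetrieval=true: GetPassword returns clear text")
            if findings:
                report[add.get("name", "(unnamed)")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_membership(SAMPLE_WEB_CONFIG).items():
        for finding in findings:
            print(f"{name}: {finding}")
```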