On a page I'm adding retrieve forgotten USERNAME

Step 1) Enter email address (Get account by email)

Step 2) Verify Security Question (they provide answer and I validate it)

Step 3) Send them an email with username

Step 2 is where I'm stuck. How do I validate the answer with what's stored in the database?

All values are hashed.

I see other questions posted similar to this but they don't answer the question, at least not clearly.

+1  A: 

Like you said, the values in the DB are hashed, so in order to validate that what the user typed in matches what's in the DB, hash the value that the user entered and compare the two hashed values. If they are equal, it validates.

You basically need to hash the answer text before you compare it to the value in the database.

Also, be aware that sometimes the answer text is salted with a value before it is hashed, so the same steps would need to be taken when validating.

slolife
A: 

Looking at the provider, it does not expose any methods for you to perform your desired step two.

You will need to do the following.

  1. Create a stored procedure that will retrieve results based on the email and answer.
  2. As you mentioned, since the answer is hashed, you will need to MD5 hash the user-supplied values. (FormsAuthentication.HashPasswordForStoringInConfigFile would work for this)
  3. Call your stored procedure with the needed parameters to validate that the user's information matches.
Mitchel Sellers
A: 

This approach doesn't work; the FormsAuthentication.HashPasswordForStoringInConfigFile function hashes different values than the original hashed answer. According to the web page http://bartdesmet.net/blogs/bart/archive/2004/12/25/515.aspx, the first parameter takes a concatenation of the clean answer and the appropriate salt from the membership table. I've tried but it didn't work.

I will be crazy. Please help us.

Selman B
If you have a follow-up question, it's better to post it as a new question than as an answer to an old question. In the top right is an "Ask Question" button to do so. You of course can always link to this page for reference in the new question.
sth