Hi,

I need help using the PasswordRecovery control in .net 2.0. My situation is the application has changed from storing the passwordformat in Hashed to Clear.

The problem is the newly created users have a clear password stored and there are still users with hashed passwords. When I use the passwordRecovery control as below for users who still have a hashed password, the 'PasswordFormat' field is NOT altered to 'clear' for those previous users with hashed passwords.

<asp:PasswordRecovery
    MailDefinition-BodyFileName="/mailTemplates/changePassword.htm"
    MailDefinition-From="[email protected]"
    MailDefinition-Subject="Test"
    CssClass="noLines"
    ID="PasswordRecovery1"
    UserNameTitleText=""
    UserNameInstructionText="Enter User name and a new password will be generated and mailed to the user"
    runat="server"
    SuccessText="Your password has been sent to your registered email address."
    SubmitButtonStyle-CssClass="button"
    onsendingmail="PasswordRecovery1_SendingMail"
    MembershipProvider="AspNetSqlMembershipProviderF0005600">
</asp:PasswordRecovery>

<membership>
  <providers>
    <remove name="AspNetSqlMembershipProviderF0005600"/>
    <add name="AspNetSqlMembershipProviderF0005600" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" applicationName="/" requiresUniqueEmail="false" minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0" passwordFormat="Clear" maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
  </providers>
</membership>

(Apologies in advance for reposting).

+1  A: 

Short answer is that you'll have to use membership stored procedures to change this for the users with hashed passwords. Since the passwords are hashed, they will never be recovered anyway (except for breaking the hash algorithm).

See http://mishler.net/PermaLink,guid,ea65afc0-2970-46f1-9412-4b57bbd906f4.aspx. Scroll to the section "Changing Password Format" at the end of the article.

On your recovery page you can run a stored proc to find the format and change both the password and the format when the user decides to use recovery. But you can be more proactive and change all the hashed user passwords and email those users that their passwords have been reset.

kervin
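
The per-user format change the answer describes, as an added T-SQL example that is not part of the original post or the linked article. It assumes the default schema created by aspnet_regsql (the `aspnet_Membership.PasswordFormat` column and the `aspnet_Membership_SetPassword` procedure); the user name and new password are placeholders that the recovery page would supply.

```sql
-- Added example. Assumes the default aspnet_* schema (aspnet_regsql) and
-- applicationName="/" from the provider configuration in the question.
-- PasswordFormat: 0 = Clear, 1 = Hashed, 2 = Encrypted.
DECLARE @ApplicationName nvarchar(256), @UserName nvarchar(256),
        @NewPassword nvarchar(128), @Salt nvarchar(128),
        @Format int, @Now datetime, @rc int;
SET @ApplicationName = N'/';
SET @UserName    = N'example.user';            -- constructed sample value
SET @NewPassword = N'<new-password-from-app>'; -- placeholder, generated by the page
SET @Now = GETUTCDATE();

-- 1. Audit: how many accounts remain in each format for this application.
SELECT m.PasswordFormat, COUNT(*) AS Accounts
FROM dbo.aspnet_Membership m
JOIN dbo.aspnet_Applications a ON a.ApplicationId = m.ApplicationId
WHERE a.LoweredApplicationName = LOWER(@ApplicationName)
GROUP BY m.PasswordFormat;

-- 2. Find the stored format (and existing salt) for the user requesting recovery.
SELECT @Format = m.PasswordFormat, @Salt = m.PasswordSalt
FROM dbo.aspnet_Membership m
JOIN dbo.aspnet_Users u ON u.UserId = m.UserId
JOIN dbo.aspnet_Applications a ON a.ApplicationId = u.ApplicationId
WHERE a.LoweredApplicationName = LOWER(@ApplicationName)
  AND u.LoweredUserName = LOWER(@UserName);

-- 3. Only rows still marked Hashed get a new password and a new format;
--    Clear and Encrypted rows are left untouched.
IF @Format IS NULL
BEGIN
    RAISERROR(N'User not found for this application.', 16, 1);
END
ELSE IF @Format = 1
BEGIN
    EXEC @rc = dbo.aspnet_Membership_SetPassword
         @ApplicationName = @ApplicationName,
         @UserName        = @UserName,
         @NewPassword     = @NewPassword,
         @PasswordSalt    = @Salt,   -- keep the existing salt value; the column is NOT NULL
         @CurrentTimeUtc  = @Now,
         @PasswordFormat  = 0;       -- Clear, matching passwordFormat="Clear" in web.config
    IF @rc <> 0
        RAISERROR(N'aspnet_Membership_SetPassword returned %d.', 16, 1, @rc);
END
```

Running step 1 again afterwards shows how many accounts are still stored as Hashed and therefore still pending a reset.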