tags:

views:

327

answers:

3
+1  Q: 

Validating hashed aspnet-service passwords programmatically

I have a website of which I am migrating membership from aspnet services to a custom provider. I would like to migrate existing users without them needing to change their passwords.

The users passwords are currently stored using a one-way encryption. The only option for me is to use the same salt and passwords that asp services and validate against them with my custom provider.

Here is the configuration used to currently hash the passwords with aspnet services.

    <membership defaultProvider="AspNetSqlMembershipProvider" userIsOnlineTimeWindow="15" hashAlgorithmType="">
  <providers>
   <clear/>
   <add connectionStringName="dashCommerce" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="dashCommerce" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" passwordStrengthRegularExpression="" minRequiredPasswordLength="4" minRequiredNonalphanumericCharacters="0" name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
  </providers>
 </membership>

I have been pulling my hair out trying to wright the code needed to validate passwords against hashes generated by this config.

This is what I got so far. Any help would be greatly appreciated.

    private static string CreatePasswordHash(string Password, string Salt)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(Password + Salt, "SHA1");
    }
+1  A: 

I dug through reflector and found the code used to compute hashes

    private static string CreatePasswordHash(string Password, string Salt)
    {
        string passwordFormat = SettingManager.GetSettingValue("Security.PasswordFormat");
        if (String.IsNullOrEmpty(passwordFormat))
            passwordFormat = "SHA1";
        byte[] bytes = Encoding.Unicode.GetBytes(Password);
        byte[] src = Convert.FromBase64String(Salt);
        byte[] dst = new byte[src.Length + bytes.Length];
        byte[] inArray = null;
        Buffer.BlockCopy(src, 0, dst, 0, src.Length);
        Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);

        HashAlgorithm algorithm = HashAlgorithm.Create(passwordFormat);
            inArray = algorithm.ComputeHash(dst);

        return Convert.ToBase64String(inArray);
    }

This worked

Thanks!

Paul Knopf  2009-10-14 05:30:38
really gr8.....
Sachin  2010-06-11 05:47:23
A: 

When I use this example i get an error at SettingManager. Why?

C-Sharp Starter  2010-09-21 10:07:40
Sorry, some application specific code. Just make it say SHA1
Paul Knopf  2010-09-21 17:23:15
A:  
   //string hashOldPassword = utl.generateHash(txtpassword.Text);

string hashOldPassword= FormsAuthentication.HashPasswordForStoringInConfigFile(txtpassword.Text,"SHA1");

  //string hashOldPassword = Membership.Provider.GetPassword(Page.User.Identity.Name.ToString(), string.Empty);
    MembershipUser user = Membership.GetUser();
    //string hashOldPassword = user.GetHashCode(

    if (txtnewpassword.Text.Length < 7)
    {

    }
    var userId = user.ProviderUserKey;
    var user1 = Membership.GetUser();

    MembershipPasswordFormat passwordFormat;
    string passwordSalt;
    string password;
    SqlConnection sqlconn = new SqlConnection(Connect.Connection());
    //var cstring = ConnectionStrings[Connect.Connection()];
    using (var conn = new SqlConnection(sqlconn.ConnectionString))
    {
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "select PasswordFormat,PasswordSalt,Password from aspnet_Membership where UserId=@UserId";
            cmd.Parameters.AddWithValue("@UserId", userId);
            conn.Open();

            using (var rdr = cmd.ExecuteReader())
            {
                if (rdr != null && rdr.Read())
                {
                    passwordFormat = (MembershipPasswordFormat)rdr.GetInt32(0);
                   // passwordFormat = rdr.GetString(0);
                    passwordSalt = rdr.GetString(1);
                    password = rdr.GetString(2);

                    if (hashOldPassword == password)
                    {
                        user.ChangePassword(txtpassword.Text, txtnewpassword.Text);
                    }
                    else
                    {
                    }
                    //if(password.ToString()!=txtpassword)
                }
                else
                {
                    throw new Exception("An unhandled exception of type 'DoesntWorkException' has occured");
                }
            }
vaishali  2010-09-27 11:10:02

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords