views: 214

answers: 3

Hi, in my application the password is encrypted, and if the user forgets the password, there is no way to recover it. Now we are cancelling that user account and creating a new one. Now I want a proper method to recover the password. The login is done using the ASP.NET configuration tool. How can I recover my password using this? Is there any alternative option for this? How can I decrypt my password in the database?

+2  A: 

The idea is that no one can decrypt the password (including the database owner). Normally you'd generate a new password & send that to the user as well as encrypting it & placing it into the database.

Alconja
A: 

How do you encrypt your passwords? Is it one-way encryption that can be decrypted only with the right password? If so - game over.

You can change the encryption method so it can be decrypted using a key (which is not the password; it can be, for example, a combination of the user's id, birthdate and a secret word he enters, which is saved in the DB unencrypted).

Then, the password can be decrypted using the key and everyone will be happy.

Faruz
How can I do this? Please advise.
Nandini
Read about AES encryption using the Rijndael algorithm. It's really easy. http://msdn.microsoft.com/en-us/library/system.security.cryptography.rijndaelmanaged.aspx
Faruz
+1  A: 

As others have said, hopefully the password is one-way encrypted in the database. One method that many sites use for recovering a password is to generate a hash of the user's primary username and email address. Have them provide this information and then hash it. If it matches, generate them a new random password, encrypt it and overwrite the old password. Email the user their new password at the email address they originally provided, and mark the row in the database to force them to change it the next time they log in (usually done if the passwords are hand generated).

A few sites I know of allow you to recover your password, and I assume they use a reversible (i.e. symmetric) key algorithm for generating the password. In order to do this, and not have it available to the site owner, you need the user to provide two pieces of information (username and a salt only known to them) which are applied to secure the login information and can be used to recover it.

You can look at symmetric key cryptography on MSDN for more info. Really though, I recommend against using this technique; generating a new password is preferable if possible.

GrayWizardx
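The reset flow described in the answers above (one-way hash in the database, a recovery check on username plus email, then a fresh random password with a forced change), as an added example that is not part of the original thread or of ASP.NET Membership. The in-memory `USERS` table and the helper names are constructed for illustration; PBKDF2 stands in for whatever one-way hash the membership provider uses.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed in-memory stand-in for the membership table: per user, a salt,
# a one-way PBKDF2 hash of the password, a recovery hash, and a must-change flag.
USERS = {}

def _hash_password(password, salt, iterations=100_000):
    # One-way: the password cannot be recovered from salt + hash, only checked.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def _recovery_hash(username, email):
    # Hash of the identifying details the user must supply to request a reset.
    return hashlib.sha256(f"{username.lower()}\0{email.lower()}".encode("utf-8")).digest()

def create_user(username, email, password):
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "hash": _hash_password(password, salt),
        "recovery": _recovery_hash(username, email),
        "must_change": False,
    }

def verify_login(username, password):
    row = USERS.get(username)
    if row is None:
        return False
    # Constant-time comparison so timing does not leak how close a guess was.
    return hmac.compare_digest(row["hash"], _hash_password(password, row["salt"]))

def recover_password(username, email, length=16):
    """Reset flow: check the supplied details, then replace (never decrypt) the password.

    Returns the new random password to be e-mailed to the registered address,
    or None if the details do not match a known user."""
    row = USERS.get(username)
    if row is None or not hmac.compare_digest(row["recovery"], _recovery_hash(username, email)):
        return None
    alphabet = string.ascii_letters + string.digits
    new_password = "".join(secrets.choice(alphabet) for _ in range(length))
    row["salt"] = os.urandom(16)            # fresh salt for the fresh password
    row["hash"] = _hash_password(new_password, row["salt"])
    row["must_change"] = True               # force a change at next login
    return new_password
```

Nothing in the stored row allows the old password to be reconstructed; recovery only ever produces a new one.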