I'd like to use the ASP.NET membership provider in the following (low-security) scenario...

My company will create and administer user accounts on behalf of our clients. These accounts will likely be shared amongst several people in the client company (is that a problem?).

There will be 2 types of users (2 roles): client and administrator. Administrators are the people within my company that will have special privileges to create client user accounts, etc.

Clients will not be able to self-register. They also won't get to choose their own password, and they should not be able to change their password either, since that will just create confusion where several people are sharing the same account.

My internal users (admins) will set the password for each client. Here's the bit I'm struggling with: if a client phones up and asks to be reminded of their password, how can my admin users find out what the password is? Can I configure the provider to store the password in clear text (or other recoverable form), and if so can I get at the password through the .NET API?

As I said at the outset, this is a low-security application, and so I plan simply to show the password in the (internal) web page where I have a list of all users.

+1  A: 

Hi,

Even though it's low security, it's best not to store the password in plain text. Since you want it to be recoverable, you should look at encrypting the passwords. By encrypting, it can be reversed back to its original form with the correct key. Have a look at the Membership section here

SSL
@superexsl: I understand the arguments against storing in plain text, but I do think that there's no point whatsoever in encrypting them given that I'm going to have to *display* them in the clear anyway (and given that the passwords will be freely shared with several people in the client company). Someone who really wanted to know the password would probably find getting at the database far less convenient than many other "soft" methods.
Gary McGill
@Gary: That's fine. You can store them in plain-text using `Clear` as the passwordFormat (as Mick Walker has shown).
SSL
+1  A: 

Here is an example of how to do this:

<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
  <providers>
    <clear />
    <add
      name="SqlProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="MySqlConnection"
      applicationName="MyApplication"
      enablePasswordRetrieval="false"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="true"
      requiresUniqueEmail="true"
      passwordFormat="Clear" />
  </providers>
</membership>

passwordFormat

Specifies the password format. The SQL Server membership provider supports Clear, Encrypted, and Hashed password formats. Clear passwords are stored in plain text, which improves the performance of password storage and retrieval, but is less secure because passwords are easily read if your SQL Server database is compromised. Encrypted passwords are encrypted when stored and can be decrypted for password comparison or password retrieval. This requires additional processing for password storage and retrieval, but is more secure because passwords are not easily deciphered if the SQL Server database is compromised. Hashed passwords are hashed using a one-way hash algorithm and a randomly generated salt value when stored in the database. When a password is validated, it is hashed with the salt value in the database for verification. Hashed passwords cannot be retrieved.

Mick Walker
I personally think storing passwords as clear text is suicidal for your application, but you asked HOW to do it, not IF you should do it, so I am providing you with this answer.
Mick Walker
@Mick: re the second part of my question, can I get the password via the .NET Membership API? Or would I have to query the database tables myself?
Gary McGill
@Gary, I am not 100% sure, but I would hazard a guess at yes.
Mick Walker
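The following is an added example, not code from the question or from either answer, showing how the internal admin page could read the stored passwords back through the .NET Membership API (the open point in the comments above). It assumes the SqlMembershipProvider configuration from the second answer with one change that retrieval needs: enablePasswordRetrieval="true" (with "false", as posted, MembershipUser.GetPassword() throws NotSupportedException). It also assumes passwordFormat is "Clear" or "Encrypted"; a provider configured as "Hashed" together with enablePasswordRetrieval="true" refuses to initialize, since hashed passwords cannot be retrieved. The class and method names (AdminPasswordListing, ListPasswords, ReadPassword) are my own.

```csharp
// Added example: admin-side listing of stored membership passwords via the Membership API.
// Assumed web.config (second answer's provider, with enablePasswordRetrieval="true"):
//   passwordFormat="Clear" or "Encrypted", requiresQuestionAndAnswer="true".
// "Encrypted" additionally needs a <machineKey> with an explicit decryptionKey
// (not AutoGenerate), otherwise the provider cannot decrypt what it stored.
using System;
using System.Collections.Generic;
using System.Configuration.Provider;
using System.Web.Security;

public static class AdminPasswordListing
{
    // Summarises what the active provider allows, so a misconfiguration shows up
    // as a readable message on the admin page rather than as an exception.
    public static string DescribeRetrievalSupport()
    {
        MembershipProvider p = Membership.Provider;
        if (p.PasswordFormat == MembershipPasswordFormat.Hashed)
            return "Hashed: passwords cannot be retrieved, only reset.";
        if (!p.EnablePasswordRetrieval)
            return p.PasswordFormat + ": retrieval disabled; set enablePasswordRetrieval=\"true\".";
        return p.PasswordFormat + ": retrieval enabled"
             + (p.RequiresQuestionAndAnswer ? " (password answer required per user)." : ".");
    }

    // Returns user name -> stored password (or a bracketed reason it could not be read)
    // for every account, i.e. the data the internal user list would display.
    // passwordAnswers is only consulted when requiresQuestionAndAnswer="true";
    // with the asker's shared accounts the admin side would hold these answers.
    public static IDictionary<string, string> ListPasswords(IDictionary<string, string> passwordAnswers)
    {
        var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (MembershipUser user in Membership.GetAllUsers())
        {
            string answer = null;
            if (passwordAnswers != null)
                passwordAnswers.TryGetValue(user.UserName, out answer);
            result[user.UserName] = ReadPassword(user, answer);
        }
        return result;
    }

    // Reads one user's password, checking the provider settings first so that
    // each failure mode is reported instead of thrown.
    public static string ReadPassword(MembershipUser user, string passwordAnswer)
    {
        if (Membership.Provider.PasswordFormat == MembershipPasswordFormat.Hashed)
            return "(hashed: not retrievable)";
        if (!Membership.EnablePasswordRetrieval)
            return "(retrieval not enabled)";
        if (Membership.RequiresQuestionAndAnswer && passwordAnswer == null)
            return "(password answer required)";
        try
        {
            // GetPassword(answer) makes the provider validate the answer first;
            // the parameterless overload is for providers that do not require one.
            return Membership.RequiresQuestionAndAnswer
                ? user.GetPassword(passwordAnswer)
                : user.GetPassword();
        }
        catch (ProviderException ex)
        {
            // Wrong answer, locked-out user, or an undecryptable value (bad machineKey).
            return "(" + ex.Message + ")";
        }
    }

    // Admin-only account creation for the "clients cannot self-register" requirement:
    // the admin picks the password and question/answer, then assigns the client role.
    // Assumes a role named "client" exists (Roles.CreateRole("client") if not).
    public static MembershipCreateStatus CreateClientAccount(
        string userName, string password, string email, string question, string answer)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(userName, password, email, question, answer, true, out status);
        if (status == MembershipCreateStatus.Success)
            Roles.AddUserToRole(userName, "client");
        return status;
    }
}
```

Bind ListPasswords to the admin page behind a role check for the administrator role, since the page now exposes every stored credential to whoever can load it; everything the second answer quotes about the "Clear" format being readable straight out of a compromised SQL Server database applies equally to this page.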