1. the user enters a password
2. the provider adds the salt value to the password - i.e., "mypassword" + "saltvalue"
3. this string is encrypted using the machine key.
4. the salt value and the result of the encryption is stored in the database
5. when the user logs in again, the password is added to the salt value and encrypted - if the encrypted value matches the value stored in the database, the user is authenticated.
1. Create a new class that derives from MembershipProvider. You don't need to provide an implementation for any method or property. You could call it RecoveryProvider.
2. Create a new method on your derived class, call it something like: public string RecoverPassword(string password)
3. In that method, add this code:
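    // Needs: using System; using System.Text; using System.Configuration.Provider;
    try
    {
        // The stored value is the Base64 text of the encrypted bytes.
        byte[] data = Convert.FromBase64String(password);
        data = this.DecryptPassword(data);
        // Assumes the SqlMembershipProvider layout: a 16-byte salt followed by the UTF-16 password.
        return Encoding.Unicode.GetString(data, 16, data.Length - 16);
    }
    catch (ProviderException)
    {
        // No machine key?
        return null;
    }
4. Call it in your code like this:
    RecoveryProvider recover = new RecoveryProvider();
    string password = recover.RecoverPassword(encryptedPassword);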
Marked as answer by Dimebrain on Jun 19, 2009 09:57 AM
Lotos1
Member
56 Points
239 Posts
Decrypt password using machine key and password salt
Aug 21, 2008 08:48 PM
I am looking for a method to decrypt a user's password. I store the password in the database in encrypted form by using a machine key specified in web.config. There is also a password salt field in the database. How can I decrypt a specific password if I have the key, password salt and encrypted password? The reason I want to do this is so that I can gain full access to a user's account if needed. I already set it up for the user to be able to reset their password.
NecroxPy
Participant
1370 Points
251 Posts
Re: Decrypt password using machine key and password salt
Aug 21, 2008 09:31 PM
If you configure the password to Encrypted in your membership tag, you cannot restore the password.
Assuming that you use the ASP.NET membership.
Regards. [:P]
Christian Manuel Amado Silva
[MCITP] Windows Vista Consumer Support Technician
[MCTS] Windows Vista, Configuration
[MCTS] .NET Framework 2.0: Web Applications
[MCTS] Microsoft Windows Mobile 5.0 Application Development
[MCTS] Microsoft SQL Server 2005
[MOS] Microsoft Office Master Specialist
Mark a post as an answer when it is
Lotos1
Member
56 Points
239 Posts
Re: Decrypt password using machine key and password salt
Aug 21, 2008 09:42 PM
The passwords are not hashed, so they are not 1-way. They are just encrypted with a machine key. I should be able to decrypt them since I allowed password retrieval for users. If the system can retrieve them for users who forget them, then I can do the same. I just need the method for decryption.
Lotos1
Member
56 Points
239 Posts
Re: Decrypt password using machine key and password salt
Aug 22, 2008 07:45 PM
Does anyone have the code for the password decryption? I also found out in my web.config file that there is a decryption key and validation key. Also I have this, validation="SHA1" decryption="AES". I am really not sure now if this can be decrypted. The user can retrieve the actual password if they forget it, so there must be a way. Does anyone have any ideas? I need this because sometimes a user will ask something to be modified because they will not know how to do it, and I do not want to ask them for their password since I am supposed to know it and it is not very secure to send passwords in e-mail.
12string
Member
10 Points
9 Posts
Re: Decrypt password using machine key and password salt
Aug 25, 2008 06:00 PM
Time To Vent: Why is the MSDN site for implementing Membership Service and Password Recovery so lame?
Have you ever experienced the Password Recovery Control sending a blank for the password in the email? I'm working on a system that implements the Membership Service and everything works fine except when the user tries to recover their password. The email that is sent to them DOES NOT contain their password, even though I can see it stored in the system tables (i.e., using Clear).
NecroxPy
Participant
1370 Points
251 Posts
Re: Decrypt password using machine key and password salt
Aug 30, 2008 02:24 AM
You can read these documents:
Regards [:)]
sbillingsley
Member
642 Points
121 Posts
Re: Decrypt password using machine key and password salt
Aug 30, 2008 02:43 AM
membership passwords 101.
there is a much easier way to give yourself access to log in as an existing user.
make a page with a textbox, and then set an authorization cookie with that username.
FormsAuthentication.SetAuthCookie(username, false);
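An added sketch of the code-behind for such a page (not part of the original post): it checks that the caller is an administrator, confirms the target account exists, and records who switched to whom before issuing the cookie. The page class, the UserNameBox and StatusLabel controls and the "Administrators" role name are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical code-behind for an admin-only support page. UserNameBox (TextBox),
// StatusLabel (Label) and the "Administrators" role are assumptions, not from the thread.
public partial class ImpersonateUser : Page
{
    protected void SwitchButton_Click(object sender, EventArgs e)
    {
        // Refuse unless the caller is an authenticated administrator.
        if (!User.Identity.IsAuthenticated || !User.IsInRole("Administrators"))
        {
            throw new HttpException(403, "Forbidden");
        }

        // Resolve the target through the membership provider so unknown names are rejected.
        string target = UserNameBox.Text.Trim();
        MembershipUser account = target.Length == 0 ? null : Membership.GetUser(target);
        if (account == null)
        {
            StatusLabel.Text = "Unknown user.";
            return;
        }

        // Audit trail: who switched to whom, and from which address.
        // Fully qualified because Page.Trace would otherwise hide System.Diagnostics.Trace.
        System.Diagnostics.Trace.TraceWarning(
            "Impersonation: admin={0} target={1} ip={2} utc={3:o}",
            User.Identity.Name, account.UserName, Request.UserHostAddress, DateTime.UtcNow);

        // Replaces the caller's forms-authentication cookie with one for the target user.
        FormsAuthentication.SetAuthCookie(account.UserName, false);
        Response.Redirect("~/", false);
    }
}
```

Because the cookie is replaced, the browser session continues as the target user until sign-out; the page itself should also be restricted to the administrator role in the site's authorization rules.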
Lotos1
Member
56 Points
239 Posts
Re: Decrypt password using machine key and password salt
Aug 30, 2008 03:21 AM
If you use FormsAuthentication.SetAuthCookie(username, false), then you have to log in first as an admin. So how can you be logged in as admin and regular user at the same time?
Dimebrain
Member
111 Points
72 Posts
Re: Decrypt password using machine key and password salt
Aug 30, 2008 08:58 PM
Lotos1,
You might be able to do it this way:
1. Create a new class that derives from MembershipProvider. You don't need to provide an implementation for any method or property. You could call it RecoveryProvider.
2. Create a new method on your derived class, call it something like: public string RecoverPassword(string password)
3. In that method, add this code:
4. Call it in your code like this:
sbillingsley
Member
642 Points
121 Posts
Re: Decrypt password using machine key and password salt
Sep 03, 2008 05:08 AM
or, since this is not a hashed password - just use the existing DecryptPassword method.
http://msdn.microsoft.com/en-us/library/system.web.security.membershipprovider.decryptpassword.aspx