Security :: Convert Existing User Database From Hashed To Encrypted
Aug 12, 2010
I've taken over a website which has around 3000 users registered using the standard asp.net membership provider on a SQL database. When the website was set up there were a lot of gaps in the system and we have a lot of tidying up to do of users with the same email addresses etc and invalid addresses so i'm just starting to look at how i can wrap all of this up and make administering the user accounts easier.
At the moment the account passwords are stored in "Hashed" format set in the web.config and obviously this doesn't allow for password retrieval. I want to know whether there is a way of converting all of these passwords from a hashed format to an encrypted format thus allowing me to create a password recovery page that doesn't then send the user a new password which is quite often something like "a*ns7#<3lx"
Ideally i'd like to convert all of these if that is possible so that I do a much simpler password retrieval system. If this is not possible can you tell me how i go about setting the passwordreset value not to contain all sorts of non-alpha/numberic characters?
I'm finding surprisingly little information on converting an existing database from Encrypted passwords to Hashed passwords. (I was able to find a bit more information on converting the other way, but it wasn't of much help.)
As most people know, changing the passwordFormat setting in web.config only affects new users. I have a database with a couple of hundred users and I'd like to convert them to use hashed passwords without changing those existing passwords.
I had been trying to solve this but there is a hidden key i wish someone point me to.
I had a simple membership database with users in first the Membership Provider configured for clear password to retrieve the original password .
Now a new requirement say that the password must be hashed and reset .
I configure the Membership password to hash , and Implemented the Reset Password Module.
My problem is as follow.
If the user is new registered user with the new configuration the password and the security answer is hashed.
also when I go and reset the password it continue to be hashed.
Now I thought that with new configuration if any previous user with clear text configuration , If he use the password Reset module , because my configuration now is hashed , I expected that the new password and security answer will be hashed . what happen is old user continue in clear text even if the configuration is hashed. so If I had new users everything is fine.
old users Membership Provider somehow know they had been stored in clear text and it keep change password and security answer in clear text . If I delete this user and create it , Membership Provider understand that everything will be hashed. I need to know how it know this , I need to migrate users not to delete and recreate users .
Also if there are no solution for that , I wish Microsoft Consider it in future cause it is a real user scenario, that can happen imagine a business system that related to membership user Id , deleting users and recreate them is not a solution .
So as the title suggested, I'm currently trying to compare the hashed answer in my database against the answer typed in the textfield by the user in the form.
I thought of hashing the answer in the textfield typed by the user first, and after that compare this newly hashed answer to the one in the database (which is already hashed). But when I typed in the SAME answer (before hashing) and hashed it to get the hashed value, by right the 2 hashes (in web form and database) should match? Somehow, it didn't. And I can't seem to get security answer right anymore (even though I typed the SAME security answer).
This is the code behind the button:
[Code]....
I tried in another way too, but still the same thing.
I have a small database, with a very small number of users. The passwords were stored as clear as the database was so small and held no sensitive data. The database is now to be expanded and passwords are required to be encrypted. I can change the Password Format in the web.config, but is there a way to change the existing passwords from clear to encrypted?
for maintain security, i encrypted my password and store in database like following
Dim PWD As String = FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text.Trim(), "SHA1").Trim()
but problem is suppose user forget his password and need to know then how can i decrypted the password and send to the user?is there any other suitable way to handle password?
you could create your own custom Profile provider that operates against existing database tables .i want u to help me out if u have an idea where i can get steps by steps to carry out the above operation.i know there are various options in creating profile , particularlly the use of web. configuration, the default ASPNETDB, and XML files, BUT i wish to use an existing database which i prefer.
I have an existing SQL database containing student:class enrollments and would like to add a login feature using asp.net's built in Membership and Roles management tools. to how to integrate the Application Services Database with an existing SQL database? Once I have created the Application Services tables using aspnet_regsql tool how and where do I create a link between my tables and the .Net Membership tables?
I am newbie to asp.net.I want to create roles for the existing users in my database. I dont want to use the membership provider database n roles provided with it.(i don't want to use aspnet.mdf at all)
I am create roles for my existing users n assign i wanted to assign the particular roles to a particular assign.
I setup a website to use hashed passwords with the membership provided by Asp.net. I'm looking for a way to convert all passwords to clear text. Hashed passwords are overkill for this site and many users can't figure out how to cut and paste the complex temporary password when they request a forgotten password. I understand that you can't retrieve a hashed password.
I have a problem .I am using CAPICOM for digitally sign the data and for this purpose i am using SHA1 algorithm.In CPICOM there is one class CAPICOM.SignedData which is used for this purpose.My problem is how can i give SHA1's hashed data to this class (to it's sign method) for returning the digital signature of exactly 172 bit long?
I am creating a Web Application in asp.net 2.0 and sql server 2005.I want to use an existing database.
I have created a login and a signup page. Then i replace the new SQL database (the one that is created automaticly by the visual studio) with the exiting database I have.If I create a new user, the new user goes to the database and I can login with the new user. I cannot login with the existing users.If I go to the asp.net configuration, I only can see the new users I have created, I cannot see the users that were in the database already and I can't see the roles also.
I can I make the new application to recognize the users and roles of the existing database?
I want to compare a user-entered value on a Web form against an array of existing values from the database, and do so on blur. If match, then show error. Scenario is to stop user from needlessly filling out other fields if this record has already been entered.
how to trigger this? What parts are client-side, what parts are server-side? Can I do it without Javascript?
I am using a standard implementation of the membership provider. I however, need to compare a supplied password (from a textbox) with a saved encrypted password. This is for a new security policy at work.
i'm having a problem with symmetric key and certificate. the issue is, this database i'm using now is restored from a different source and ever since, i've been having problem regarding the symmetric key or certificate the error message i'd get from the aspx web pages would be "Please create a master key in the database or open the master key in the session before performing this operation" yes i did open the master key
For testing I used this:[URL]Encrypts only the password is not encrypted and username.Why not?For security reasons, I would like also to encrypts username.
reading on the web ive found the code below; i wonder if an encrypted string using this block generates an unique result or if different encrypted sources can result in the same crypted array:
private static TripleDES CreateDES(string password) { MD5 md5 = new MD5CryptoServiceProvider(); TripleDES des = new TripleDESCryptoServiceProvider(); des.Key = md5.ComputeHash(Encoding.Unicode.GetBytes(password)); des.IV = new byte[des.BlockSize / 8]; return des; }
So if i encrypt connectionstrings and sections, how will i get their values inside my code?I don't want to decrypt the web.config, i just want to read the encrypted values.There must be a class.Maybe something from ConfigurationManager?I don't suppose it's automatically decrypted?
Our application lets the administrator create new users. Since the administrator is logged in, I have set Logincreateduser = false so that the administrator is not logged out even after creating the new user.
The problem is :I need the userid of the newly created user to store additional details of the user in another database table. I see that i can get the username using Createuserwizard1.username; but how do I get the userID?
I'm creating a website and currently making tests for registration. I've manage to create a registration form in the web site and save what the user inputs in the textboxes into a sql server 2008 database.
One of the fields is Password. What I want know is how do you save the password into the database but the database stores it encrypted. That way I'm just able to see the password encrypted. Then when I make a log-in form how to validate the password input by the user with the encrypted one and give a succesful login.
