I have an asp.net page where I have used FormsAuthentication.HashPasswordForStoringInConfigFile. Encrypted password is saved in database. I have created a forgotPassword page. Where I need to send user his password. How can I decrypt it and send it to user. if SHA1 can not be decryoted what other option should I use to encrypt the passwords?
My issue today is that i have a MySQL Database and am using the security framework provided by the ASP.NET Membership and Role Providers...I override the default methods with my own MySQL.
Now the issue comes in when i someone would like to have their password reset. My application is running entirely on an Intranet so i cannot have their passwords emailed to them. Is there a way i can have this information displayed in any way so that the user can use it to Log Reset, Create Accounts or Recover their lost passwords on an intranet without the administrators intervention?
Recently i had an approach as follows. In my web.config<system.net><mailSettings><smtp deliveryMethod="pickupDirectoryLocation" and my location was a folder on C drive as c:/SavedPasswords. Now i understand this was such a big security threat and thats why i am looking for a better option.
I would have that folder created using my System.IO and then the Mail is dropped into that folder. Then after the process is successful, i tell the user to check into that location and Read its content.
Then there is a global variable that is set to true...meaning that the folder at c:/ has been created. then there is a Method in a certain class that once it sees this variable True, it reads the readers c:/ and deletes that folder "save" if it exists;
I have a small database, with a very small number of users. The passwords were stored as clear as the database was so small and held no sensitive data. The database is now to be expanded and passwords are required to be encrypted. I can change the Password Format in the web.config, but is there a way to change the existing passwords from clear to encrypted?
I have a problem .I am using CAPICOM for digitally sign the data and for this purpose i am using SHA1 algorithm.In CPICOM there is one class CAPICOM.SignedData which is used for this purpose.My problem is how can i give SHA1's hashed data to this class (to it's sign method) for returning the digital signature of exactly 172 bit long?
Having spent considerable amount of time in ASP.NET security community I would like to share this.
There are three ways of resetting and changing passwords explained at
Microsoft ASP.NET site[URL]
Step 1: Helping Users Recover Lost Passwords Step 2: Changing Passwords Step 3: Allowing Administrators to Change Users' Passwords
In step 1 and step 2 end user passwords are sent by an email.
In Step 3: functionality is explained where administror changing the password and sending through email msg. refer "I encourage those readers interested in this functionality to become more familiar with the code and try extending the functionality to include sending an email to the user whose password was changed. Query
Is Sending passwords by emial secure enough or best security password at all? I have implemented functionality where Admin sending passwords to end users by changing once in 3 months. End users expressed their views that sending passwords by email is not secure. When there is security threat in sending passwords by email, Microsoft security experts should not emailing passwords in above mentioned article, which is still up to date.
I have been trying to change a users password, I have been using this code
I do not get an error during the try routine, but my problem comes that when the user goes it insert their new password (using login Control) it says that the password is wrong.. and they then can't login using either their new or old password.
All Password critria is met, web.config if set so passswordQuestion = false
I want the login password to not be sent in plaintext (due to the risk of hijacking). I know that this can be achieved in principle using MD5 or the like, but is there a common implementation for use with Asp.Net? Of course, it's crucial that the resulting hash (?) isn't easy to decrypt. When I read various posts on this matter, some people say it's just to do a reverse on the encrypted string, so that in effect, this is totally useless.
I need to store passwords provided by the user. Yes, passwords. I could not use Hashes because I need to supply the password to another external service for authentication, and therefore I need to have the password.
What is the best and most secure way to store the passwords? As the external data provides private data it is of course very important that the password in my MS SQL DB is stored as safe as possible.
I'm looking to create my application as secure as possible. Now I have following line of code:
As you can see, my password is in plain-text in the code. Now, I presume it's easy to decompile a code using a tool and getting your hands on the password. Since these are my AD Admin-credentials this is not that good.The AuthenticationTypes are secure, I think. They encrypt the data before sending it to the network.So there's just the problem of the plain-text password. I've searched for it on Google but can't find the proper solution. I've found alot about encrypting passwords in the web.config.
I've created a website with users and passwords and such for authentication.When a user is created through the "administer website" function of asp.net 4.0 where are the passwords stored? Is there a way to manually change passwords in the database?
I'm teaching myself ASP.net. I'm creating an application that needs to store sensitive data. So, I found the following Blog to encrypt and decrypt data.
I'm sure it's my app, but I wanted to make sure I'm not missing anything obvious. For some reason, my app and Encryptor only works when I pass < then 7 characters. If a pass 8, it doesn't commit to the database. If I remove Encryptor, the app will store
Ok this one might be a bit tough to figure out, but each day when users open their application the following error is generated and they can not enter the application: "Failed to decrypt using provider 'EncryptionProvider'. Error message from the provider: The RSA key container could not be opened." Guess what fixes it... I have to open the application 1 time and then all of the users can being to open the application. This is not an issue with the encryption/decryption of the .config never having worked; it works just fine - but not all of the time. It sounds like a permissions issue to me, like me opening the app grants access to the key file for a time period, and the next day the issue starts all over again. Here is what I have already done (actually when I set up encryption originally), as the many, many posts with this issue are resolved with, but none have worked:
- aspnet_regiis -pa "MyWebKeys" "NT AuthorityNETWORK SERVICE" - aspnet_regiis -pa "MyWebKeys" "ASPNET" - Gave ASPNET account read access to "C:Documents and SettingsAll UsersApplication DataMicrosoftCryptoRSAMachineKeys" folder - Gave NETWORK SERVICE account read access to "C:Documents and SettingsAll UsersApplication DataMicrosoftCryptoRSAMachineKeys" folder
I did not do the following, since I am not using the deafult machinekeys, but rather the imported "MyWebKeys" container
"MyWebKeys" are an imported key container on the server, that upon importing reside in the default "C:Documents and SettingsAll UsersApplication DataMicrosoftCryptoRSAMachineKeys" directory. So it appears I have covered everything, right? What am I missing? Do I have to add individual users or groups with the pa command that use my application to allow access to the container? Remember the encryption/decryption does work 95% of the time. It just seems that each day in the morning, I must open the app once prior to the users being able to open the application, which tells me it is a permissions issue because I am an Admin on the server and they are not, but I thought all of this runs under the NETWORK SERVICE account anyways?)
Due to a bug in Flash, I have to use the ASPXAuth cookie to log a user in on a page that a flash upload script calls after upload. See this page for more information: [URL]
I have to make the ASPXAUTH string "public" in the sense that it will be in the HTML of the page. My question is, how secure is this?
I understand that anyone that can get to the string in the HTML can probably get to it from the cookie just as easily, but let's say someone does have this ASPXAUTH string. Is it possible that they can login as another user using this cookie? Would they be able to decrypt it?
I'm trying to find out how i store user names and passwords in the web.config file. I have tried looking for documentation on this but haven't found any so far.
I see in the class library it says that the Authenticate method of the FormsAuthentication class is for use in authenticating credentials against those stored in the config file, but i don't know how to store them there to begin with. I want to store two username:password pairs in the web.config file preferably encrypted.
one of these username:password pairs i want to be hard coded. The other i want to be able to be reset with a password reset form which I will code later. I guess there maybe a method for creating a sername:password entry in the web.config which could be used with my password reset form if such a method exists. But I need to know how to hand code the username:password entries into the web.config file to begin with and to beable to create the hard coded pair.
code I need to add to my web.config file i need to add and in what section?
also can you point me in the direction of a method used for creating username:password entries in web.config
I setup a website to use hashed passwords with the membership provided by Asp.net. I'm looking for a way to convert all passwords to clear text. Hashed passwords are overkill for this site and many users can't figure out how to cut and paste the complex temporary password when they request a forgotten password. I understand that you can't retrieve a hashed password.