Security :: Reset Passwords / Create User / Recover Passwords On An Intranet

Aug 4, 2010

My issue today is that i have a MySQL Database and am using the security framework provided by the ASP.NET Membership and Role Providers...I override the default methods with my own MySQL.

Now the issue comes in when i someone would like to have their password reset. My application is running entirely on an Intranet so i cannot have their passwords emailed to them. Is there a way i can have this information displayed in any way so that the user can use it to Log Reset, Create Accounts or Recover their lost passwords on an intranet without the administrators intervention?

Recently i had an approach as follows. In my web.config<system.net><mailSettings><smtp deliveryMethod="pickupDirectoryLocation" and my location was a folder on C drive as c:/SavedPasswords. Now i understand this was such a big security threat and thats why i am looking for a better option.

I would have that folder created using my System.IO and then the Mail is dropped into that folder. Then after the process is successful, i tell the user to check into that location and Read its content.

Then there is a global variable that is set to true...meaning that the folder at c:/ has been created. then there is a Method in a certain class that once it sees this variable True, it reads the readers c:/ and deletes that folder "save" if it exists;

View 2 Replies


Similar Messages:

Security :: Change Existing Clear Passwords To Encrypted Passwords?

Aug 4, 2010

I have a small database, with a very small number of users. The passwords were stored as clear as the database was so small and held no sensitive data. The database is now to be expanded and passwords are required to be encrypted. I can change the Password Format in the web.config, but is there a way to change the existing passwords from clear to encrypted?

View 1 Replies

Validating User Oracle Passwords For Reset Application

Mar 2, 2010

This is a mix of programming and sysadmin but I decided its more of a programming issue.

Currently working building a password management web application for managing Oracle user accounts (C#).

The scope calls for verification of the users Oracle username and password before they're allowed to set a new password. Without creating a table of users passwords (hashed or otherwise, this is a security risk), how can I verify the old users password?

My current solution is to make an attempt to connect to the database using the username/password specified by the user. Too many attempts at this would lock the user out on the Oracle end, so brute forcing isn't too plausible. Are there other security risks here I am missing or is there a better way of handling this?

We use AD as primary authentication but the AD accounts aren't tied to the Oracle accounts so it's just a preliminary check.

AD Check for proper domain (intranet) User enters Oracle Username/Password Enters old Password, new Password + Confirmation Reset password if correct

View 3 Replies

Web Forms :: Enable Users Recover Password If Forget Passwords In Web Application

Aug 21, 2012

according to this thread i make login page URL....i have 1 label   1radiobutton and 1 send button now i want when users enter their password,if they enter their password  wrong morethan 3 time it show error that they can't login during 24 hours ,and they cann't enter password in password  textbox . and when they  click on radio button and click on send button it send a massage to my email and after i send them new password 

View 1 Replies

Security :: How To Store User Names And Passwords In Web.config

Mar 8, 2010

I'm trying to find out how i store user names and passwords in the web.config file. I have tried looking for documentation on this but haven't found any so far.

I see in the class library it says that the Authenticate method of the FormsAuthentication class is for use in authenticating credentials against those stored in the config file, but i don't know how to store them there to begin with. I want to store two username:password pairs in the web.config file preferably encrypted.

one of these username:password pairs i want to be hard coded. The other i want to be able to be reset with a password reset form which I will code later. I guess there maybe a method for creating a sername:password entry in the web.config which could be used with my password reset form if such a method exists. But I need to know how to hand code the username:password entries into the web.config file to begin with and to beable to create the hard coded pair.

code I need to add to my web.config file i need to add and in what section?

also can you point me in the direction of a method used for creating username:password entries in web.config

View 6 Replies

Security :: Which Is The Latest Encryption For Passwords

Feb 3, 2010

I am trying to encrypt my passwords and store in database..i want to know which is the latest one..

View 2 Replies

Security :: How To Change Users Passwords

Mar 7, 2010

I have been trying to change a users password, I have been using this code

[Code]....

I do not get an error during the try routine, but my problem comes that when the user goes it insert their new password (using login Control) it says that the password is wrong.. and they then can't login using either their new or old password.

All Password critria is met, web.config if set so passswordQuestion = false

View 7 Replies

Security :: How To Decrypt SHA1 Passwords

May 2, 2010

I have an asp.net page where I have used FormsAuthentication.HashPasswordForStoringInConfigFile. Encrypted password is saved in database. I have created a forgotPassword page. Where I need to send user his password. How can I decrypt it and send it to user. if SHA1 can not be decryoted what other option should I use to encrypt the passwords?

View 5 Replies

Security :: Encrypting Passwords On Client?

Nov 1, 2010

I want the login password to not be sent in plaintext (due to the risk of hijacking). I know that this can be achieved in principle using MD5 or the like, but is there a common implementation for use with Asp.Net? Of course, it's crucial that the resulting hash (?) isn't easy to decrypt. When I read various posts on this matter, some people say it's just to do a reverse on the encrypted string, so that in effect, this is totally useless.

View 6 Replies

Security :: Prevent Past Passwords From Being Used?

Jul 12, 2010

I have to make changes to some existing web applications at work to bring them inline with a new security policy.

I am using the framework 3.5 and am using the standard sql membership provider for user authentication.

When a user is changing his password, I want to prevent him using previously used passwords. What is the best and easiest way to go about this?

I was thinking a SQL table with the following columns, my problem was do I handle encryption here as they are old?

dbo.OldUserPasswords
UserID, GUID, NOT NULL, FK Reference to aspnet_Users.
Password, nvarchar(256) NOT NULL,
Timestamp, timestamp, NOT NULL

View 5 Replies

Security :: Is There A In Built Function To Hash Passwords

Apr 22, 2010

Is there a in built function in ASP.NET to hash passwords??

View 5 Replies

Security :: Best Way To Store Passwords In MS SQL 2005/2008?

Feb 1, 2011

I need to store passwords provided by the user. Yes, passwords. I could not use Hashes because I need to supply the password to another external service for authentication, and therefore I need to have the password.

What is the best and most secure way to store the passwords? As the external data provides private data it is of course very important that the password in my MS SQL DB is stored as safe as possible.

View 5 Replies

Security :: Embedding Plain-text Passwords?

Nov 19, 2010

I'm looking to create my application as secure as possible. Now I have following line of code:

[Code]....

As you can see, my password is in plain-text in the code. Now, I presume it's easy to decompile a code using a tool and getting your hands on the password. Since these are my AD Admin-credentials this is not that good.The AuthenticationTypes are secure, I think. They encrypt the data before sending it to the network.So there's just the problem of the plain-text password. I've searched for it on Google but can't find the proper solution. I've found alot about encrypting passwords in the web.config.

View 2 Replies

Security :: Website With Users And Passwords And Such For Authentication?

Dec 14, 2010

I've created a website with users and passwords and such for authentication.When a user is created through the "administer website" function of asp.net 4.0 where are the passwords stored? Is there a way to manually change passwords in the database?

View 3 Replies

WebMatrix :: Encrypting Passwords When Registering A New User?

Mar 9, 2011

I seem to be having some difficulty working out how to encrypt the user's password at the time they register for an account. To ensure that I am storing the password securely, I would like to be able to encrypt the password before it is inserted into the database.

When the user logs in I can then encrypt their password at log in time and compare this to the encrypted password in the database, meaning that the password in the database never needs decrpyting.

View 2 Replies

Security :: How To Change Hashed Passwords To Clear Text

Jan 3, 2010

I setup a website to use hashed passwords with the membership provided by Asp.net. I'm looking for a way to convert all passwords to clear text. Hashed passwords are overkill for this site and many users can't figure out how to cut and paste the complex temporary password when they request a forgotten password. I understand that you can't retrieve a hashed password.

<membership defaultProvider="CustomizedProvider" userIsOnlineTimeWindow="15">
<providers>
<clear/>
<add name="CustomizedProvider"
type="System.Web.Security.SqlMembershipProvider"
applicationName="MyApplication"
connectionStringName="MyConnString"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
requiresUniqueEmail="false"
passwordFormat="Hashed"
minRequiredPasswordLength="5"
minRequiredNonalphanumericCharacters="0"/>
</providers>
</membership>

View 4 Replies

Security :: Encrypting Passwords With T-SQL That Will Be Decrypted By Asp.net Membership Provider

Mar 4, 2011

I have been killing myself over this for a couple weeks now and cannot find a viable solution. Here's my scenario:

I have a DTSX package that imports user data from an external database. It then creates user accounts and profiles in the local database. Users can also be created via a custom ASP.NET Membership Provider. The provider must be able to authenticate both types of users.

This was all fine and dandy during development because passwords were stored as clear text. However, now that we're ready for release the passwords format of the provider must be set to encrypted and so the users created via the DTSX must be created with an encrypted password. (I'd prefer the passwords were hashed but the client's requirements are that passwords be recoverable). The real problem seems to be creating an encrypted password within the DTSX that will be decryptable by the ASP.NET Membership Provider.

My original solution was to have the DTSX call a CLR stored procedure that had access to the same encryption logic as the provider. I got it working but our client wouldn't enable CLR integration. So that's out the window. Now I'm investigating alternatives. One alternative is to simply use the built-in encryption methods of T-SQL. But how do I share the keys used for the encryption/decryption?

My question is, is it possible to generate a password in T-SQL, say using EncryptByKey, that will also be decryptable by my provider? This means that the key in SQL must match the key in my machineKey configuration.

View 2 Replies

Security :: Sending Passwords By Email Security Threat?

Nov 4, 2010

Having spent considerable amount of time in ASP.NET security community I would like to share this.

There are three ways of resetting and changing passwords explained at

Microsoft ASP.NET site[URL]

Step 1: Helping Users Recover Lost Passwords
Step 2: Changing Passwords
Step 3: Allowing Administrators to Change Users' Passwords

In step 1 and step 2 end user passwords are sent by an email.

In Step 3: functionality is explained where administror changing the password and sending through email msg. refer "I encourage those readers interested in this functionality to become more familiar with the code and try extending the functionality to include sending an email to the user whose password was changed. Query

Is Sending passwords by emial secure enough or best security password at all? I have implemented functionality where Admin sending passwords to end users by changing once in 3 months. End users expressed their views that sending passwords by email is not secure. When there is security threat in sending passwords by email, Microsoft security experts should not emailing passwords in above mentioned article, which is still up to date.

View 5 Replies

C# - Microsoft .net Security Warning : Never Enter Personal Information Or Passwords - How To Fix It

Oct 28, 2010

So I have an ASP.net application, with an ActiveX Control which brings up a pop up

When I point to the application directly through IP there is no problem with the pop up eg. xxx.xxx.xxx.xxx/MyApp (under Default Website in the IIS -- IIS 7) Problem arises when I set up the IIS to point it to a domain [URL] which points to the above IP (under another "Site" i.e. not the "Default Site in IIS 7)

I then get this weird

Microsoft .net Security Warning Never enter personal information or passwords into a window unless you can verify and trust the source of the request.

Source: [URL]

The site is in the trusted list -- just like when I was using the IP only . Is there any setting in the IIS I need to tweak for IE to trust me fully.

View 2 Replies

Security :: Password Recovery Control Sends Wrong Passwords?

Feb 18, 2011

I use password recovery control for testing purposes. Passwords are stored in the database as hashed format.

Control can successfully send email to user but password always wrong. whats wrong here?

[Code]....

View 2 Replies

Security :: ClearText / Encryption / Hashing Passwords & Other Password Formatted Values?

Feb 8, 2010

Before I continue I'm going to let everybody know that I am not trying to follow a traditional .Net Membership Provider. I'm attemping to write my own Membership Provider which does not extend the default .Net Membership Provider b/c I feel that in areas it can become extremely cumbersome. Please keep this in mind before responding. Also keep in mind that I am trying to learn from this experience, not find an easy solution for some client's application.I am writing a custom membership provider that has password formatting functionality similar to .Net's default membership provider. I'm looking for soe good/easy examples of ways to encrypt/decrypt or hash password values. I previously tried going the RSA route, but got stuck when I had to Import an RSAParameter and was unsure of how to generate a RSAParameter.

I would like to have both Hashing and Encryption available, but only need Encryption. I'm also looking for a very strong encryption. I'm storing the password format in an external .xml file (similar to how the web.config stores the password format for .Net's Membership Provider) which will become manageable from the administrative side of my webapplication.If anybody knows of any existing Encryption libraries that may provide assistance, please feel free to post links. I only ask that they be open source solutions so I can see how they went about doing this.

View 4 Replies

Security :: Want To Enforce Strong Passwords And Do Not Want To Use The Secret Question And Answer Features?

Sep 17, 2010

I have a website running on iis 5.1 with asp.net 2.0. Where in the windows registry can I change the requirtements for some the security features? For example, I do not want to enforce strong passwords and I do not want to use the secret question and answer features.

View 4 Replies

C# - Import MD5 Passwords From A PHP App?

Oct 21, 2010

So I'm in the process of writing an ASP.NET application that requires to import users from a PHP application. The passwords were hashed using MD5 into the database, so the user table records looks more or less like this:

user Password
user1 827ccb0eea8a706c4c34a16891f84e7b
user2 e10adc3949ba59abbe56e057f20f883e

And so on. I have access to the PHP source code and I can see that there is no salt or anything else, it is juts a straight MD5 application. Now, Back on my ASP.NET, I tried to use MD5 using the following logic:

[Code]....

Problem is, that is returning strings like 50-F8-4D-AF-3A-6D-FD-6A-9F-20-C9-F8-EF-42-89-42, which of course is not going to match with the information in the database. What should I do so I don't have to reset 500+ user passwords?

View 2 Replies

Encrypting Existing Passwords?

Aug 5, 2010

found while searching for help on my asp.net application.I have a small application with connected to a SQL database. As it was so small, and contained very little data of any importance, i had set it up with Clear passwords.Now i have been asked to expand the database considerably, and encrypted passwords are now required. I can easily modify the web.config so all future users are set up with encrypted passwords. But is there any way to change all existing users passwords to be stored encrypted?

View 10 Replies

Hashing Vs. Encrypting Passwords?

Feb 9, 2011

I'm using ASP.NET membership for a site that will serve primarily sophisticated users. I understand the difference between hashed and encrypted passwords, and I'm trying to decide between the two.After my last client complained bitterly about hashed passwords being a total PITA, I've started to favor encrypted passwords. But someone suggested this just isn't secure enough.So my question is: What, exactly are the risks of encrypting passwords? Any person with the ability to steal passwords by decrypting them from the database would surely have the ability to reset them if they were hashed, no? I'm having trouble seeing where someone could cause trouble with encrypted passwords but couldn't with hashed ones. Making it convenient for users is also important.

View 4 Replies







Copyrights 2005-15 www.BigResource.com, All rights reserved