How? Encrypt and Decrypt user membership passwords in ASP.NET

Backend | Unresolved | 4 answers | 585

Asked by 名媛妹妹, 2021-01-05 05:17

We are creating a new site using ASP.NET membership provider for user registration and log in. Our old system encrypted user passwords so that we could recover them if we ne

4 answers
  • 2021-01-05 05:53

    I assume you are using the SQLMembershipProvider that MS supplies. If so, then why not use the built-in question and answer functionality to allow the user to reset their password. Alternatively (or additionally) reset their password for them and email the new one to them. This way your app can't expose a user's password to anyone accidentally.

    If you really need to decrypt their passwords then the passwordFormat must be set to "Encrypted". See DecryptPassword for information on decrypting the password. For details on how to configure for decryption see the PasswordFormat, note that it says you must specify the decryptionKey attribute of the machineKey element.

  • 2021-01-05 05:55

    You need to use passwordFormat="Encrypted" rather than passwordFormat="Hashed". Then you can use the DecryptPassword method of the MembershipProvider to decrypt the password when necessary.

  • 2021-01-05 06:09
    Imports System.Web.Security
    
    ' Subclassing SqlMembershipProvider is required because DecryptPassword is a
    ' protected member of MembershipProvider and cannot be called from outside.
    ' The provider must be configured with passwordFormat="Encrypted" and an
    ' explicit decryptionKey on <machineKey>, otherwise DecryptPassword fails.
    Public Class PasswordRecovery
        Inherits SqlMembershipProvider
    
        ' Takes the Base64 string the provider stores in the membership database
        ' and returns the clear-text password.
        Public Function GetDecryptedPassword(ByVal password As String) As String
            Try
                ' The stored value is the Base64 encoding of the encrypted blob.
                Dim _encodedPassword() As Byte = Convert.FromBase64String(password)
                Dim _bytes() As Byte = DecryptPassword(_encodedPassword)
                If _bytes Is Nothing Then
                    Return ""
                Else
                    ' The provider prepends a 16-byte (&H10) salt to the UTF-16
                    ' password bytes before encrypting, so skip it when decoding.
                    Return System.Text.Encoding.Unicode.GetString(_bytes, &H10, _bytes.Length - &H10)
                End If
            Catch ex As Exception
                Throw New Exception("Error decrypting password.", ex)
            End Try
        End Function
    End Class
    
  • 2021-01-05 06:10

    Storing passwords in recoverable format is a very poor idea. If you can recover them so can anyone who breaks into your server.

    You're better off using a standard hash+salt approach and having a password reset mechanism to handle the case where users forget their password.

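The two configurations the answers above talk about, side by side, as an added web.config example (not code from the question or any of the answers): the first provider entry is the recoverable "Encrypted" format that the first two answers describe, which only works when `<machineKey>` carries an explicit `decryptionKey`; the second is the irreversible "Hashed" format the last answer recommends, where retrieval is turned off and the user goes through a reset instead. The connection string, provider names and key values are placeholders chosen for the example.

```xml
<configuration>
  <connectionStrings>
    <!-- Placeholder connection string; point it at your own membership database -->
    <add name="MembershipDb"
         connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- Placeholder keys: generate real random hex values and keep them out of source control.
         An explicit decryptionKey is what DecryptPassword relies on; with autogenerated keys
         the encrypted passwords become unrecoverable as soon as the site moves to another server. -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS"
                validation="SHA1"
                decryption="AES" />

    <!-- Default to the hashed provider; switch to EncryptedProvider only if retrieval is truly required -->
    <membership defaultProvider="HashedProvider">
      <providers>
        <clear />

        <!-- Recoverable storage, as the first two answers describe.
             enablePasswordRetrieval="true" is only legal with passwordFormat="Encrypted" (or "Clear"). -->
        <add name="EncryptedProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             passwordFormat="Encrypted"
             enablePasswordRetrieval="true"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true" />

        <!-- Irreversible storage, as the last answer recommends: the provider stores a salted hash,
             so retrieval must be disabled and users recover access through a reset. -->
        <add name="HashedProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

One check worth running before deploying: the provider refuses to start if `enablePasswordRetrieval="true"` is combined with `passwordFormat="Hashed"`, which is a useful safeguard against accidentally reintroducing recoverability, and the `PasswordRecovery` class in the answer above will only return anything for rows that were written while the provider was in the "Encrypted" format.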