Webforms change Clear Password to Hashed

  • Question

  • User-1482891610 posted

    Hi

    I have an ASP.NET webforms app (VB.NET) where the password has been stored in Clear format. I want to change this to Hashed but when I change this in the web.config the login does not work. I want to avoid the user having to reset their own password.

    Does anybody have a script that I can run that will change it from Clear to Hashed?

    Many thanks in advance

    Monday, February 3, 2020 1:19 PM

All replies

  • User475983607 posted

    I have an ASP.NET webforms app (VB.NET) where the password has been stored in Clear format. I want to change this to Hashed but when I change this in the web.config the login does not work. I want to avoid the user having to reset their own password.

    This makes sense. When you change the web.config, I assume the membership provider configuration, the provider hashes the user's password input and uses the password hash to look up the user. The hashed password does not match the clear text password stored in the database. You'll need to write code that hashes the passwords in the database using the same algorithm that the provider is using.

    Monday, February 3, 2020 2:27 PM
  • User-1482891610 posted

    Hi

    Thanks for the quick response. I noticed there is a field called PasswordSalt in the aspnet_Membership table. Is this the algorithm that I need to be using?

    Many thanks in advance

    Monday, February 3, 2020 4:14 PM
  • User753101303 posted

    Hi,

    Try perhaps https://docs.microsoft.com/en-us/dotnet/api/system.web.security.membershipprovider.changepassword?view=netframework-4.8

    It should allow you to apply the correct algorithm for you.

    Monday, February 3, 2020 4:26 PM
  • User-1482891610 posted

    Hi, Thanks for sending the link. I looked into this method earlier. But I'm still having issues. I have done the following:

    1) I have stored the Clear password in a separate table (I will delete this after)
    2) I have set passwordFormat to Hashed in the web.config
    3) I have updated the field on the user to have a PasswordFormat = 1 on the aspnet_Membership table
    4) I run the below:

    Dim user As MembershipUser = Membership.GetUser("username")
    user.ChangePassword("clearpasswordfrommytable", "clearpasswordfrommytable")

    But the password is still stored in clear text.  Any ideas?


    Monday, February 3, 2020 5:13 PM
  • User665608656 posted

    Hi BigMeat,

    If you want to use a hash to encrypt the login password, you can use the following settings:

    <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
          <providers>
            <clear/>
            <add
              name="SqlProvider"
              type="System.Web.Security.SqlMembershipProvider"
              connectionStringName="MembershipConnetionString"
              applicationName="Job"
              enablePasswordRetrieval="false"
              enablePasswordReset="true"
              requiresQuestionAndAnswer="true"
              requiresUniqueEmail="true"
              passwordFormat="Hashed" />
          </providers>
        </membership>

    For more details, you could refer to this link:

    How to create a asp.net membership provider hashed password manually?

    One-Way Hashing: Converting and Comparing User Input to the Hashed Value

    Best Regards,

    YongQing.

    Tuesday, February 4, 2020 6:54 AM
  • User753101303 posted

    Could it be that the password is checked for changes? I would try perhaps to change the password to some fixed value and then again to the current clear text password to see if it has an effect.

    Tuesday, February 4, 2020 8:56 AM
  • User-1482891610 posted

    Hi
    I changed the password to something else and it didn't work, so my statement looks like:

    user.ChangePassword("oldpassowrdfromtable", "newvalue")

    But it's still storing the old password

    I noticed that the aspnet_Membership table has a field called PasswordSalt. Is there not an update statement I could write in SQL Server to update the password field using this salt? The salt seems to be unique for each user.

    Many thanks in advance

    Tuesday, February 4, 2020 11:22 AM
  • User753101303 posted

    still storing

    That is? You are using SqlServerMembership and the password column still shows "newvalue"? You changed the SqlServerMembership provider configuration to store hashed passwords rather than clear text password.

    My approach would be something such as:
     doing a copy of the user id, password information
     reconfigure the membership provider for hashed password
     use saved data to change passwords for existing users and then password should be stored as hashed value
     once all is fine I would then drop the user/clear password table used by my migration script

    For now it looks like the membership provider is still configured for clear text password ???

    Tuesday, February 4, 2020 11:37 AM
  • User-1482891610 posted

    Hi Patrice

    I have done exactly as you have suggested but it still doesn't work - I must be missing something. My web.config settings are below:

    <add name="AspNetSqlMembershipProvider"
    type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
    connectionStringName="DefaultConnectionString"
    enablePasswordRetrieval="false"
    enablePasswordReset="true"
    requiresQuestionAndAnswer="false"
    applicationName="MyApp"
    requiresUniqueEmail="true"
    minRequiredPasswordLength="6"
    minRequiredNonalphanumericCharacters="0"
    passwordFormat="Hashed"
    maxInvalidPasswordAttempts="10"
    passwordAttemptWindow="10"
    passwordStrengthRegularExpression="" />

    Tuesday, February 4, 2020 12:34 PM
  • User-943250815 posted

    It should work out of the box, and there is no need to change any field.
    Try to just create a new user, check if given user has access, then change password and check again.
    Here is code I use to Change User Password as Admin.
    First I check if user is LockedOut, ChangePassword does not change if user is locked;
    Since as Admin I don't know old user password, I use ResetPassword as old password in ChangePassword command.

    https://docs.microsoft.com/en-us/dotnet/api/system.web.security.membershipuser.resetpassword?view=netframework-4.8
    ResetPassword = Resets a user's password to a new, automatically generated password.

    Dim User As MembershipUser = Membership.GetUser(UserName)
    If User.IsLockedOut = False Then
        ' Replace the placeholder with the new password to set
        Dim NewPwd As String = "<new password>"
        User.ChangePassword(User.ResetPassword(), NewPwd)
    End If

    Tuesday, February 4, 2020 2:51 PM
  • User-1482891610 posted

    I managed to solve it - the below article has a superb tsql script that does the trick - worked a treat

    https://stackoverflow.com/questions/5033886/generate-asp-net-membership-password-hash-in-pure-t-sql

    Tuesday, February 4, 2020 2:58 PM
  • User753101303 posted

    Ah ok. It seems there is a PasswordFormat column that allows to define the password format for each user. And so the membership level configuration is likely just the default for new users. The main thing is updating as well this PasswordFormat column...

    Tuesday, February 4, 2020 3:16 PM
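
The migration the replies describe (hash the stored passwords the way the provider does, and update the per-user PasswordFormat column), as an added example that is not code from any poster or from the linked article. It assumes the provider's hash algorithm is SHA1 (check hashAlgorithmType in web.config first), in which case SqlMembershipProvider stores Base64(SHA1(salt bytes + UTF-16LE password)); the connection string, the dbo schema and the HashLikeProvider name are hypothetical.

```vb
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography
Imports System.Text

Module ClearToHashedMigration
    ' Assumption: the provider hashes with SHA1 (non-keyed). Verify against
    ' hashAlgorithmType / machineKey in web.config before running.
    Function HashLikeProvider(password As String, saltBase64 As String) As String
        Dim salt As Byte() = Convert.FromBase64String(saltBase64)
        Dim pwd As Byte() = Encoding.Unicode.GetBytes(password) ' UTF-16LE
        Dim buf(salt.Length + pwd.Length - 1) As Byte
        Buffer.BlockCopy(salt, 0, buf, 0, salt.Length)          ' salt first
        Buffer.BlockCopy(pwd, 0, buf, salt.Length, pwd.Length)  ' then password
        Using sha As SHA1 = SHA1.Create()
            Return Convert.ToBase64String(sha.ComputeHash(buf))
        End Using
    End Function

    Sub Main()
        ' Hypothetical connection string; point it at the membership database.
        Using conn As New SqlConnection("Server=.;Database=MyAppDb;Integrated Security=True")
            conn.Open()
            Using tx As SqlTransaction = conn.BeginTransaction()
                ' Only rows still stored as Clear (PasswordFormat = 0).
                Dim clearRows As New DataTable()
                Using sel As New SqlCommand(
                        "SELECT UserId, Password, PasswordSalt " &
                        "FROM dbo.aspnet_Membership WHERE PasswordFormat = 0", conn, tx)
                    Using da As New SqlDataAdapter(sel)
                        da.Fill(clearRows)
                    End Using
                End Using
                For Each row As DataRow In clearRows.Rows
                    Using upd As New SqlCommand(
                            "UPDATE dbo.aspnet_Membership " &
                            "SET Password = @hash, PasswordFormat = 1 " &
                            "WHERE UserId = @id AND PasswordFormat = 0", conn, tx)
                        upd.Parameters.AddWithValue("@hash",
                            HashLikeProvider(CStr(row("Password")), CStr(row("PasswordSalt"))))
                        upd.Parameters.AddWithValue("@id", row("UserId"))
                        upd.ExecuteNonQuery()
                    End Using
                Next
                tx.Commit() ' leaving the Using without Commit rolls everything back
            End Using
        End Using
    End Sub
End Module
```

Run it against a backup first; rows are skipped once PasswordFormat is 1, so a re-run does not hash an existing hash.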