aspnet_membership Membership Passwords Decryption

Question
-
User951610054 posted
Hi guys,
Is it possible to decrypt or view userids and passwords that are stored in encrypted format in the aspnet_membership table? If so, could you please let me know how?
Many thanks,
Zee
Tuesday, March 27, 2007 12:13 AM
Answers
-
User961349301 posted
You can get the password if you know the answer to the password. In that case you can use the Membership.GetPassword method. If you have disabled the question/answer, you don't need to provide the answer. But if customer service should send the customers information with a password, the information is not encrypted, and do you need to have it encrypted in that case? I mean, if customer service can get the password, almost everyone that has access to the data source can get it (but I think you have protected the data source in a good way, so only some users have access to it).
One solution I use when I store a password is to encrypt it (even hash it, to make it impossible to decrypt the password). I only do this so the customer can be safe and know that no one (and I mean no one) can get the password they enter. Instead they need to request a new e-mail, and in that case I reset the old password and give them a new one (they will have the possibility to change this password, of course). If I want the customers to be able to get the password they entered (for example, they forgot what password they use), I should use encryption and the PasswordRecovery control shipped with ASP.NET 2.0 (in that case, I can't see the password, but the customers can get it by e-mail etc.).
The following solution can work to encrypt the password: if you create your own MembershipProvider, you can add your own method to un-encode a password. This method can make a call to DecryptPassword (a protected method located in the MembershipProvider class). Make sure to pass the password from the database by first calling Convert.FromBase64String, for example:
// pass is the Base64 string read from the database
byte[] encodedPassword = Convert.FromBase64String(pass);
byte[] bytes = this.DecryptPassword(encodedPassword);
Then you can call the Encoding.Unicode.GetString method if you need to do that for your password.
Note: I haven't tried this, but it may work.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Tuesday, March 27, 2007 9:46 AM
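The answer's distinction between encrypted (recoverable) and hashed (reset-only) storage corresponds to SqlMembershipProvider settings in web.config. The fragment below is an added example, not part of the original posts; the provider names and the connection string name AppDb are placeholders.

```xml
<!-- Added example: membership section of web.config.
     "EncryptedSqlProvider", "HashedSqlProvider" and "AppDb" are placeholder names. -->
<configuration>
  <system.web>
    <membership defaultProvider="HashedSqlProvider">
      <providers>
        <clear />

        <!-- Reversible storage: the password is encrypted with the machineKey,
             so GetPassword can return it to anyone able to call the provider.
             This format requires an explicit (non-autogenerated) machineKey. -->
        <add name="EncryptedSqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AppDb"
             applicationName="/"
             passwordFormat="Encrypted"
             enablePasswordRetrieval="true"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true" />

        <!-- One-way storage: only a salted hash is kept, so nobody,
             including support staff and database administrators, can read
             the password back. Retrieval must be disabled; the provider
             rejects passwordFormat="Hashed" combined with
             enablePasswordRetrieval="true" at initialization. -->
        <add name="HashedSqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AppDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

With the hashed provider as the default, a support workflow uses MembershipUser.ResetPassword to issue a new password instead of GetPassword to read the old one, which is the reset-by-e-mail approach the answer describes.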
All replies
-
User961349301 posted
If you use the MembershipUser class GetPassword method, you can get an encrypted password.
Edit: But you need to know the user's passwordAnswer if you have enabled the password answer feature.
The reason why encryption is possible is, for example, to make sure and make it fair for the users that no one can see what password they use, not even you, and the user can only change the password. If you want to see the password, don't use encryption. But I don't think a user would like to store a password that can be readable by others, at least I shouldn't ;)
Tuesday, March 27, 2007 12:59 AM -
User951610054 posted
Thanks Fredrik,
Is there no way to keep the encryption yet have some method that could decrypt the strings? Scenarios like customer services, I think it would be useful for a customer services representative to have a bird's eye view of customer information like login details (which are encrypted) and address etc. Therefore, I'm trying to come up with a page that inputs a userid and returns back all details taken at the time of registration (password, secret question/answer, email address etc.).
Any thoughts on this?
Tuesday, March 27, 2007 9:23 AM -
User951610054 posted
Thanks once again mate.
I'll try giving Membership Provider a shot.
rgds
zee
Tuesday, March 27, 2007 11:08 AM