update sqlMembershipProvider password recovery

  • Question

  • User-579688761 posted

    I'm trying to update the SqlMembershipProvider to provide a more secure and simpler recovery option. The SQL membership provider has to be used, as we have a database with thousands of users.

    I trap when failedPasswordAttempts > 3 and then generate a GUID, which I store with the username for 24 hours (this has been tested and works). An email is sent to the user with a link to the site and the GUID as a parameter (this has been tested and works). I then look up the username and ID from the link (this has been tested and works). I then use the lookup to try to call aspnet_Membership_SetPassword to reset the password. I use the following functions to generate the hashed and salted password:

    Imports System.Security.Cryptography
    Imports System.Web.Security

    ' Generates a random 32-byte salt and returns it base64-encoded.
    Public Shared Function CreateSalt() As String
        Using rng As New RNGCryptoServiceProvider()
            Dim buff As Byte() = New Byte(31) {}
            rng.GetBytes(buff)
            Return Convert.ToBase64String(buff)
        End Using
    End Function

    ' Concatenates password and salt as one string and hashes it with the named
    ' algorithm via FormsAuthentication, which returns an upper-case hex string.
    Public Shared Function CreatePasswordHash(password As String, saltkey As String,
                                              Optional passwordFormat As String = "SHA1") As String
        If String.IsNullOrEmpty(passwordFormat) Then
            passwordFormat = "SHA1"
        End If
        Dim saltAndPassword As String = String.Concat(password, saltkey)
        Dim hashedPassword As String = FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPassword, passwordFormat)
        Return hashedPassword
    End Function

    and

    Dim salt As String = Tools.CreateSalt()
    Dim hash As String = Tools.CreatePasswordHash(password, salt)

    ' aspnet_Membership_SetPassword(@ApplicationName, @UserName, @NewPassword,
    ' @PasswordSalt, @CurrentTimeUtc, @PasswordFormat); PasswordFormat 1 = Hashed.
    ' The stored procedure expects a UTC timestamp.
    Dim ret = mdb.aspnet_Membership_SetPassword("/", sUserName, hash, salt, DateTime.UtcNow, 1)

    to reset, but it fails. I discovered the trap of clear password storage, but I think there is something wrong with how I'm generating the hash and salt. Help appreciated, as this seems a secure and elegant way of resetting forgotten passwords.

    Friday, October 31, 2014 12:53 PM
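A reference implementation of the format the provider actually stores makes it possible to check a generated hash/salt pair offline before calling aspnet_Membership_SetPassword. The following Python is an added example, not code from the original post or from the SqlMembershipProvider itself. It reproduces the provider's hashed-password scheme for passwordFormat = 1 with the default, non-keyed hashAlgorithmType (SHA1): the salt is 16 random bytes, base64-encoded, and the stored value is base64(SHA1(saltBytes || UTF-16LE(password))). Beside it, for comparison, is the value the posted VB helper produces (FormsAuthentication.HashPasswordForStoringInConfigFile over the UTF-8 bytes of password + salt, returned as upper-case hex). TEST_PASSWORD and TEST_SALT are constructed test values, and the function names are this example's own.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Constructed test values for this example; neither comes from the original post.
TEST_PASSWORD = "Correct Horse Battery Staple!"
TEST_SALT = base64.b64encode(bytes(range(16))).decode("ascii")  # fixed 16-byte salt


def generate_salt() -> str:
    """Mirror of SqlMembershipProvider.GenerateSalt(): 16 random bytes, base64-encoded."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def encode_password(password: str, salt_b64: str) -> str:
    """Mirror of SqlMembershipProvider.EncodePassword() for passwordFormat = 1 (Hashed)
    with a non-keyed hashAlgorithmType (the default, SHA1).

    The provider builds a single buffer saltBytes || Encoding.Unicode.GetBytes(password)
    (UTF-16LE, no BOM), hashes it, and stores the digest base64-encoded.
    """
    salt_bytes = base64.b64decode(salt_b64)
    pw_bytes = password.encode("utf-16-le")
    digest = hashlib.sha1(salt_bytes + pw_bytes).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_password(password: str, salt_b64: str, stored_hash: str) -> bool:
    """Login-time check: re-encode with the stored salt and compare to the stored hash."""
    return hmac.compare_digest(encode_password(password, salt_b64), stored_hash)


def forms_auth_style_hash(password: str, salt_b64: str) -> str:
    """The value the posted VB helper produces instead:
    FormsAuthentication.HashPasswordForStoringInConfigFile(password & salt, "SHA1")
    hashes the UTF-8 bytes of the concatenated string and returns upper-case hex.
    """
    return hashlib.sha1((password + salt_b64).encode("utf-8")).hexdigest().upper()


def looks_like_provider_hash(value: str, digest_len: int = 20) -> bool:
    """Sanity check before calling aspnet_Membership_SetPassword: a SHA1 provider hash
    is base64 text that decodes to exactly 20 bytes (pass 16 to check a salt)."""
    try:
        return len(base64.b64decode(value, validate=True)) == digest_len
    except (ValueError, binascii.Error):
        return False


if __name__ == "__main__":
    good = encode_password(TEST_PASSWORD, TEST_SALT)
    bad = forms_auth_style_hash(TEST_PASSWORD, TEST_SALT)
    print("provider format :", good, "accepted:", verify_password(TEST_PASSWORD, TEST_SALT, good))
    print("posted VB format:", bad, "accepted:", verify_password(TEST_PASSWORD, TEST_SALT, bad))
```

In VB.NET the same layout is a byte array holding Convert.FromBase64String(salt) followed by Encoding.Unicode.GetBytes(password) (Buffer.BlockCopy), passed to SHA1.Create().ComputeHash and then Convert.ToBase64String; the salt string handed to aspnet_Membership_SetPassword must be the same base64 string that went into the hash. Two caveats: check the site's effective Membership.HashAlgorithmType first, because a keyed algorithm (for example HMACSHA256) makes the provider derive the HMAC key from the salt bytes and hash only the password bytes, which this function does not model; and this is the provider's storage format, reproduced for compatibility, not a recommendation of salted SHA1 for new designs.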

All replies