Decrypt user password in ASP.Net SqlMembershipProvider

As hashing is a one-way operation, then any code which attempts to decrypt the user's password will fail. On occasion such code can exist for legitimate purposes such as validating if the user is providing their current password, however this cannot be supported in 7.1.0 and above. Nov 25, 2017  Here I’m going to assume we are talking about a password in storage in a database, not one in transit which comes down to how to intercept any encrypted information in transit. The first actual question is the password encrypted or hashed, there i.

In this post I will discuss decoding of encrypted passwords in ASP.Net SqlMembershipProvider table. Thisdiscussion will help answer to questions as follows:

• How to decrypt passwords stored database created by SqlMembershipProvider?
• How to decrypt passwords in DNN (Dotnetnuke)?
• How to extend a memebership provider object?
• And more questions related to ASP.Net membership provoider using Sql database..

If you are using Microsoft provider SqlMembershipProvider in DNN or any other ASP.Net application,look in the database and you will find a table aspnet_Membership. This is wherepasswords are stored. Depending on how you configured your membership provider, these passwordsmay already be in clear text. This behavior is controlled by an attribute in definition ofmembership provider in config file of your application.

There is PasswordFormat field in the database table as well. That means handlingof password values depends very heavily of this value. If your passwords are encrypted, thenthe value of this field is set to 2.

Algorithm for encrypt and decrypt of password

Next you need to know what algorithm and key is used to encrypt and decrypt the password. Defaultimplementation of Membership provider picks up these values from machineKeysettings from your config file. So in your config file under system.web youwill notice an entry like:

This is where your algorithm and keys are defined. And this is what default implementation ofSqlMembershipProvider uses.

How to decrypt password?

MembershipProvider class has DecryptPassword and EncryptPassword methods that are used by SqlMembershipProvider. When I started researching this topic, I found suggestions oncreating a new class that inherits from MembershipProvider class and then call DecryptPasswordmethod to do the job. Well I did try that approach and it did not work. I always ended up with followingexception.

After looking through the code in reflector, I saw that Microsoft providers decrypts in two steps.The encrypted password is actually a Base64 conversion of encrypted data. So first it converts itback from Base64 and then calls DecryptPassword method. I just did the easiest thing. Copied the codefrom Microsoft implementation, removed all the checks it was doing and then used it. Followingclass is an example of a class derived form SqlMembershipProvider with a method that justreturns me password in clear text for a given encrypted password.

Configuration of your recovery application

If you are putting this password decryption code in a separate application, then you have toensure the following things.

• Create machineKey section in your configuration file under system.web section.It does not matter if you are creating a web application or console application, you alwayshave a application configuration file you can create this entry.
• You do not have to add an entry for SqlMembershipProvider in configuration file for recoveryof the password. But it is good idea to that you copy the same settings from web application intoyour password decryption application as well.

Here is how app.config file looks in my sample console application. You cansee that I do not need a web application to include system.web section in my consoleapplication.

Weather

There are three password formats in DNN. Clear; Hashed; Encrypted; The PassworFormat property indicates how password is stored in database. Clear indicates that password is stored in plain text. No encryption is done. Hashed passwords are hashed using one way hashing algorithm. It means once the data is encrypted, you can not decrypt it. Encrypted password are encrypted and stored in database. These passwords can also be decrypted. How does DotNetNuke Hash Its Passwords? DNN uses the SqlMembershipProvider class. You can use that to decrypt the password.

Browse Categories Knowledge Essentials - 3Essentials Hosting Reset DNN host password Article ID: 376 How do I reset my DotNetNuke host 'superuser' password? If you lost the password of the host 'superuser' account (and you cannot request the host password by email), the following solution will help: For DNN 3 and DNN 4 installations: Please note, that you need direct access to the database: 1. Go to Register a new user on your DotNetNuke Site.

If 'Register' is not displayed for the portal, go to table 'Portals' in your database and enter value '2' into column 'UserRegistration'. Create a new user account by registration (please remember the password you enter!) 3. Go to database, and find and enter the table 'ASPNet_Membership' 4. Go to new user account (usually the last one) and copy the encrypted values of columns 'Password' and 'PasswordSalt' into the same columns of user account 'host' (usually the first entry in this table) 5. Login as user 'host' using the new password and delete the newly created other user.

For DNN 5 or DNN 6 installations: Note: This soultion is from the Twentytech.net blog: It is possible to recover your DNN host password if you have access to upload files to the site. This can be done either via FTP or through the Plesk file manager. You should place this into a new.aspx file that you upload to the DNN root directory, perhaps naming it something like recoverpassword.aspx. Now visit that page on the site with your browser. It should show you your DNN host password. IMPORTANT NOTE: YOU MUST REMOVE THIS FILE FROM YOUR SITE! If you don't, then other people will be able to easily access your host password.

Coleman powermate 5000 generator. DescriptionThe Champion Power Equipment 1-Watt Portable Generator is the perfect combination of versatility and convenience.

Recently I needed to decrypt a DotNetNuke password for a website I manage. After looking around the internet and using bits and pieces of code and tips I.

This solution does not work on all DNN 5.x, 6. Linksys Wrt54gc Ver 2.0 Firmware Update. x and 7.x versions. If you find it does not work on your DNN installation, use the steps outlined for DNN 3 and 4 installations, which should work on all versions (they are just slightly more complicated). Downloads Associated With This Article No downloads are currently associated with this article.