How? Encrypt and Decrypt user membership passwords in ASP.NET

8
votes

We are creating a new site using ASP.NET membership provider for user registration and log in. Our old system encrypted user passwords so that we could recover them if we needed to.

I am having a great deal of trouble figuring out if it is possible to use ASP.NET membership functions to simply encrypt the password when the user registers and then unencrypt it so I can see it.

Documentation for this is neigh non-existant.

I know how to configure Web.config to have it store passwords as encrypted ala passwordFormat="Encrypted" in the provider and assigning a validationKey in the machineKey, however it seems like the password still gets hashed (though perhaps it is just well encrypted). Either way I cannot decifer how the password can be recovered (by us) if neccessary.

Thanks!

4
asp.netencryptionasp.net-membership

4 Answers

10
votes

Storing passwords in recoverable format is a very poor idea. If you can recover them so can anyone who breaks into your server.

You're better off using a standard hash+salt approach and having a password reset mechanism to handle the case where users forget their password.

5
votes

You need to use passwordFormat="Encrypted" rather than passwordFormat="Hashed". Then you can use the DecryptPassword method of the MembershipProvider to decrypt the password when necessary.

1
votes
Imports System.Web.Security

Public Class PasswordRecovery
    Inherits SqlMembershipProvider

    Public Function GetDecryptedPassword(ByVal password As String) As String
        Try
            Dim _encodedPassword() As Byte = Convert.FromBase64String(password)
            Dim _bytes() As Byte = DecryptPassword(_encodedPassword)
            If _bytes Is Nothing Then
                Return ""
            Else
                Return System.Text.Encoding.Unicode.GetString(_bytes, &H10, _bytes.Length - &H10)
            End If
        Catch ex As Exception
            Throw New Exception("Error decrypting password.", ex)
        End Try
    End Function
End Class
0
votes

I assume you are using the SQLMembershipProvider that MS supplies. If so then why not use the built-in question and answer functionality to allow the user to reset their password. Alternatively (or additionally) reset their password for them and email the new one to them. This way your app can't expose a users password to anyone accidentally.

If you really need to decrypt their passwords then the passwordFormat must be set to "Encrypted". See DecryptPassword for information on decrypting the password. For details on how to configure for decryption see the PasswordFormat, note that it says you must specify the decryptionKey attribute of the machineKey element.