DotNetNuke Support Forums
Password Encryption Process

Tigris, Posts: 25, 08/28/2007 9:21 AM

Hi John,

I wonder if you can clarify for me how the password retrieval/decryption process works.

Could you outline for me what functions/stored procedures are called when a user requests a password reminder and receives the decrypted password ? In other words, how does the password get decrypted? I tried to follow the logic in the 'SendPassword.ascx.vb' control, but the meat of what I see is line 238:

objUser.Membership.Password = UserController.GetPassword(objUser, txtAnswer.Text)

I assume this calls SP aspnet_Membership_GetPassword, which seems to return a password in both decrypted and unencrypted form, depending on what format it is stored in. WHERE is the part where an encrypted password gets decrypted and sent to the user?

John Mitchell, Posts: 3040, 08/28/2007 9:58 AM

The Password is not actually decrypted until it gets back to the application.

Where it actually does the decryption is in the "Black Box" called the membership component which is now part of the ASP.Net framework. System.Web.Security.MembershipUser is the class. This class is "plugged in" as the Membership provider for DotNetNuke by declaring it in the Web.config.

The component in DNN that calls the internal ASP.NET membership class is the UserController, which is what you see being used in the SendPassword function.

So, calling the UserController.GetPassword function is the place where the DNN application gets the decrypted password.

Are you trying to decrypt the passwords of several users at one time? If so, then you just need to create a loop that passes a userinfo object for each user into the UserController.GetPassword function.

Tigris, Posts: 25, 08/28/2007 10:10 AM

Ultimately, what I am trying to do is pass in a username and a custom profile value which together uniquely identify a user, and with that username, retrieve the user's password, so that I can next auto-authenticate the user. It looks like in order to authenticate a user, I need the password.

When I run the stored procedure, aspnet_Membership_GetPassword, it returns a password in either encrypted or decrypted form, depending on what format it is stored in. If it is encrypted, I am assuming that any attempt to auto-authenticate will fail. Thus, I am trying to figure out how I can get the decrypted value of a password in my code.

Tigris, Posts: 25, 08/28/2007 10:37 AM

After looking at the GetPassword() method in System.Web.Security.MembershipUser, I will try to get the user u with the username, and then try something like u.GetPassword() and see what happens.

John Mitchell, Posts: 3040, 08/28/2007 10:52 AM

That should work. Be careful if you are trying to work around the built-in validation methods though. You may open up a security hole.

Tigris, Posts: 25, 08/28/2007 10:57 AM

Ok, thanks John.

I do have one more question related to this topic.

Some time ago I followed your suggestion at http://blogs.snapsis.com/PermaLink,guid,c9d3082b-d7b1-4dfb-8c9c-67c0e864964d.aspx and imported a bunch of users from an Access database into the portal database. Before following the process I wrote a script to create randomized passwords for each user, included these passwords in the xml, thereby adding it to the oUserInfo, and thus when each user was created, they each had a password assigned.

When I look at the aspnet_membership table, these initial passwords are all stored in an encrypted form, which is great. If I request a password reminder for one of these users, I receive an email with the password value decrypted. Cool, this is all how it should be.

Now, if I log in as an admin, browse to a user profile and reset the password, I can now find it in an UNENCRYPTED form in table aspnet_membership.

Why was it not encrypted?

John Mitchell, Posts: 3040, 08/28/2007 11:16 AM

That's a good question. I didn't know it worked that way. I would expect it to be encrypted too. Does the Password Format field change?
I'll have to check it out.

Tigris, Posts: 25, 08/28/2007 11:37 AM

I think the password format is determined by the web.config file:

<add name="AspNetSqlMembershipProvider"
     type="System.Web.Security.SqlMembershipProvider"
     connectionStringName="SiteSqlServer"
     enablePasswordRetrieval="true"
     enablePasswordReset="true"
     requiresQuestionAndAnswer="false"
     minRequiredPasswordLength="3"
     minRequiredNonalphanumericCharacters="0"
     requiresUniqueEmail="false"
     passwordFormat="Encrypted"
     applicationName="DotNetNuke"
     description="Stores and retrieves membership data from the local Microsoft SQL Server database" />


Maybe because I updated the password directly with the database's stored procedure, it bypassed the BlackBox you were talking about, and thus it was not encrypted.... that must be the reason. I should have written a script that created a user object first, and then called its ChangePassword() function. Sound reasonable?
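The provider element quoted in this thread is the weak end of the spectrum: passwordFormat="Encrypted" with enablePasswordRetrieval="true" means anyone who can read aspnet_Membership together with the machineKey, or who intercepts a password-reminder e-mail, holds the real password, and minRequiredPasswordLength="3" accepts trivially guessable values. Below is an added example (written for this edit, not taken from the thread or from any DotNetNuke distribution) showing that element next to a hardened one for the same SqlMembershipProvider. The enclosing <membership> element, the 12-character minimum, the lockout values and the one-character non-alphanumeric requirement are assumptions chosen for illustration; the provider name, type, connectionStringName and applicationName are the ones from the post.

```xml
<!-- Added example: weak vs. hardened SqlMembershipProvider settings for DotNetNuke.
     The <membership> wrapper and the numeric values below are assumptions. -->
<membership defaultProvider="AspNetSqlMembershipProvider">
  <providers>
    <clear />

    <!-- WEAK (as quoted in the thread): reversible storage plus retrieval.
         Kept here commented out so the two configurations can be compared side by side. -->
    <!--
    <add name="AspNetSqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="SiteSqlServer"
         enablePasswordRetrieval="true"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         minRequiredPasswordLength="3"
         minRequiredNonalphanumericCharacters="0"
         requiresUniqueEmail="false"
         passwordFormat="Encrypted"
         applicationName="DotNetNuke"
         description="Stores and retrieves membership data from the local Microsoft SQL Server database" />
    -->

    <!-- HARDENED: one-way hashed storage, password reset instead of retrieval,
         a stronger minimum length, and account lockout after repeated failures. -->
    <add name="AspNetSqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="SiteSqlServer"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         passwordFormat="Hashed"
         minRequiredPasswordLength="12"
         minRequiredNonalphanumericCharacters="1"
         maxInvalidPasswordAttempts="5"
         passwordAttemptWindow="10"
         requiresUniqueEmail="false"
         applicationName="DotNetNuke"
         description="Stores and retrieves membership data from the local Microsoft SQL Server database" />
  </providers>
</membership>
```

Two caveats apply. SqlMembershipProvider refuses to initialise with passwordFormat="Hashed" and enablePasswordRetrieval="true", so the retrieval flag must be switched off at the same time, and a reminder feature built on UserController.GetPassword (as in the SendPassword control discussed above) then has to become a reset. The format is also recorded per row in the PasswordFormat column of aspnet_Membership (0 = Clear, 1 = Hashed, 2 = Encrypted), and changing the provider setting does not rewrite existing rows; each password is re-stored in the new format only when it is next set through the provider, so after the change it is worth querying that column for any remaining 0 or 2 values and forcing those users through a reset.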

John Mitchell, Posts: 3040, 08/28/2007 11:43 AM

You are correct, the format is set in the web.config file. I thought you had it on encrypted and then used a DNN function to reset the user's password.

Yes, calling ChangePassword on the User is the way you should do this.

Tigris, Posts: 25, 08/28/2007 12:06 PM

Crap, sorry... I confused myself.

If I login as host, go to UserAccounts, select a user and change the password, it is indeed stored as cleartext in the aspnet_Membership table.

If I then login as the user and change the password as the user, it again is stored in clear text.

And yes, the PasswordFormat field in aspnet_Membership has changed from a 2 to a 0.

John Mitchell, Posts: 3040, 08/28/2007 12:11 PM

That's bad. You should report it as a bug in Gemini at http://support.dotnetnuke.com