Hi,

I am trying to decrypt my password stored in aspnet_membership table...

I am using the following code,
VB
' Runs inside a class that inherits SqlMembershipProvider, so MyBase.DecryptPassword is reachable.
' The function wrapper and its name are added; the original snippet was a bare fragment.
Protected Function GetClearTextPassword(password As String) As String
    Dim encodedPassword() As Byte = Convert.FromBase64String(password)
    Dim decryptedPassword() As Byte = MyBase.DecryptPassword(encodedPassword)
    If decryptedPassword IsNot Nothing Then
        Return System.Text.Encoding.UTF8.GetString(decryptedPassword, 0, decryptedPassword.Length)
    End If
    Return Nothing
End Function

but at the line of DecryptPassword(encodedPassword) it shows error as
"Length of the data to decrypt is invalid."

Can anyone help me to fix it please...
Updated 11-Jan-12 20:44pm
Comments
Prerak Patel 12-Jan-12 3:34am    
Can you show what is the value in password?

I agree with Keith's solution. In addition to this I would suggest that you should not decrypt the password when you are using the ASP.NET built-in membership provider. Rather, when you want to compare the password entered by the user and the encrypted (hashed) password stored in the database, you should read the password entered by the user, then encrypt it and compare it with the password from the database for equality.
Comments
fjdiewornncalwe 12-Jan-12 10:08am    
+5. Exactly why the hashed values are saved like this.
Assuming you haven't done anything to the normal mechanism (i.e. you are using the SqlMembershipProvider) when storing the password, what you are doing can't work. Theoretically you can't get the password back as it is hashed rather than encrypted.

Encryption is a two-way algorithm: if you know the relevant key(s) you can get the value back.

Hashing is different: the algorithm produces a value that is always the same for a given input and key, but the value cannot be recovered from a hash even if you have the key. Technically the value you are trying to decrypt is a salted hash - the salt prevents someone querying the tables from finding groups of people with the same password (which produce the same hashes) by prepending the password with a random salt. Without the salt it is easy for hackers to see who is using commonly used passwords by comparing the unsalted hashes.


You really have only three options:

1. Give up on this entirely - this might be a valid option depending on what it is you need exactly.
2. Replace or subclass the default provider
3. Use one of the built-in mechanisms to reset the password if this is what you want to achieve, see: http://www.asp.net/web-forms/tutorials/security/admin/recovering-and-changing-passwords-cs


[Edit in response to Arasu Rajendran's comments] First, having a decryptable password represents a security risk, so I'd recommend [salted] hashing - this is why Microsoft use it in their provider.
No matter whether you choose to continue to hash or not, you don't need to decrypt the password to change it (effectively what you are describing in your comment). Instances of the MembershipProvider have a reset password method which takes the current password and the new one. It is good security to check the person resetting the password knows the "old" one when supplying the new; if you are using an encrypted one, you can encrypt the supplied one and compare it against the encrypted version in the backing store. If you did not take the old password, someone in an Internet cafe might log in and leave the site without ending the session; the next user could then go to the login page and supply a new password without knowing the old.

The provider model allows a user to answer a secret question if they do not know their current password, you could do something similar for your code without needing to decrypt the password.

Finally, I strongly suggest you read this: http://forums.devshed.com/security-and-cryptography-17/password-encryption-vs-hashing-398845.html which has a good discussion of the differences, and a security comparison, between hashing and encryption.
Comments
Arasu Rajendran 12-Jan-12 7:01am    
No... I do want exactly the same function as in the above code which I posted... I am using "encrypted" in web.config, not hashed... my users want to edit their password like any other field, that's what I am trying to do... is there any solution for that?
Keith Barrow 12-Jan-12 8:34am    
I've updated my answer, as it is too long for a comment. I should also add, I think the security question is only a good idea for sites where security is less of a consideration.
fjdiewornncalwe 12-Jan-12 10:07am    
+5. Excellent.
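Both Prerak's and Keith's answers recommend the same thing: hash what the user typed and compare it with the stored value instead of trying to decrypt. The following is an added example (not code from any poster) showing that check against the aspnet_Membership Password/PasswordSalt layout; it assumes a default SqlMembershipProvider configuration with PasswordFormat Hashed (SHA1 over salt bytes + UTF-16LE password, 16-byte salt), and the sample row is constructed.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample of the two aspnet_Membership columns involved (not a real row):
#   PasswordSalt  Base64 of 16 random bytes
#   Password      Base64 of SHA1(salt_bytes + UTF-16LE(password))  when PasswordFormat is Hashed
# Assumption: default SqlMembershipProvider settings (SHA1 hashAlgorithmType, 16-byte salt).
# SHA1 is reproduced here only because that is what existing rows were written with.

def make_salt() -> str:
    """Fresh 16-byte salt, Base64 encoded like the PasswordSalt column."""
    return base64.b64encode(os.urandom(16)).decode("ascii")

def encode_password(password: str, salt_b64: str) -> str:
    """Recompute the provider's salted hash for a candidate password and a stored salt."""
    salt = base64.b64decode(salt_b64)
    digest = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")

def verify_password(candidate: str, stored_b64: str, salt_b64: str) -> bool:
    """What both answers recommend: hash what the user typed and compare, never decrypt.
    compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(encode_password(candidate, salt_b64), stored_b64)

def is_decryptable_length(stored_b64: str, block_size: int = 16) -> bool:
    """A Hashed value is a 20-byte SHA1 digest, not a multiple of the 16-byte AES block,
    so handing it to DecryptPassword fails with 'Length of the data to decrypt is invalid'.
    Checking the length first shows the row is hashed before any decrypt attempt."""
    return len(base64.b64decode(stored_b64)) % block_size == 0

# Constructed sample row; the salt is fixed so the example is reproducible.
SALT = "KkUkCB+p1v0C5M48xm1ZNA=="
STORED = encode_password("correct horse", SALT)

if __name__ == "__main__":
    print(verify_password("correct horse", STORED, SALT))   # True
    print(verify_password("Correct horse", STORED, SALT))   # False
    print(is_decryptable_length(STORED))                     # False
```

Run against a real row, the same `verify_password` call replaces any attempt to call DecryptPassword on a hashed value.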
Hi, if you are using ASP.NET membership and need to get the password in plain text,
please refer to this article that provides the solution:
http://www.byteblocks.com/post/2011/05/03/Decrypt-password-in-SqlMembershipProvider.aspx
Comments
CHill60 28-May-14 9:46am    
You're two and a half years late with this

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)