
Obviously I cannot provide an email with the link

example.net/changepassword.aspx?email=bob@example.com

So I need

example.com/changepassword.aspx?email=fregrtgethytrhergerg

How can I do this? I assume I need an encryption key? Can I do all of this without creating an additional database table? I know nothing about security.

The closest explanation I have found that might be related to what I want is an article about How to Hash and Salt Passwords in ASP.NET.

punkouter
  • The link sample is showing how you'd _hash_ (not encrypt) data (e.g. passwords). – EdSF Oct 05 '12 at 14:50
  • @gabrjan: decode md5? Is this a joke? – JYL Oct 05 '12 at 14:51
  • Aha.. I think I'm confused about what hashing is vs. encryption.. I need to study up on this... I was thinking it is as simple as being able to go back and forth between the original text and some garbled text. – punkouter Oct 05 '12 at 16:10
  • http://weblogs.asp.net/dwahlin/archive/2009/05/21/encrypting-data-in-net-applications.aspx – punkouter Oct 05 '12 at 16:46
  • How about that link? That seems to be what I am thinking of? – punkouter Oct 05 '12 at 16:47

2 Answers

I assume here that you want to make a "recover lost password page" which sends an email to your user. Is this true?

You don't want to create a new table, but would you be okay creating a new column (or two) in your existing table?

If so, you can add to your existing table a "guid" column and another column "guidExpirationDate".

When the user asks for a new password, create a Guid in the table (code: Guid.NewGuid()) and set an expiration date with DateTime.Now.AddMinutes(30), for example.

In your link, provide the Guid instead of the email address. When the page loads, verify that the Guid has not expired, for security reasons.

No need for encryption here.

JYL
  • And then expire it, also for security reasons. The reset code should be usable once only. – Peter Taylor Oct 05 '12 at 15:00
  • The data is coming from an external API.. so I would rather not have to create a table... But my high level understanding is if I store a key for encrypting on the code behind page.. Can't I use that to encrypt and decrypt? So that way I don't need a new table.. – punkouter Oct 05 '12 at 15:55
  • @punkouter: Problem with encrypting is that you won't have the expiration delay: if you generate a link with the encrypted mail, this link will always be usable. Not very secure. – JYL Oct 06 '12 at 10:22
  • ... Except if you add the day in the encryption key! That could be the solution. You'll find some questions on SO about encrypting. See this one for example: http://stackoverflow.com/questions/202011/encrypt-decrypt-string-in-net . – JYL Oct 06 '12 at 10:25
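The guid / guidExpirationDate scheme from this answer plus the single-use rule from Peter Taylor's comment, as an added C# example (not code from the answer or the asker). The table is stood in for by an in-memory dictionary; one addition beyond the answer is that only a SHA-256 of the GUID is stored, so a leaked table row does not by itself give a working reset link.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: the "guid" and "guidExpirationDate" columns modelled as a
// dictionary keyed by the hash of the token; in real code this is the users table.
public class ResetRecord
{
    public string Email;
    public DateTime ExpiresUtc;   // the guidExpirationDate column
}

public static class PasswordResetTokens
{
    private static readonly Dictionary<string, ResetRecord> Store = new Dictionary<string, ResetRecord>();

    // Addition to the answer: store SHA-256(token), never the raw GUID.
    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // When the user asks for a reset: returns the value to place in the emailed link.
    public static string Issue(string email)
    {
        string token = Guid.NewGuid().ToString("N");            // Guid.NewGuid(), as in the answer
        Store[Hash(token)] = new ResetRecord
        {
            Email = email,
            ExpiresUtc = DateTime.UtcNow.AddMinutes(30)          // 30-minute window, as in the answer; UTC avoids DST skew
        };
        return token;
    }

    // When changepassword.aspx loads: returns the account to reset, or null for an
    // unknown, expired or already-used token. The record is removed on every lookup,
    // so a link can be redeemed at most once (Peter Taylor's comment).
    public static string Redeem(string token)
    {
        string key = Hash(token);
        ResetRecord rec;
        if (!Store.TryGetValue(key, out rec)) return null;
        Store.Remove(key);                                        // single use
        if (DateTime.UtcNow > rec.ExpiresUtc) return null;        // expired: removed, not honoured
        return rec.Email;
    }
}
```

The page only receives the GUID, so the email address never appears in the URL; the account to reset is looked up from the stored record.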

You can add a column (VerificationCode) to your table which will contain a unique value (you can use a GUID).

When a user requests a changed password, generate & update the VerificationCode in the database & use the same in the URL:

example.com/changepassword.aspx?verificationCode=yourUniqueKey
Kapil Khandelwal
  • Yes.. That is the non-encryption way to do it, I understand.. create a guid.. send it.. when the user clicks the link.. match that guid to the user email in a table.. I can do that as well.. I thought it would be easier just to encrypt and decrypt.. maybe not – punkouter Oct 05 '12 at 15:57