0

.NET membership store all password encoded. Like this:

TcsrrZQK9xZw3A4lXTKmeDC5LbJ6sAePCBuAipqnM4M=

I have a requirement from customer, that at user profile system need to show current user password.

Is it somehow possible (i need still have passwords encoded at database for secrity reasons)? Any examples?

Evgeniy Labunskiy
  • 2,012
  • 3
  • 27
  • 45
  • 1
    The customer wanting to see the password for other users is a solution for a problem that should be solved differently. But if you must know, that looks like Base64. – CodeCaster Oct 10 '12 at 11:55
  • @CodeCaster - but what are the bytes behind the Base64? – H H Oct 10 '12 at 12:01
  • 3
    @HenkHolterman I've never used a built-in membership provider, but apparently it hashes the passwords by default (is the Base64 then to store the binary hash in a varchar column?), so luckily they can't be abused this way. I just meant to say that OP should address the real problem, like: _"Some (admin) users in the application should be able to log in as (i.e. impersonate) a different user to perform actions"_, or _"Our users want to be able to retreive their passwords when they forgot them"_, so better solutions can be opted. – CodeCaster Oct 10 '12 at 12:08

3 Answers3

2

The usual/best practice is to use one-way encryption for password storage.

You can only do what you want by using symmetric encryption and overriding the built-in password storage method.

A better solution is to email a temporary password to the user who has to change it on next login. As a very insecure extension you could display this password on the screen.

Good luck

Peter Smith
  • 5,528
  • 8
  • 51
  • 77
1

You can't show the passwords as ASP.net MVC uses one way encryption.

Asif Mushtaq
  • 13,010
  • 3
  • 33
  • 42
1

Yes it is possible.

You will need a custom membership provider with the property:

  EnablePasswordRetrieval = true

This in turn requires a few other settings, like

  PasswordFormat = Encrypted   (normally: Hashed)

I'm not sure whether such a Provider exists but you can write one.

H H
  • 263,252
  • 30
  • 330
  • 514