Our module has retrieve password functionality so that if a user has forgotten the password he may retrieve it and the system will send it via email. We are using SimpleMembership on MVC4. I checked the WebSecurity class but it has no "GetPassword" method. I tried to search the net and instead I found this implementation.

    var user = System.Web.Security.Membership.GetUser(userName);
    password = user.GetPassword();

I got an error on GetPassword saying "Specified method is not supported." I also added the following in my web.config, but I still got the error mentioned even though the user object has a value.

    <membership defaultProvider="simple">
      <providers>
        <clear />
        <add name="simple" type="WebMatrix.WebData.SimpleMembershipProvider,WebMatrix.WebData"
             enablePasswordRetrieval="true"
             enablePasswordReset="true" requiresQuestionAndAnswer="false"/>
      </providers>
    ...

Are there other ways to retrieve the simple membership password of a user? I can query the webpages_Membership table, but the password is encrypted. Does anyone know the decryption algorithm for this? I tried FormsAuthentication.Decrypt(encryptedpassword); but I got the error "Invalid value for 'encryptedTicket' parameter." although the password passed is encrypted.

Please help.

Jobert Enamno
  • Just a suggestion, I think it's better to just send them an email that would allow them to change/reset their old password rather than showing their old password. – WannaCSharp Oct 18 '13 at 02:50
  • @WannaCSharp that's another module and we have that too. Our project has two modules related to passwords: 1. Forgot password, which emails the forgotten password. 2. Reset password, which allows the user to reset his password. – Jobert Enamno Oct 18 '13 at 02:54
  • I don't think there's a way to retrieve the password in plaintext with SimpleMembership, since it's using a one-way hash for encrypting passwords. – WannaCSharp Oct 18 '13 at 03:09
  • @WannaCSharp I've seen this post. http://stackoverflow.com/questions/14985003/what-encryption-does-mvc4-use See the answer of Giorgio Minardi. – Jobert Enamno Oct 18 '13 at 03:17
  • The password is not encrypted. It's hashed. There's a pretty big difference between the two. You cannot retrieve the password in plain text. You will have to reset the password instead if the user forgot it. – Darin Dimitrov Oct 18 '13 at 07:38

1 Answer

There is absolutely no way to do what you are proposing, getting the plain text password, from the WebMatrix security implementation. The password is salted and hashed; you cannot reverse this to get the plain text password, and this is a good thing.

The WebMatrix provider does supply all the functions you need to support creating a password reset token that can be sent to a registered email address, rather than sending passwords in plain text.

AlexC
  • Let's add that it's a general principle not being able to get the cleartext password back for _any_ secure authentication system (not only ASP.NET SimpleMembershipProvider). – Csaba Toth Jun 05 '14 at 00:42
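
The reset-token flow the answer refers to, as an added example that is not part of the original question or answer. It uses the `WebSecurity` API from WebMatrix.WebData; the controller name, view names and sender address are hypothetical, and it assumes that user names are e-mail addresses and that SMTP settings are in web.config.

```csharp
using System.Net.Mail;
using System.Web.Mvc;
using WebMatrix.WebData;

// Added example. Assumptions: user names are e-mail addresses, SMTP is
// configured under <system.net><mailSettings>, view names are hypothetical.
public class PasswordController : Controller
{
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Forgot(string userName)
    {
        // GeneratePasswordResetToken throws for unknown or unconfirmed users,
        // so check first, but render the same view either way so the form
        // does not reveal which accounts exist.
        if (!string.IsNullOrWhiteSpace(userName)
            && WebSecurity.UserExists(userName)
            && WebSecurity.IsConfirmed(userName))
        {
            // The provider stores the token; here it expires after 60 minutes.
            string token = WebSecurity.GeneratePasswordResetToken(userName, 60);
            string link = Url.Action("Reset", "Password", new { token }, Request.Url.Scheme);

            using (var smtp = new SmtpClient())
            using (var mail = new MailMessage("noreply@example.com", userName)) // constructed sender
            {
                mail.Subject = "Password reset";
                mail.Body = "Use this link to choose a new password: " + link;
                smtp.Send(mail);
            }
        }
        return View("ForgotSent");
    }

    [HttpGet, AllowAnonymous]
    public ActionResult Reset(string token)
    {
        ViewBag.Token = token; // the form posts it back with the new password
        return View();
    }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Reset(string token, string newPassword)
    {
        // ResetPassword returns false for an unknown or expired token.
        if (WebSecurity.ResetPassword(token, newPassword))
            return View("ResetDone");
        ModelState.AddModelError("", "The reset link is invalid or has expired.");
        return View();
    }
}
```

The stored hash is never read or sent: the user proves control of the mailbox with the short-lived token and sets a new password.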