I need to send an email to an Umbraco user (member) with a password reminder.

I work with the umbraco.cms.businesslogic.member.Member class:

Member member = Member.GetMemberFromLoginName(userName);
string password = member.Password;

But when I look into this password, apparently it is a "coded" (encrypted) password, not the "clear" one.

Is there a way to obtain a "clear" password?

serge

2 Answers

3

Hopefully not.

It is very bad practice to store passwords in a way that allows for them to be recovered.

What you can do instead of "password reminder" is "password reset": Send them an email with a link that allows them to reset their password. Protected by some unique number that expires after a few hours and can only be used once.

Thilo
  • So what does the "Password" field in the Member class exist for? – serge Jan 21 '15 at 09:28
  • It contains a password hash that can be used to verify if a given password is correct. But not to recover it. – Thilo Jan 21 '15 at 09:28
  • http://stackoverflow.com/questions/326699/difference-between-hashing-a-password-and-encrypting-it?lq=1 – Thilo Jan 21 '15 at 09:30
3

The passwords are hashed (and quite possibly salted) during account creation. The website doesn't know what the plaintext password is - it can only compare the hash (a one-way cryptographic function, in theory irreversible) of what the user typed into the password box with the stored hash.

The "forgot password" feature should verify the owner of the account and send an e-mail with a password reset link. Sending plaintext passwords in emails is a huge security violation, as users often reuse their passwords on multiple sites, and gaining access to a user's email would expose a password that can be tried on hundreds upon hundreds of different websites/systems.

Gerino
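Both answers describe the same replacement for a "password reminder": a reset link protected by a random, expiring, single-use token. The following C# is an added example (not code from the question, the answers, or Umbraco itself) of that token lifecycle; the in-memory dictionary stands in for a database table, and the member login name and the two-hour lifetime are constructed values. Only the raw token is placed in the e-mailed link; the server stores its SHA-256 hash, so a leaked table cannot be turned into valid links.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public sealed class PasswordResetService
{
    private sealed class ResetRecord
    {
        public string LoginName = "";
        public DateTimeOffset ExpiresAt;
        public bool Used;
    }

    // Keyed by the Base64 SHA-256 hash of the token (assumption: a DB table in a real site).
    private readonly Dictionary<string, ResetRecord> _records = new();
    private readonly TimeSpan _lifetime;

    public PasswordResetService(TimeSpan lifetime) => _lifetime = lifetime;

    // Issue a token for a member whose ownership was already verified (e.g. by e-mail address).
    // Returns the raw token to embed in the reset link; only its hash is kept server-side.
    public string Issue(string loginName, DateTimeOffset now)
    {
        byte[] token = RandomNumberGenerator.GetBytes(32);          // 256 bits from the CSPRNG
        string key = Convert.ToBase64String(SHA256.HashData(token));
        _records[key] = new ResetRecord { LoginName = loginName, ExpiresAt = now + _lifetime };
        return Convert.ToBase64String(token);
    }

    // Redeem the token from the clicked link. Returns the member's login name on success,
    // or null when the token is unknown, malformed, expired, or already used.
    public string? Redeem(string rawToken, DateTimeOffset now)
    {
        byte[] token;
        try { token = Convert.FromBase64String(rawToken); } catch (FormatException) { return null; }
        string key = Convert.ToBase64String(SHA256.HashData(token));
        if (!_records.TryGetValue(key, out ResetRecord? rec)) return null;
        if (rec.Used || now >= rec.ExpiresAt) return null;
        rec.Used = true;                                             // single use: a replayed link fails
        return rec.LoginName;
    }
}

public static class Demo
{
    public static void Main()
    {
        var svc = new PasswordResetService(TimeSpan.FromHours(2));  // constructed lifetime
        DateTimeOffset issued = DateTimeOffset.UtcNow;
        string link = svc.Issue("member1", issued);                 // constructed login name
        Console.WriteLine(svc.Redeem(link, issued.AddMinutes(30)) ?? "rejected"); // first click succeeds
        Console.WriteLine(svc.Redeem(link, issued.AddMinutes(31)) ?? "rejected"); // second click rejected
    }
}
```

After a successful Redeem the site sets a new password for the returned member through its normal password-change path, which stores a fresh hash; nothing in this flow ever needs the old plaintext.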