
When creating users, the password credential is saved in encrypted format in the database. Now what I want is:

When a user goes for the Forgot Password option, he needs to fill in his email ID, and the respective password is sent to that email ID.

The issue is that the password is coming out in encrypted format only, for example:

3ab315c4b788dc6de20ff5f64574501f

Below is my code for sending the mail with the username and details:

    using System;
    using System.Data;
    using System.Data.SqlClient;
    using System.Net.Mail;
    using System.Web.UI;

    // The handler name is a placeholder; the snippet was posted as a bare method body.
    protected void btnForgotPassword_Click(object sender, EventArgs e)
    {
        DataSet ds = new DataSet();
        using (SqlConnection conn = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["DefaultCSRConnection"].ConnectionString))
        {
            conn.Open();
            // Parameterised query. The original concatenated txtEmail.Text into the SQL string,
            // which is an SQL injection defect separate from the hashing question.
            SqlCommand cmd = new SqlCommand("SELECT username, password FROM tbl_User WHERE email = @email", conn);
            cmd.Parameters.AddWithValue("@email", txtEmail.Text.Trim());
            SqlDataAdapter da = new SqlDataAdapter(cmd);
            da.Fill(ds);
            conn.Close();
            if (ds.Tables[0].Rows.Count > 0)
            {
                MailMessage Msg = new MailMessage();
                // Sender e-mail address.
                Msg.From = new MailAddress(txtEmail.Text);
                // Recipient e-mail address.
                Msg.To.Add(txtEmail.Text);
                Msg.Subject = "Password Details";
                // The "password" column holds the MD5 hex digest, so that is what the user receives.
                Msg.Body = "Hi, <br/>Please check your Login Details<br/><br/>Your Username is: " + ds.Tables[0].Rows[0]["username"] + "<br/><br/>Your Password is: " + ds.Tables[0].Rows[0]["password"] + "<br/><br/>";
                Msg.IsBodyHtml = true;
                // Your remote SMTP server.
                SmtpClient smtp = new SmtpClient();
                smtp.Host = "smtp.gmail.com";
                smtp.Port = 587;
                smtp.Credentials = new System.Net.NetworkCredential("test@test.com", "********");
                smtp.EnableSsl = true;
                smtp.Send(Msg);
                Msg = null;
                //lbltxt.Text = "Your Password Details Sent to your mail";
                ScriptManager.RegisterStartupScript(this, this.GetType(), "alert", "alert('Your Password Details Sent to your mail');window.location ='Login.aspx';", true);
                // Clear the textbox value.
                txtEmail.Text = "";
            }
            else
            {
                Response.Write("<script>alert('Email Id you entered does not exist');</script>");
            }
        }
    }

Also see my encryption code for putting the password into encrypted format. It uses MD5:

    using System.Security.Cryptography;
    using System.Text;

    // Returns the lowercase hex MD5 digest of the password. This is a hash, not
    // encryption: there is no key and no way to turn the digest back into the password.
    private string md5(string sPassword)
    {
        using (MD5CryptoServiceProvider x = new MD5CryptoServiceProvider())
        {
            byte[] bs = Encoding.UTF8.GetBytes(sPassword);
            bs = x.ComputeHash(bs);
            StringBuilder s = new StringBuilder();
            foreach (byte b in bs)
            {
                s.Append(b.ToString("x2").ToLower());
            }
            return s.ToString();
        }
    }

Please guide.

Nad
  • MD5 is a hash function, not an encryption function. Hash functions are not reversible, so it is not possible to convert a user's password hash back into their password (ignoring any weaknesses in MD5, or generic brute-force or dictionary attacks). Any attempt to store your passwords in a recoverable format (e.g. by storing them in a reversibly encrypted form, or worse still, plaintext) **compromises the security of your users**. Being able to send the user their current password via e-mail is not a valid account recovery mechanism and should itself be avoided. – Iridium Mar 18 '15 at 11:52
  • @Iridium: So, please tell me the best alternative way. I will be happy to implement that. – Nad Mar 18 '15 at 11:53

1 Answer


A couple of problems here are worth highlighting.

  1. Your passwords are not encrypted, they are hashed.

  2. You are using MD5, which has been proven broken for some time now.

Firstly, you should understand the difference between hashing and encrypting.

Then, you should not use MD5 to hash your passwords. I would recommend using a ready-made third-party solution for it, or doing some serious reading on the topic before attempting it.

Then, when recovering a forgotten password, I would advise you to reset it with a new one instead of trying to send the old one (by the way, it is impossible to de-hash a password).

Also, in an ideal world you don't want to send passwords by email at all, but have a proper mechanism to recover the password.

user3012759
  • So, what I am doing is, I am saving the password as plain text in the database, so that it can be easily retrieved by the end user. Is that OK? – Nad Mar 18 '15 at 12:36
  • Nope, you never want to store passwords as plain text in the database; hashing is correct (just use something other than MD5 for it). I would recommend using a proper hash + salt for storing passwords and implementing something like this: http://stackoverflow.com/a/1102817/3012759 . But if you want a quick and dirty solution, you can just set the user's password to something randomly generated, update the database record with the new hash, and send the randomly generated password to the user (this is not recommended though....) – user3012759 Mar 18 '15 at 13:39
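As an added example (not code from the question or the answer), this is how the answer's advice and the last comment could look in C#: salted PBKDF2 via Rfc2898DeriveBytes for storing and verifying passwords, plus a random reset token whose SHA-256 is stored with an expiry, so the e-mail carries a single-use link instead of a password. The class and method names, the "iterations.salt.hash" storage format and the 30-minute expiry are my own choices.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not the question's or answer's code): salted PBKDF2 storage plus a token-based reset.
public static class PasswordStore
{
    private const int SaltSize = 16, HashSize = 32, Iterations = 100000;
    // Produces "iterations.salt.hash" (Base64 fields) for the password column.
    public static string HashPassword(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] hash = Pbkdf2(password, salt, Iterations);
        return Iterations + "." + Convert.ToBase64String(salt) + "." + Convert.ToBase64String(hash);
    }
    // Re-derives with the stored salt and iteration count, then compares in constant time.
    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3) return false;
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Pbkdf2(password, Convert.FromBase64String(parts[1]), int.Parse(parts[0]));
        int diff = actual.Length ^ expected.Length;
        for (int i = 0; i < actual.Length && i < expected.Length; i++) diff |= actual[i] ^ expected[i];
        return diff == 0;
    }
    // Reset: mail a random single-use token in a link and store only its SHA-256 plus an expiry;
    // on click, compare HashToken(token) with the row, check the expiry, then save HashPassword(newPassword).
    public static string CreateResetToken(out string tokenHashForDb, out DateTime expiresUtc)
    {
        byte[] raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_'); // URL-safe
        tokenHashForDb = HashToken(token);
        expiresUtc = DateTime.UtcNow.AddMinutes(30);
        return token;
    }
    public static string HashToken(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
    private static byte[] Pbkdf2(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(HashSize);
    }
}
```

The forgot-password handler then calls CreateResetToken, stores the returned hash and expiry on the user's row, and mails only the link; the stored password hash is never read for the e-mail.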