Password Retrieval
I am running Sitefinity 4.0 RC and am trying to retrieve a given user's password in order to send it to him/her in an email. To do this, I ask the user for his/her username and access the password via the following function:
public static string GetPassword(string username)
{
    UserManager userMan = new UserManager();
    User user = userMan.GetUser(username);
    // Generates a new password for the user and persists the change
    string newPassword = user.ResetPassword();
    userMan.SaveChanges();
    return newPassword;
}
<membershipProviders>
    <add requiresUniqueEmail="false" enablePasswordRetrieval="true" name="Default" />
</membershipProviders>
Hi Ann,
If the membership provider supports hashed passwords, the GetPassword method throws an exception if the EnablePasswordRetrieval property is set to true and the password format is set to Hashed. Hashed passwords cannot be retrieved. The passwordFormat should be set to Clear.
Greetings,
Ivan Dimitrov
the Telerik team
How do we set it up to store encrypted passwords (not hashed) and allow them to be decrypted for retrieval? We're migrating from DNN and this is how it works in that system. Would prefer not to store them in clear text.
Hi Matt,
You can control the password format from the configurations.
Regards,
Ivan Dimitrov
the Telerik team
Thanks, Ivan.
Hi Matt,
Passwords can be stored in Clear, Encrypted, and Hashed password formats. Clear passwords are stored in plain text, which improves the performance of password storage and retrieval but is less secure, as passwords are easily read if your data source is compromised. Encrypted passwords are encrypted when stored and can be decrypted for password comparison or password retrieval. This requires additional processing for password storage and retrieval, but is more secure, as passwords are not easily determined if the data source is compromised. Hashed passwords are hashed using a one-way hash algorithm and a randomly generated salt value when stored in the database. When a password is validated, it is hashed with the salt value in the database for verification. Hashed passwords cannot be retrieved.
Greetings,
Ivan Dimitrov
the Telerik team
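The difference between the Encrypted and Hashed formats described above, as an added example that is not part of the original thread and is not Sitefinity's provider code. AES with a random key and IV, PBKDF2-HMAC-SHA256 and the 100000 iteration count are assumptions chosen for the illustration, and the `Rfc2898DeriveBytes` overload used needs .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PasswordFormatDemo
{
    // Encrypted format: whoever holds the key can reverse the stored value.
    static byte[] Crypt(byte[] data, byte[] key, byte[] iv, bool encrypt)
    {
        using (var aes = Aes.Create())
        using (var t = encrypt ? aes.CreateEncryptor(key, iv) : aes.CreateDecryptor(key, iv))
            return t.TransformFinalBlock(data, 0, data.Length);
    }

    // Hashed format: only the salt and a one-way derived value are stored.
    static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    // Validation re-hashes the attempt with the stored salt and compares
    // every byte instead of stopping at the first difference.
    static bool Verify(string attempt, byte[] salt, byte[] stored)
    {
        byte[] candidate = Hash(attempt, salt);
        int diff = candidate.Length ^ stored.Length;
        for (int i = 0; i < Math.Min(candidate.Length, stored.Length); i++)
            diff |= candidate[i] ^ stored[i];
        return diff == 0;
    }

    static byte[] RandomBytes(int n)
    {
        var b = new byte[n];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(b);
        return b;
    }

    static void Main()
    {
        const string password = "correct horse battery staple"; // constructed sample value

        // Encrypted: the original password comes back out of the stored bytes.
        byte[] key = RandomBytes(32), iv = RandomBytes(16);
        byte[] cipher = Crypt(Encoding.UTF8.GetBytes(password), key, iv, true);
        string recovered = Encoding.UTF8.GetString(Crypt(cipher, key, iv, false));
        Console.WriteLine("Encrypted, retrievable: " + (recovered == password));

        // Hashed: nothing to decrypt; an attempt can only be checked.
        byte[] salt = RandomBytes(16);
        byte[] stored = Hash(password, salt);
        Console.WriteLine("Hashed, right attempt:  " + Verify(password, salt, stored));
        Console.WriteLine("Hashed, wrong attempt:  " + Verify("guess", salt, stored));
    }
}
```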
Ivan,
Hi Matt,
You can get the user's password using the code below:
string password = null;
string answer = null;
string provider = "Default";
string username = "myuser";
UserManager manager = UserManager.GetManager(provider);
var user = manager.GetUser(username);
password = manager.GetPassword(username, answer);
Hi,
I am trying to use the same code but am getting the following error:
Invalid length for a Base-64 char array.
Thanks
Hello Bart,
It is possible that something goes wrong when we try to decode the password.
1. What is the password format you use?
2. Can you send the full stack, so we can see which method is called?
All the best,
Ivan Dimitrov
the Telerik team
Hi,
We use encrypted passwords. I think the problem is that our password answers are not being encrypted for some reason.
Is there some way to enable encryption on password answers?
Thanks
Hi Bart,
We know about this issue and it is logged in our system for fixing after Sitefinity 4.1(q1) release.
Regards,
Ivan Dimitrov
the Telerik team
Hi Ivan
Did you fix this issue that Bart described?
I am on Sitefinity 6.3 and changed my password settings as follows:
1. Changed password format to "Encrypted"
2. Set Password retrieval to "true"
3. Set Password question to "true"
I've registered a user after I've made these changes but still I get the error below:
My code looks like this:
MembershipUser user = Membership.GetUser( brokerCode );
string password = user.GetPassword( securityAnswer );
Then I get an error saying:
Number was less than the array's lower bound in the first dimension.
Parameter name: srcIndex
Stacktrace:
at DynamicModule.ns.Wrapped_OpenAccessMembershipProvider_38d1758378f74f6eaf5757b594dff772.GetPassword(String userName, String answer)
at Telerik.Sitefinity.Security.Data.SitefinityMembershipProvider.GetPassword(String username, String answer)
at System.Web.Security.MembershipUser.GetPassword(String passwordAnswer)
at Medihelp.Broker.Toolbox.Widgets.ForgotPassword.ResetPassword(String action, String brokerCode, String securityQuestion, String securityAnswer) in c:\Projects\Medihelp-Broker-Toolbox\Medihelp-Broker-Toolbox-SF6Demo\Medihelp.BrokerToolbox.Web\Controls\Login\ForgotPassword.ascx.cs:line 65
EDIT:
I noted that the security answer is still clear text, not sure if it should be like that?
http://i.imgur.com/wnYLmB9.png
Kind Regards
Gerrit