Password Retrieval

Posted by Community Admin on 03-Aug-2018 20:12


All Replies

Posted by Community Admin on 08-Dec-2010 00:00

I am running Sitefinity 4.0 RC and am trying to retrieve a given user's password in order to send it to him/her in an email.  To do this, I ask the user for his/her username and access the password via the following function:

public static string GetPassword(string username)
{
    // Look up the user, reset the password, and persist the change.
    UserManager userMan = new UserManager();
    User user = userMan.GetUser(username);
    string newPassword = user.ResetPassword();
    userMan.SaveChanges();
    return newPassword;
}


I receive the following error:
"System.Configuration.Provider.ProviderException: Cannot retrieve Hashed passwords."

I have enabled password retrieval in my SecurityConfig.config as follows, but I still get the above error.
<membershipProviders>
    <add requiresUniqueEmail="false" enablePasswordRetrieval="true" name="Default" />
</membershipProviders>

How can I retrieve hashed passwords stored in Sitefinity?
Thanks,
Ann

Posted by Community Admin on 08-Dec-2010 00:00

Hi Ann,

If the membership provider supports hashed passwords, the GetPassword method throws an exception if the EnablePasswordRetrieval property is set to true and the password format is set to Hashed. Hashed passwords cannot be retrieved. The passwordFormat should be set to Clear.

Greetings,
Ivan Dimitrov
the Telerik team

Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

Posted by Community Admin on 09-Dec-2010 00:00

How do we set it up to store encrypted passwords (not hashed) and allow them to be decrypted for retrieval?  We're migrating from DNN and this is how it works in that system.  Would prefer not to store them in clear text.


Thanks,
Matt

Posted by Community Admin on 10-Dec-2010 00:00

Hi Matt,

You can control the password format from the configurations.

Regards,
Ivan Dimitrov
the Telerik team


Posted by Community Admin on 10-Dec-2010 00:00

Thanks, Ivan.

What are the possible values for the password format?

Thanks,
Matt

Posted by Community Admin on 10-Dec-2010 00:00

Hi Matt,

Passwords can be stored in Clear, Encrypted, and Hashed password formats. Clear passwords are stored in plain text, which improves the performance of password storage and retrieval but is less secure, as passwords are easily read if your data source is compromised. Encrypted passwords are encrypted when stored and can be decrypted for password comparison or password retrieval. This requires additional processing for password storage and retrieval, but is more secure, as passwords are not easily determined if the data source is compromised. Hashed passwords are hashed using a one-way hash algorithm and a randomly generated salt value when stored in the database. When a password is validated, it is hashed with the salt value in the database for verification. Hashed passwords cannot be retrieved.

Greetings,
Ivan Dimitrov
the Telerik team

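The Hashed format described in the reply above, as an added example that is not part of the original thread and is not Sitefinity's or ASP.NET's provider code. It uses PBKDF2 as the one-way function, and the iteration count, sizes and sample password are assumptions; the provider's own algorithm is not shown on this page.

```csharp
using System;
using System.Security.Cryptography;

// Added illustration of salted one-way password storage.
// Not the membership provider's implementation; parameters are assumed values.
public static class HashedFormatDemo
{
    const int SaltBytes = 16, HashBytes = 32, Iterations = 100000;

    // What is stored per user: a random salt and the derived hash, never the password.
    public static (byte[] Salt, byte[] Hash) Store(string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return (salt, Derive(password, salt));
    }

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Validation re-hashes the candidate with the stored salt and compares the results.
    public static bool Validate(string candidate, byte[] salt, byte[] storedHash)
    {
        byte[] actual = Derive(candidate, salt);
        int diff = actual.Length ^ storedHash.Length;
        for (int i = 0; i < actual.Length && i < storedHash.Length; i++)
            diff |= actual[i] ^ storedHash[i]; // no early exit, so timing does not leak the match position
        return diff == 0;
    }

    public static void Main()
    {
        var record = Store("correct horse battery staple"); // constructed sample password
        Console.WriteLine(Validate("correct horse battery staple", record.Salt, record.Hash));
        Console.WriteLine(Validate("wrong guess", record.Salt, record.Hash));
        // Derive has no inverse, so the stored record cannot yield the password.
        // Recovery means replacing the record with a new Store(...) result.
    }
}
```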

Posted by Community Admin on 12-Dec-2010 00:00

Ivan,

I set the password format to Encrypted, and signed up a new user.  Looks like it stored the encrypted password correctly with a format ID of 2.  However, when I try to retrieve the password I get the following error:

System.OverflowException: Arithmetic operation resulted in an overflow.
   at DynamicModule.ns.Wrapped_OpenAccessMembershipProvider_9ee0e21817884858997d8d536daf610d.GetPassword(String userName, String answer)

At first I had the machine key defined in the web.config and it gave me a different error.  I took this out for now in case that was part of the problem, but I'll need to put that back in eventually if I can figure out how to get it to play nice with Sitefinity.  Here's the error I got with the machine key:

System.Security.Cryptography.CryptographicException: Length of the data to decrypt is invalid.
   at DynamicModule.ns.Wrapped_OpenAccessMembershipProvider_d0d57eda070047bd83c56c4b6f382af3.GetPassword(String userName, String answer)

Can you tell me if the password decryption actually works in the current build, and if there's something special I need to do to make it work for me?

Thanks,
Matt

Posted by Community Admin on 13-Dec-2010 00:00

Hi Matt,

You can get the user's password using the code below:

string password = null;
string answer = null;
string provider = "Default";
string username = "myuser";
UserManager manager = UserManager.GetManager(provider);
var user = manager.GetUser(username);

// Returns the stored password when the provider's format allows retrieval.
password = manager.GetPassword(username, answer);

Note that this will work for the users which have been created after you have set PasswordFormat to "Encrypted".

Best wishes,
Ivan Dimitrov
the Telerik team

Posted by Community Admin on 31-Mar-2011 00:00

Hi,

I am trying to use the same code but am getting the following error:
Invalid length for a Base-64 char array.

Thanks

Posted by Community Admin on 04-Apr-2011 00:00

Hello Bart,

It is possible that something goes wrong when we try to decode the password.

1. What is the password format you use?

2. Can you send the full stack, so we can see which method is called?

All the best,
Ivan Dimitrov
the Telerik team


Posted by Community Admin on 04-Apr-2011 00:00

Hi,

We use encrypted passwords. I think the problem is that our password answers are not being encrypted for some reason.
Is there some way to enable encryption on password answers?

Thanks

Posted by Community Admin on 08-Apr-2011 00:00

Hi Bart,

We know about this issue and it is logged in our system for fixing after Sitefinity 4.1(q1) release.

Regards,
Ivan Dimitrov
the Telerik team


Posted by Community Admin on 22-Apr-2014 00:00

Hi Ivan

Did you fix the issue that Bart described?

I am on Sitefinity 6.3 and changed my password settings as follows:

1. Changed password format to "Encrypted"

2. Set Password retrieval to "true"

3. Set Password question to "true"

I've registered a user after I made these changes, but I still get the error below.

My code looks like this:

MembershipUser user = Membership.GetUser( brokerCode );

string password = user.GetPassword( securityAnswer );

 

Then I get an error saying:

Number was less than the array's lower bound in the first dimension.
Parameter name: srcIndex

 

Stacktrace:

   at DynamicModule.ns.Wrapped_OpenAccessMembershipProvider_38d1758378f74f6eaf5757b594dff772.GetPassword(String userName, String answer)
   at Telerik.Sitefinity.Security.Data.SitefinityMembershipProvider.GetPassword(String username, String answer)
   at System.Web.Security.MembershipUser.GetPassword(String passwordAnswer)
   at Medihelp.Broker.Toolbox.Widgets.ForgotPassword.ResetPassword(String action, String brokerCode, String securityQuestion, String securityAnswer) in c:\Projects\Medihelp-Broker-Toolbox\Medihelp-Broker-Toolbox-SF6Demo\Medihelp.BrokerToolbox.Web\Controls\Login\ForgotPassword.ascx.cs:line 65

EDIT:

I noted that the security answer is still clear text, not sure if it should be like that?

http://i.imgur.com/wnYLmB9.png
 

 

Kind Regards

Gerrit

 

 

 

This thread is closed