You have the option to HASH your passwords (which is irreversible - you cannot retrieve the original password). If you use hashing, any password given by the user will be hashed and compared to the stored hash to determine if it was correct or not. In short: there is no way back from a hash to the original password.
If you use ENCRYPTION, the password is -well- encrypted which means it IS possible to decrypt the password to the original if you have a secret key to do so.
Both Umbraco (AFAIK version 4.0.2.1 up to 4.11.1) and the default ASP.NET membership providers use this mechanism. Which one you choose depends on what you set in the web.config:
You DO need both if you want this change for both the users and the members.
Remember that after this change, all your stored passwords are gibberish to the system and need to be reset. In the example I used it for both (clear text passwords are EVIL). This means that when I used the above settings, all my passwords were messed up.
The way to do this:
1. Log into Umbraco BEFORE making this change (or revert to the old settings). Leave this window open or you're in pain.
2. Change the web.config.
3. Change the admin password in the window you left open. You can still do this.
How can I decrypt the password?
thx
The following API doesn't work for me:
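    // Must live in a class deriving from System.Web.Security.MembershipProvider:
    // PasswordFormat and DecryptPassword are members of that base class.
    // Needs: using System; using System.Text; using System.Web.Security;
    //        using System.Configuration.Provider;
    public string UnEncodePassword(string encodedPassword)
    {
        string password = encodedPassword;
        switch (PasswordFormat)
        {
            case MembershipPasswordFormat.Clear:
                // Stored as-is, nothing to decode.
                break;
            case MembershipPasswordFormat.Encrypted:
                // Stored value is Base64 of the encrypted bytes.
                password = Encoding.Unicode.GetString(DecryptPassword(Convert.FromBase64String(password)));
                break;
            case MembershipPasswordFormat.Hashed:
                // A hash is one-way and cannot be reversed.
                throw new ProviderException("Cannot unencode a hashed password.");
            default:
                throw new ProviderException("Unsupported password format.");
        }
        return password;
    }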
http://www.koders.com/csharp/fidCA0761B28F4418A9FE92430A833D50C2637E1D20.aspx?s=login
I don't believe you can.
The passwords are encrypted, and I think you can only check to see if a password matches what is stored as encrypted.
Of course I could be wrong.
What is it that you are trying to achieve?
But what does the following mean in the UmbracoMembershipProvider?
enablePasswordRetrieval="true"
I believe that is related to the ASP membership provider.
It would enable a user to retrieve their own password (or more likely reset) using standard ASP methods.
My question is simple: would it be possible to retrieve the clear text password?
I don't believe it is.
Well, at least I hope it is not. Kind of goes against the whole idea of security.
Actually, it depends.
You have the option to HASH your passwords (which is irreversible - you cannot retrieve the original password). If you use hashing, any password given by the user will be hashed and compared to the stored hash to determine if it was correct or not. In short: there is no way back from a hash to the original password.
If you use ENCRYPTION, the password is -well- encrypted which means it IS possible to decrypt the password to the original if you have a secret key to do so.
Both Umbraco (AFAIK version 4.0.2.1 up to 4.11.1) and the default ASP.NET membership providers use this mechanism.
Which one you choose depends on what you set in the web.config:
    <membership defaultProvider="UmbracoMembershipProvider" userIsOnlineTimeWindow="15">
      <providers>
        <clear />
        <add name="UmbracoMembershipProvider" type="umbraco.providers.members.UmbracoMembershipProvider" enablePasswordRetrieval="true" RequiresUniqueEmail="false" enablePasswordReset="true" passwordFormat="encrypted" requiresQuestionAndAnswer="false" defaultMemberTypeAlias="Aangemeld" />
        <add name="UsersMembershipProvider" type="umbraco.providers.UsersMembershipProvider" enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="false" passwordFormat="encrypted" />
      </providers>
    </membership>
I am not sure if both are needed.
You put this stuff in the system.web element of your web.config.
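Added example, not part of the thread and not Umbraco's own code: a small Python check that reads a web.config and reports membership providers whose settings keep passwords recoverable (passwordFormat of Clear or Encrypted, or enablePasswordRetrieval="true"). The sample config is constructed from the settings quoted above, and the function name, the finding labels and the LegacyProvider entry are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the settings quoted in the thread
# (type attributes omitted; "LegacyProvider" is a made-up third entry).
SAMPLE_CONFIG = """<configuration><system.web>
<membership defaultProvider="UmbracoMembershipProvider">
  <providers>
    <clear />
    <add name="UmbracoMembershipProvider" enablePasswordRetrieval="true" passwordFormat="encrypted" />
    <add name="UsersMembershipProvider" enablePasswordRetrieval="false" passwordFormat="Hashed" />
    <add name="LegacyProvider" passwordFormat="Clear" />
  </providers>
</membership>
</system.web></configuration>"""

# Formats from which the original password can be recovered.
REVERSIBLE = {"clear", "encrypted"}


def audit_membership(config_xml):
    """Return (provider name, finding) pairs for recoverable-password settings."""
    root = ET.fromstring(config_xml)
    findings = []
    for membership in root.iter("membership"):
        for add in membership.findall("providers/add"):
            # Attribute names and values are compared case-insensitively,
            # since the thread's config mixes casing ("encrypted").
            attrs = {k.lower(): v.strip() for k, v in add.attrib.items()}
            name = attrs.get("name", "(unnamed)")
            fmt = attrs.get("passwordformat")
            if fmt is None:
                # Do not guess the provider's default; flag it for review.
                findings.append((name, "format-unspecified"))
            elif fmt.lower() in REVERSIBLE:
                findings.append((name, "reversible-format:" + fmt.lower()))
            if attrs.get("enablepasswordretrieval", "").lower() == "true":
                findings.append((name, "retrieval-enabled"))
    return findings


if __name__ == "__main__":
    for provider, finding in audit_membership(SAMPLE_CONFIG):
        print(provider, finding)
```
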
In this case, where can I find the secret key to use in my decryption function?
Oh and:
In the example I used it for both (clear text passwords are EVIL). This means that when I used the above settings, all my passwords were messed up.
The way to do this:
Otherwise, you will be locked out.