
  • wolf11th 7 posts 27 karma points
    Aug 28, 2012 @ 05:14
    wolf11th
    0

    How can I decrypt the password?

    thx

    The following API doesn't work for me:

    public string UnEncodePassword(string encodedPassword)
    {
        string password = encodedPassword;
        switch (PasswordFormat)
        {
            case MembershipPasswordFormat.Clear:
                // Stored as plain text: nothing to decode.
                break;
            case MembershipPasswordFormat.Encrypted:
                // Reversible: Base64-decode, then decrypt via the provider's DecryptPassword.
                password = Encoding.Unicode.GetString(DecryptPassword(Convert.FromBase64String(password)));
                break;
            case MembershipPasswordFormat.Hashed:
                // One-way: a hash cannot be turned back into the password.
                throw new ProviderException("Cannot unencode a hashed password.");
            default:
                throw new ProviderException("Unsupported password format.");
        }
        return password;
    }

    http://www.koders.com/csharp/fidCA0761B28F4418A9FE92430A833D50C2637E1D20.aspx?s=login

  • Cameron 23 posts 42 karma points
    Aug 28, 2012 @ 05:32
    Cameron
    0

    I don't believe you can.

    The passwords are encrypted, and I think you can only check to see if a password matches what is stored as encrypted.

    Of course I could be wrong.

    What is it that you are trying to achieve?

  • wolf11th 7 posts 27 karma points
    Aug 28, 2012 @ 07:43
    wolf11th
    0

    But what does the following mean in the UmbracoMembershipProvider?

    enablePasswordRetrieval="true"

  • Cameron 23 posts 42 karma points
    Aug 28, 2012 @ 08:18
    Cameron
    0

    I believe that is related to the ASP membership provider.

    It would enable a user to retrieve their own password (or more likely reset) using standard ASP methods.

  • wolf11th 7 posts 27 karma points
    Aug 28, 2012 @ 08:30
    wolf11th
    0

    My question is simple: would it be possible to retrieve the clear text password?

  • Cameron 23 posts 42 karma points
    Aug 28, 2012 @ 09:00
    Cameron
    0

    I don't believe it is.

    Well, at least I hope it is not. Kind of goes against the whole idea of security.

  • DetonatorB 17 posts 40 karma points
    Jan 04, 2013 @ 13:58
    DetonatorB
    0

    Actually, it depends.

    You have the option to HASH your passwords (which is irreversible - you cannot retrieve the original password). If you use hashing, any password given by the user will be hashed and compared to the stored hash to determine if it was correct or not. In short: there is no way back from a hash to the original password.

    If you use ENCRYPTION, the password is -well- encrypted which means it IS possible to decrypt the password to the original if you have a secret key to do so.

    Both Umbraco (AFAIK version 4.0.2.1 up to 4.11.1) and the default ASP.NET membership providers use this mechanism.
    Which one you choose depends on what you set in the web.config:

    <membership defaultProvider="UmbracoMembershipProvider" userIsOnlineTimeWindow="15">
      <providers>
        <clear />
        <add name="UmbracoMembershipProvider" type="umbraco.providers.members.UmbracoMembershipProvider" enablePasswordRetrieval="true" RequiresUniqueEmail="false" enablePasswordReset="true" passwordFormat="encrypted" requiresQuestionAndAnswer="false" defaultMemberTypeAlias="Aangemeld" />
        <add name="UsersMembershipProvider" type="umbraco.providers.UsersMembershipProvider" enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="false" passwordFormat="encrypted" />
      </providers>
    </membership>

    I am not sure if both are needed.
    You put this stuff in the system.web element of your web.config.

  • Richard Browne 2 posts 72 karma points
    Jun 13, 2016 @ 15:52
    Richard Browne
    0

    In this case, where can I find the secret key to use in my decryption function?

  • DetonatorB 17 posts 40 karma points
    Jan 04, 2013 @ 14:03
    DetonatorB
    0

    Oh and:

    • You DO need both if you want this change for both the users and the members.
    • Remember that after this change, all your stored passwords are gibberish to the system and need to be reset.
      In the example I used it for both (clear text passwords are EVIL). This means that when I used the above settings, all my passwords were messed up.

    The way to do this:

    1. Log into umbraco BEFORE making this change (or revert to the old settings). Leave this window open or you're in pain.
    2. Change the web.config
    3. Change the admin password in the window you left open. You can still do this.

    Otherwise, you will be locked out.
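
A defender's check for the web.config settings discussed in this thread, as an added example that is not part of any post or of Umbraco's own code: it lists each membership provider and flags clear-text or reversible password storage and enabled password retrieval. The sample config is constructed from the provider entries quoted above plus a hypothetical `HardenedProvider`; matching attribute names and values case-insensitively is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the provider entries quoted in the thread,
# plus one hashed entry ("HardenedProvider", a made-up name) for contrast.
SAMPLE_CONFIG = """<configuration><system.web>
  <membership defaultProvider="UmbracoMembershipProvider">
    <providers>
      <clear />
      <add name="UmbracoMembershipProvider" enablePasswordRetrieval="true"
           enablePasswordReset="true" passwordFormat="encrypted" />
      <add name="UsersMembershipProvider" enablePasswordRetrieval="true"
           enablePasswordReset="true" passwordFormat="encrypted" />
      <add name="HardenedProvider" enablePasswordRetrieval="false"
           enablePasswordReset="true" passwordFormat="Hashed" />
    </providers>
  </membership>
</system.web></configuration>"""


def audit_membership(config_xml):
    """Return {provider name: [findings]} for every membership provider."""
    report = {}
    for membership in ET.fromstring(config_xml).iter("membership"):
        for add in membership.findall("providers/add"):
            # Assumption: attribute names and values are compared case-insensitively.
            attrs = {k.lower(): v.strip().lower() for k, v in add.attrib.items()}
            fmt = attrs.get("passwordformat")
            findings = []
            if fmt is None:
                findings.append("passwordFormat not set: confirm the provider default")
            elif fmt == "clear":
                findings.append("passwords stored in clear text")
            elif fmt == "encrypted":
                findings.append("passwords stored reversibly: anyone with the key can recover them")
            elif fmt != "hashed":
                findings.append("unknown passwordFormat '%s'" % fmt)
            if attrs.get("enablepasswordretrieval") == "true":
                findings.append("enablePasswordRetrieval is on: prefer reset over retrieval")
            report[add.get("name", "(unnamed)")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_membership(SAMPLE_CONFIG).items():
        print(name, "->", findings or ["ok"])
```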
