I'm using the FOSUserBundle on a Symfony project, and I would like to know if, when a user changes his password, I can have access to his former password. The one he's supposed to enter in the "current password" field.
I have a system of encryption on my project, and it's partially based on the user's password, that's why I need it, to update the user's encryption settings.
I created a listener when the user changes his password but I don't know how to get his former password. Or current password, whatever.
Thank you for your help !
Short answer: NO. If user won't give you his current password by typing it in form it's impossible to guess his password.
Only option to have access to current user's password is when password is stored in database in plain text which is rather not the case.
The way passwords are stored in db usually is by using hashing function which are designed to be impossible to invert - you are able to hash your password but you can't unhash it.
In theory you could try to use Rainbow tables but it's not something you could use in regular way on every passwprd change because it's very CPU heavy.
encrypt the new password.
compare the hash of the new password and the hash password in the database.
Related
I browse but didn't got proper solution.i am working on asp.net membership all i want to do is to retrieve user password when user apply for forgot password for condition 1. i want password to be in encrypted format in database and 2. retrieve password in decrypted format.is it possible.
Normally, encrypted passwords would be stored using a one way hash. This means
that the password cannot be decrypted once it is stored. Many authentication systems
work by taking the password ( of the user trying to authenticate ), encrypting
it using the same one way hash function as was used to store the password in the
database, and then doing a string comparison in order to determine if the
resulting encrypted password matches the one that exists in the database.
How are you determining if the user requesting the password is actually
the owner of the account ? Perhaps you can clarify your question with details
of the environment so that we may offer alternative solutions.
Use PasswordRecoveryControl
But anyhow it's not advisable to send password in plain text format.
I am using the ChangePassword web control in order to change the user password. my provider is using hashed password, and I am want to keep using it.
just wanted to know if there is a way to compare the current password the user entered with the old password in the DB.
You can use Membership.ValidateUser method, that returns true or false, depending on whether the entered password - in your case the new password - is the same as the old password.
http://msdn.microsoft.com/en-us/library/system.web.security.membership.validateuser.aspx
hash the current password and compare it.. thats how it is ususally done
This question already has an answer here:
Closed 12 years ago.
Possible Duplicate:
sending to an email with contact form asp.net
How to send email from ASP.NET page using C# as for forget password, password will be automatically emailed to the alternate id. I need how is it possible to send email from ASP.NET page using C#.
There is no shortage of articles and tutorials on this.
Side note: Being able to email the user their password implies that you're storing their password in plain text. Please, please don't do that. Passwords should be stored in an encrypted form. If the user forgets their password, email them a temporary link for them to reset their password.
You could use the SmtpClient class to send an email in a .NET application.
What you are suggesting sounds like a security risk. It is inadvisable to send a password through email, since this assumes your are storing the plain text password somewhere. Since you should only know the salted hash of the password, you probably want to make the user reset their password instead.
I suppose if you still have some reason to send an email you can check out an extensive tutorial here to start. Seriously though, You can compromise all of your users security if you are not hashing there passwords, and even more so if you are emailing them out.
The short answer is, as stated above (+1'd btw), to use the SmtpClient class.
However, it's dangerous to go emailing passwords around. As a rule of thumb:
Don't send passwords in clear text
Don't store passwords in clear text
When storing a password (if you don't have some framework that does all this for you)
Create a salt
Append the salt to the password
Hash the resulting string
Store the salt and resulting hash
Discard the password
When authenticating, add the salt to
the newly provided password, hash the
resulting string, and compare to your
stored hash
If a user has forgotten their password, send that user an email containing a one-time use, time-sensitive (expires in 1 hour?), unique-link to reset his/her password. It's also a good practice to require the user to manually provide his/her account name or other identifying criteria on the password-reset form.
I store the customers passwords in DB using encryption.
When the customer edits his personal data (including the password) the passwords are shown as *****
How can i understand that the use change his password so write to DB without encrypted again and again.
I mean that the value in password field is the encrypted value. If dont change the password must update with the same value (or not update at all)
If user change password to 1234 I must encrypt the 1234 and write to DB the encrypted value
Thanks
Don't send the md5 hashed string from the DB back. Set up three fields:
Old password
New password
New password again
Then check if the first field after md5 hashing is equal to the stored one in the DB. If it is, hash the second field and store it. (Only if the second and third is equal)
You should require entering both old and new password when user wants to change it.
That way, you can encode the old password, check if the encoded value is the same as in the database. If it is the same, then the you should update the password in db with encoded new password. If it is not the same (or old password is empty) you do not update.
This helps you to distinguish between password change and settings-only change. You also gain a some level of security, as if someone have captured the session of your user, he cannot change his password without also capturing is original password.
A few points:
MD5 is a hashing algorithm, you will never be able to reverse the hash and that's the point.
Don't use MD5 as it has been cracked, use an SHA2+ Hash Algorithm (SHA256 for example)
Simply confirm the password with the "old password" by hashing the old password against the one in the database.
Another option is resetting the password, which will email their confirmed (hopefully) contact email with the new password.
If they're logged into the system already, you should not need to "confirm" the old password again.
Never send the hashed password back from the database, it is kind of defeating the purpose of what you are trying to accomplish.
I am very new to web application (ASP.NET). I have source code and database for a complete project.
ASP.NET (Authentication) control is used for login. I don't know the password right now but i can get the login name and password in encrypt format from the database table.
How could I login to the application with only this little information available.
As the control are dynamically created on the pages, it is very hard to debug and find them on runtime.
How could i proceed for login by encrypted password? or is there a way to login by overcoming Authentication control.
The password is probably SHA1 encrypted. Basically what you have to do is SHA1 encrypt the password the user gives you and compare that to the password in your database. Because SHA1 always results to the same thing if the input is the same, you will know that the users given password is correct if both hashes match.
SHA1 encryption is a form of hashing and cannot be reversed.
No, hashed passwords in the database are non-reversible intentionally. This keeps anyone (a hacker?) from reading your database and being able to log in.
As Sam152 said, the passwords are likely SHA1 hashed, so if the passwords are not stored with salt, you can build a rainbow table to find the original password. If they are salted, you need to know the salt to build the rainbow table as well.
You could try implementing custom MembershipProvider by derriving from this class. Then you just override method ValidateUser to meet your requirements. Also remember to modify Web.config.
The point of hashed passwords is that a they can't be used by folks not knowing the decrypted password.
There should be a way to reset the password for users. You could do this and log in based on the reset password.
If you are trying to log in to an active user's account, you may want to consider the implications in doing so without their knowledge (if that is the case). However, if it is just a test user, reseting the password is probably the least cumbersome way. That functionality or procedure should probably be part of web app anyway.
If it's the standard ASP.NET membership stuff, I think it uses a stored proc to check the DB. Just change that and have it return true or whatever.
Adding to the above answers SHA1 encryption output is 40 byte. You should check the length of the encrypted password to get an idea about the kind of encryption..since hash algorithm has predefined no of output bytes, this would help you map with the kind of algorithm and then you should look for possibile salt usage as #MattGWagner said...is the tables in database that stores user information seems like aspnet_users,aspnet_membership, etc? Then this should be the standard authentication provided by windows..Just google and see how it works