I want to get an user's password value from users Collection.I can get all Documents except the password.What would cause and
i need check old password When users want to change their password with new.How can I do?
User passwords are safely encoded with bcrypt according to industry best practices. That means you cannot "unencode" them.
If you want users to change their password, use Accounts.changePassword.
If your users have forgotten their passwords, you can use Accounts.resetPassword.
Related
I'm using the FOSUserBundle on a Symfony project, and I would like to know if, when a user changes his password, I can have access to his former password. The one he's supposed to enter in the "current password" field.
I have a system of encryption on my project, and it's partially based on the user's password, that's why I need it, to update the user's encryption settings.
I created a listener when the user changes his password but I don't know how to get his former password. Or current password, whatever.
Thank you for your help !
Short answer: NO. If user won't give you his current password by typing it in form it's impossible to guess his password.
Only option to have access to current user's password is when password is stored in database in plain text which is rather not the case.
The way passwords are stored in db usually is by using hashing function which are designed to be impossible to invert - you are able to hash your password but you can't unhash it.
In theory you could try to use Rainbow tables but it's not something you could use in regular way on every passwprd change because it's very CPU heavy.
encrypt the new password.
compare the hash of the new password and the hash password in the database.
I need to send a mail to a umbraco user(member) with a password remind.
I work with umbraco.cms.businesslogic.member.Member class:
Member member = Member.GetMemberFromLoginName(userName);
string password = member.Password;
But when I look into this password apparently is a "coded"(crypted) password, not the "clear" one..
Is there a way to obtain a "clear" password ?
The passwords are hashed (and quite possibly salted) during account creation. The website doesn't know what the plaintext password is - it only can compare the hash (one-way cryptographic function, in theory irreversible) of what user inputed into password box with the stored hash.
The "forgot password" should verify owner of the account and send an e-mail with password reset link. Sending plaintext passwords emails is a huge security violation, as users often reuse their passwords on multiple sites, and gaining access to users email would expose password that can be tried on hundreds upon hundreds of different websites/systems.
Hopefully not.
It is very bad practice to store passwords in a way that allows for them to be recovered.
What you can do instead of "password reminder" is "password reset": Send them an email with a link that allows them to reset their password. Protected by some unique number that expires after a few hours and can only be used once.
I browse but didn't got proper solution.i am working on asp.net membership all i want to do is to retrieve user password when user apply for forgot password for condition 1. i want password to be in encrypted format in database and 2. retrieve password in decrypted format.is it possible.
Normally, encrypted passwords would be stored using a one way hash. This means
that the password cannot be decrypted once it is stored. Many authentication systems
work by taking the password ( of the user trying to authenticate ), encrypting
it using the same one way hash function as was used to store the password in the
database, and then doing a string comparison in order to determine if the
resulting encrypted password matches the one that exists in the database.
How are you determining if the user requesting the password is actually
the owner of the account ? Perhaps you can clarify your question with details
of the environment so that we may offer alternative solutions.
Use PasswordRecoveryControl
But anyhow it's not advisable to send password in plain text format.
I am using the ChangePassword web control in order to change the user password. my provider is using hashed password, and I am want to keep using it.
just wanted to know if there is a way to compare the current password the user entered with the old password in the DB.
You can use Membership.ValidateUser method, that returns true or false, depending on whether the entered password - in your case the new password - is the same as the old password.
http://msdn.microsoft.com/en-us/library/system.web.security.membership.validateuser.aspx
hash the current password and compare it.. thats how it is ususally done
A customer of ours complained about login password recovery using plain text password. The only workaround I know is auto-login with encripted username and passord in the query string.
What other options exist to increase the password recovery security?
Thanks.
You can send them a URL that lets them reset the password themselves.
You could create a database table that stores, at the very minimum, a user id and a hash value.
Send the user a link that includes the hash, and on the receiving page look up the associated information and allow the user to reset the password to the account. Which I'm hoping you store in the database as a hash value. Plain text passwords should never be stored or sent out.
Just be sure that the link either expires or is deactivated once the password is changed. Otherwise someone could visit that link whenever they want and change the password.
Along the same lines as Brandon's excellent answer, here is what we do:
Do not store passwords in plain text, or even a decryptable value. Always store passwords using a 1-way hashing algorithm. This means only the user can ever know what the plain-text password is.
When a user forgets their password, present them with a form where they enter their email address, and click submit.
When they submit their email address, create a table row with 2 major pieces: The first is a password reset token (we use a Guid for this). The token should be timestamped, so that you know when it was created, and when it expires (ours expire within 2 hours of submission). The second piece is a secret code that the user will have to enter in order to reset their password.
Send an email to the user, with a link to a page that will accept the token and secret code. When they click the link (or visit the page and enter the code manually), you can then present them with a page that lets them change their password without knowing its previous value.
Using a time-constrained token is a good idea, because if the user's email account is later compromised, the criminals can't use the email to reset the password -- assuming of course that the email account is not compromised within 2 hours of the password reset request.
I wouldn't send out the actual password of the account in plain text to the user's email address. The reason for this is because if someone hacked the users email address now they have their actual password. Most likely this password will be used for other systems as well.
The alternative is to send an encrypted querystring that links to that user and allow them to change their password based on some sort of security question or demographics you have specific to that user.
Facebook uses a matching of friends images to names. If you have their DOB and address you could use that (not that secure). Or you could set up specific security question and answers which would be better.