Security Noob here.
I am trying to move from asp.net membership to Umbraco membership. But using passwordFormat="Encrypted" seems to encrypt differently between the Umbraco membership provider and Microsoft's SQL membership provider.
If I register two users with the SQL membership provider (with passwordFormat="Encrypted") - the encoded passwords are different. If I do the same with the Umbraco provider they're the same.
While all the strings decrypt to the same thing (the correct password) - I apparently can't use the passwords encrypted by the SQL membership provider in the umbraco DB (ValidateUser fails).
Anyone have any ideas?
Note: I'm using the same machineKey on both sites.
Edit: Calling EncryptPassword() and EncodePassword() on the Umbraco membership provider gives different results - and EncodePassword is the correct one to call. But EncodePassword isn't available on the .NET Membership provider. This was another part of my confusion.
The passwords may be different because they are salted. Check out the PasswordSalt column in the membership database, it should be a Base64 string.
The Umbraco passwords are hashed using the System.Security.Cryptography.HMACSHA1 class. I'm guessing you could hash the SQL membership users passwords with HMACSHA1 and call it good.
See Add User with hashed password for more details.
Related
I am currently working on a project in which I am rewriting an old (late 1990s) web application in ASP.NET. Part of this application is a user authentication system, which is used to access a couple of pages on the site. The user credentials (username, password, etc.) are stored in a database table.
This is all pretty standard, but while working with this database I found, to my horror, that this data is stored in plaintext.
I am wondering what the best way would be to improve the security of this insecure system. Is there an easy method of taking the plaintext data, encrypting (or hashing) it, and reinserting it? Can I use .NET Forms Authentication to facilitate any of this, and is it a good option for user authentication in the new app?
Thanks!
If you are on a Windows network, I'd use Windows Auth, which uses Active Directory. That would allow your Systems Admin group/person to administer who has access to the application.
Forms Auth is a good idea if Windows Auth won't work for you.
If they won't give you the time to implement either of the auth frameworks, I'd definitely encrypt the passwords on the database. Write a Console app and encrypt the passwords using information found here: Encrypt and decrypt a string
Then you'd need to modify your existing app to check encrypted passwords instead of plaintext ones.
I have multiple websites and a Windows app that share the same database. Is there a way that I can manage the database username and password across all web.configs and app.configs? I'd like to be able to change the username and password, and then have all websites and apps use the new name. Is there something that I can use that will automate this? I currently store the username and password in a connection string.
You may have to write some custom code in your Windows app to support it, but ASP.NET Membership will let you share usernames and passwords among multiple apps.
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
ASP.NET membership supports facilities for:
Creating new users and passwords.
Storing membership information (user names, passwords, and supporting
data) in Microsoft SQL Server, Active Directory, or an alternative
data store.
Authenticating users who visit your site. You can authenticate users
programmatically, or you can use the ASP.NET login controls to create
a complete authentication system that requires little or no code.
Managing passwords, which includes creating, changing, and resetting
them . Depending on membership options you choose, the membership
system can also provide an automated password-reset system that takes
a user-supplied question and response.
Exposing a unique identification for authenticated users that you can
use in your own applications and that also integrates with the ASP.NET
personalization and role-management (authorization) systems.
Specifying a custom membership provider, which allows you to
substitute your own code to manage membership and maintain membership
data in a custom data store
Also, see this SO question for some additional info.
Keep the user name and password in the registry.
Build the connection string on the fly using a class
All web sites and Apps should have the same class
By the way, the registry is more secure than the web config.
I want to learn how to use authentication in your web appliction specially using some algorithm to encode your password so that it may be verified through a DB/file.
can someone share any project link???
asp.net has a built-in membership infrastructure. It allows you to create users, roles, profiles and also save data to DB and use hashed passwords, so you don't need to handle all of that yourself.
Here is a reference to anything and everything you will ever want or need to know about asp.net membership:
https://web.archive.org/web/20211020202857/http://www.4guysfromrolla.com/articles/120705-1.aspx
What's the ideal way to store login and password for LDAP membership providers in the web.config?
Having the login and password stored in the provider under connectionUsername/connectionPassword attributes does not go well with me because, I would want to encrypt the connection string later on.
Don't have much experience with this, and was wondering if anyone had any best practices on this.
Microsoft has tools built into the Framework for encrypting/decrypting sections of your Configuration files:
Encrypting and Decrypting Configuration Sections
And here's a walkthrough:
Walkthrough: Encrypting Configuration Information Using Protected Configuration
I'm in the process up changing a single SQL DB website (ASP.NET/VB.NET) into a multitenant app, where each client has their own database.
In the old site, all the ASP roles, logins and providers pointed to the single database.
Now we have multiple databases, I'm wondering what would the best architecture/techniques to use. There is one database that configures the tenants, such as the company name, various settings (that would normally be in a web.config) and the connection string to their tenant database.
Should we have all the membership & role stuff in the single database that configures the tenants or do we have membership & roles in each individual tenants database? Option 2 seems tricky because I think ASP.NET only likes one set of RoleProviders defined in the web.config.
Has anyone tried this before or got any recommendations?
If you're using the ASP.Net Membership model with the built-in providers' then putting them into one DB is the easiest as you indicated.
One option, and I've not tried this, is to define in your web.config file a provider for each tenant. This would allow each tenant to have their own membership db, and allow you to avoid username collisions between the tenants (if this is a requirement).
You should be able to configure the the ASP.NET membership database connection string at runtime. This thread has a few options including a custom membership provider or changing the value early on in the request lifecycle via Global.asax.cs.