Changing the password format
December 16, 2008
Posted by mcamail2002 in Uncategorized.
As web sites mature, administrators sometimes regret their original (and sometimes unintended) choice of passwordFormat for the AspNetSqlMembershipProvider: membership passwords may be stored in clear text when a hashed format is wanted, or vice versa. Microsoft's decision to hash by default in the AspNetSqlMembershipProvider was wise and conservative, but for many sites with minimal security requirements the password system can become cumbersome. Be clear about the direction of the change before starting, though: Hashed is the only format from which passwords cannot be recovered, Encrypted is reversible by anyone holding the site's machineKey, and Clear exposes every password to anyone who can read the aspnet_Membership table or a backup of it. By directly calling two of the aspnet_* stored procedures that the provider itself uses, it is possible to change the format of a membership record (take a backup of the membership tables first):
Note: if the current passwordFormat is "Clear" or "Encrypted", call Membership.Provider.GetPassword(userName, answer) to cache the original password before calling the stored procedures. That call only works while enablePasswordRetrieval="true", and when requiresQuestionAndAnswer="true" the member's actual password answer must be supplied. Hashed passwords cannot be cached this way.
1. Call the stored procedure aspnet_Membership_GetPasswordWithFormat (parameters @ApplicationName, @UserName, @UpdateLastLoginActivityDate = 0 and @CurrentTimeUtc) and read the current PasswordSalt from its single-row result set.
2. Call the stored procedure aspnet_Membership_ResetPassword to set PasswordFormat to its intended integer value: 0 = Clear, 1 = Hashed, 2 = Encrypted (the values of the MembershipPasswordFormat enumeration). Its parameters are readily available: @PasswordSalt (retrieved in step 1), @NewPassword (an empty string), @PasswordAnswer (NULL, so the stored answer is not checked), plus @ApplicationName, @UserName, @MaxInvalidPasswordAttempts, @PasswordAttemptWindow and @CurrentTimeUtc. A non-zero return value means the row was not updated (for example, the user was not found or is locked out).
At this point the membership record has been placed into an initialized (unusable) state: its password is empty and its stored PasswordAnswer, still encoded under the old format, can no longer be verified. If the original password was hashed, it too is unrecoverable. Now switch the provider's passwordFormat attribute in web.config to the new value (an "Encrypted" provider additionally requires an explicit, non-autogenerated decryptionKey in machineKey, otherwise it refuses to initialize). The provider methods listed below and described in previous sections then reset the credentials, and whatever they write is stored in the new password format (clear, encrypted or hashed).
1. Call the ResetPassword method to generate and retrieve a new random password. The second parameter (answer) is ignored when requiresQuestionAndAnswer is false in web.config; when it is true, ResetPassword insists on an answer that the record can no longer verify, so set it to false for the duration of the migration (enablePasswordReset must also be true).
2. Call the ChangePassword method, passing the now-current random password from the previous step as the old password, to set the password to the desired value. If the original password was cached at the start of the procedure, restore it here (it must still satisfy the provider's password-strength settings).
For passwords that were originally stored unhashed, the preceding steps change the passwordFormat with complete restoration of the original password.
The password answer can be read straight from the aspnet_Membership table at the outset if it was stored in clear text. For an encrypted password answer, a more involved approach using the provider's protected DecryptPassword method (which means deriving a class from SqlMembershipProvider) can be used to cache the original answer. If the original answer is available, restore it with a call to the ChangePasswordQuestionAndAnswer provider method once the password has been set.
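As an added example (not code from the original post), the two lists above, together with the optional question-and-answer restoration just described, as a C# helper for a single member. It assumes, as the post does not state, that the default provider is a SqlMembershipProvider whose connection string is registered under machine.config's default name "LocalSqlServer" and that the code runs inside the web application. Prepare runs while web.config still carries the old passwordFormat; Complete runs after web.config has been switched to the new passwordFormat with requiresQuestionAndAnswer="false":

```csharp
using System;
using System.Configuration;
using System.Configuration.Provider;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;

// Added example, not code from the original post. Prepare() runs while web.config still
// has the OLD passwordFormat; then edit web.config (new passwordFormat, and
// requiresQuestionAndAnswer="false"); then Complete() runs under the NEW format.
public static class PasswordFormatMigration
{
    // Assumed name of the provider's connection string (the machine.config default).
    const string ConnectionStringName = "LocalSqlServer";

    // Phase 1: cache the old password if it is recoverable, then run the two stored
    // procedures. Returns the clear-text password, or null when it was hashed.
    public static string Prepare(string userName, MembershipPasswordFormat newFormat)
    {
        MembershipProvider provider = Membership.Provider;
        // The post's Note: only Clear/Encrypted passwords can be read back, and only while
        // enablePasswordRetrieval="true"; with requiresQuestionAndAnswer="true" the member's
        // real answer would have to be passed instead of null.
        string original = null;
        if (provider.PasswordFormat != MembershipPasswordFormat.Hashed && provider.EnablePasswordRetrieval)
            original = provider.GetPassword(userName, null);

        string connStr = ConfigurationManager.ConnectionStrings[ConnectionStringName].ConnectionString;
        using (var conn = new SqlConnection(connStr))
        {
            conn.Open();
            DateTime now = DateTime.UtcNow;
            string salt;

            // Step 1: aspnet_Membership_GetPasswordWithFormat. Its single row is
            // (Password, PasswordFormat, PasswordSalt, ...) in the order the provider itself reads.
            using (var cmd = new SqlCommand("dbo.aspnet_Membership_GetPasswordWithFormat", conn) { CommandType = CommandType.StoredProcedure })
            {
                cmd.Parameters.Add("@ApplicationName", SqlDbType.NVarChar, 256).Value = provider.ApplicationName;
                cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
                cmd.Parameters.Add("@UpdateLastLoginActivityDate", SqlDbType.Bit).Value = false;
                cmd.Parameters.Add("@CurrentTimeUtc", SqlDbType.DateTime).Value = now;
                using (SqlDataReader rdr = cmd.ExecuteReader(CommandBehavior.SingleRow))
                {
                    if (!rdr.Read())   // no row: unknown user or locked-out account
                        throw new ProviderException("No membership row returned for " + userName);
                    salt = rdr.GetString(2);
                }
            }

            // Step 2: aspnet_Membership_ResetPassword with an empty password, the old salt, the new
            // format (Clear=0, Hashed=1, Encrypted=2) and a NULL answer so the stored answer is not
            // checked. Afterwards the row is in the "initialized" state the post describes.
            using (var cmd = new SqlCommand("dbo.aspnet_Membership_ResetPassword", conn) { CommandType = CommandType.StoredProcedure })
            {
                cmd.Parameters.Add("@ApplicationName", SqlDbType.NVarChar, 256).Value = provider.ApplicationName;
                cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
                cmd.Parameters.Add("@NewPassword", SqlDbType.NVarChar, 128).Value = string.Empty;
                cmd.Parameters.Add("@MaxInvalidPasswordAttempts", SqlDbType.Int).Value = provider.MaxInvalidPasswordAttempts;
                cmd.Parameters.Add("@PasswordAttemptWindow", SqlDbType.Int).Value = provider.PasswordAttemptWindow;
                cmd.Parameters.Add("@PasswordSalt", SqlDbType.NVarChar, 128).Value = salt;
                cmd.Parameters.Add("@CurrentTimeUtc", SqlDbType.DateTime).Value = now;
                cmd.Parameters.Add("@PasswordFormat", SqlDbType.Int).Value = (int)newFormat;
                cmd.Parameters.Add("@PasswordAnswer", SqlDbType.NVarChar, 128).Value = DBNull.Value;
                SqlParameter ret = cmd.Parameters.Add("@ReturnValue", SqlDbType.Int);
                ret.Direction = ParameterDirection.ReturnValue;
                cmd.ExecuteNonQuery();
                if ((int)ret.Value != 0)   // 0 = success; anything else left the row untouched
                    throw new ProviderException("aspnet_Membership_ResetPassword returned " + ret.Value);
            }
        }
        return original;
    }

    // Phase 2: web.config now has the new passwordFormat and requiresQuestionAndAnswer="false".
    // Restores the cached password (or sets a random one when nothing could be recovered) and, if a
    // question/answer pair is supplied, stores that in the new format too. Returns the final password.
    public static string Complete(string userName, string originalPassword, string question, string answer)
    {
        MembershipProvider provider = Membership.Provider;
        if (provider.RequiresQuestionAndAnswer)
            throw new InvalidOperationException("Set requiresQuestionAndAnswer=\"false\" for the migration");

        // Second list, step 1: a random password written in the new format; the answer is ignored.
        string temp = provider.ResetPassword(userName, null);

        // Second list, step 2: the intended value, which must satisfy the provider's password rules.
        string target = originalPassword ?? Membership.GeneratePassword(
            Math.Max(12, provider.MinRequiredPasswordLength), provider.MinRequiredNonAlphanumericCharacters);
        if (!provider.ChangePassword(userName, temp, target))
            throw new ProviderException("ChangePassword failed for " + userName);

        if (question != null && answer != null &&
            !provider.ChangePasswordQuestionAndAnswer(userName, target, question, answer))
            throw new ProviderException("ChangePasswordQuestionAndAnswer failed for " + userName);
        return target;
    }
}
```

Run Prepare for every member before editing web.config and keep its return values somewhere the second phase can read them; they are clear-text passwords, so protect that store and delete it when the migration is done. Then edit web.config and run Complete for every member. Complete's return value matters only when no original password could be recovered, in which case the member has to be told about the new credential or pointed at the self-service recovery described next.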
So, what can be done if the password and/or password answer had to be sacrificed for the new passwordFormat? One option is to reset everyone's credentials and send them by e-mail, bearing in mind that a password in an e-mail is readable by anyone who sees the message. Another is to place a notice on the web site that informs users and gives further instructions. Either way, the site should leverage the self-service membership controls that let members reset their own credentials. The following outlines the steps:
1. Assign a new arbitrary password using either the ResetPassword or ChangePassword provider method. Similarly, assign a new arbitrary password question and answer using the ChangePasswordQuestionAndAnswer provider method.
2. Since users will not know their new credentials, ensure the Login control sets the properties (PasswordRecoveryText and PasswordRecoveryUrl) that link to a page containing a PasswordRecovery control.
3. Recall that the PasswordRecovery control is driven by the provider settings in web.config. In particular, requiresQuestionAndAnswer must be false so the control does not prompt for a password answer; note that this means anyone who knows a user name can trigger a reset e-mail to the address on file, so the mailbox becomes the only thing protecting the account. Also ensure the SMTP settings (system.net/mailSettings/smtp) are specified in web.config so the e-mail can be sent. If the membership record uses a hashed password format, a new random password is generated and sent; otherwise the password you assigned in the previous step is retrieved and sent.
