Im using an asp.net mvc 3 project. I want to be able to email a users password to them if they submit their username in RecoverPassword page.
How can i do that?
Thanks
Its best to store the password in your database as a hash so it can never be reversed. If they forget their password, best thing to do is let them reset it, rather than telling them what the old one is.
Don't do that. Storing passwords in plain text is insecure.
Related
I'm using asp.net membership for users accounts, user password is encrypted and stored on to the sql database as a user registers , the problem I'm having it when the user forgets the password I can't get it right when trying to retrieve it from the database, I have no idea how I can reverse the encryption.I'd appreciate the help.
You can't. By default the passwords are saved as a salted SHA1 hash, you can't "decrypt" such a hash.
It would be bad practice to save passwords in a fashion that allows you to view them, no matter which algorithm you would be using for that. Just create some logic to enable a user to reset his or her password, instead of trying to retrieve the original password.
If you have an ASP.NET MVC 5 site configured without email confirmation, how can a password reset be performed by an administrator?
I can write a console app which resets the password in the database, but that seems inefficient. Also, the old aspnet_Membership_ResetPassword sproc has no counterpart in the new identity system.
I'm not sure I understand what you're trying to achieve. You still have to get the password to the user somehow, so will you be emailing them a generated password instead of the standard "follow a link in a email to a page that lets you pick a new password" approach?
Also, are you talking about specifically resetting one user's password or resetting all user passwords. If the latter, then a console app is the way to go. If the former, you can simply add a view to some backend that's only accessible to admins that let's them perform this function for a specific user.
As far as generating some random password goes, you're on your own there, but a simple web search should turn up plenty of methods to choose from.
Word to the wise, though, the email confirmation approach is standard for a reason. It provides a relatively secure way to allow a user to regain access to their account when they can't remember their password. It's most important feature, though, is that it forces the user to actually change their password, whereas with a provided password, random or not, users will actually use that password, rather than take the time to manually change it after logging in - especially with password managers these days. That means if you sent that password via email, or wrote it on a sticky or whatever, you now have a huge gaping security hole.
I have an ASP.NET MVC 3 application in which I want to set
requestValidationMode="4.0"
and all areas of the website were a normal user has access have
ValidateInput(true)
SoI basically html encode all user input and save it encoded in the database. (The site is not meant to work without javascript)
My question is
How should I treat the signup, log in and change password functionality ?
Obviously I want to allow the user to insert whichever password he/she wants so,
Is it ok if for the password field I do html encode on the client and then html decode on the server, before saving the password in the database ?
Thank you
Given that passwords aren't ever likely to be displayed in cleartext (or even stored), XSS shouldn't be a concern for passwords.
You can decorate the password property(ies) of your (view) model with [AllowHtml]
I can't think of a reason why the password would need to be echoed back to the client from the server, so the Html sanitization step shouldn't be necessary? (Do password rules validation on the client)
Troy Hunt discusses this here.
I'm new to web security so I don't want to implement my own. I plan to use SimpleMembership via the VS2012 template for an ASP.NET MVC Internet Application. The problem is that I need to pass the data via a Web API.
I plan to use basic authentication for my Web API, so I just need to pass username/pass in the http headers. I can intercept the message using Thinktecure.IdentityModel. Here's an example that uses ASP.NET Membership:
authConfig.AddBasicAuthentication((userName, password) =>
Membership.ValidateUser(userName, password));
I can replace Membership.ValidateUser with my own bool function. I've successfully queried my custom database with username/password and everything worked fine. However, I'm using the template's user database because I DON'T want to store string (or even encoded) passwords.
I am unclear on how to manually validate the credentials using the SimpleMembership's database. I can grab a UserProfile, but can't figure out how to check the profile's password.
UserProfile user = context.UserProfiles.Find(1);
==OUTPUT==
user
UserId: 1
UserName: "bob"
Do you know how I can check if an inputted password matches that of an existing user?
Thanks for your help!
Why you are not using Membership.ValidateUser? This is not restricted to just ASP.NET Membership assuming you have your [InitializeSimpleMembership] (here) attribute in the correct places or have executed the logic inside it yourself elsewhere, and you have the correct references to WebMatrix etc you can still just call Membership.ValidateUser and it will use SimpleMemberships Validate user.
If you wanted to go to the database yourself, and assuming you are using hashed password etc then this article is probably going to help as you are going to need to hash your inputed password before selecting it out, the rest of which is just writing some EF or (any other db access method) to select from the User table where the username and hashed passwords match. But I can think of no obvious reason to do this as Membership.ValidateUser will do all this for you.
As the title says: how can I use the Restful Authentication Plugin with Ruby on Rails. When I want to create a new user, it requires me to set the (wrong-named, confusing field) login (= username), email address and password. However, I want, like Facebook does, to require the user to enter only an email address and password, not a username. People will also login with this email address.
Can anyone help me?
Can you hash the email to a unique user-name and just never expose the field to the user?
Restful Authentication includes generators that set up your models and migrations. You're free to edit those as you see fit.
You would just need to edit the validations in the User model for the login field. I'm not sure if the default users table migration include :null=>false for the login field, but that's a simple fix as well.
Set the username and email to the same value?
What BlueRaja says, or use authlogic, which can easily be modified to support what you are trying to achieve.
Also, if you're going to do this, why not go the next step and support OpenId? It's available as an addon to authlogic.
I forked a version of restful auth and modified it to not use usernames. Not thouroughly tested with all options but it passes the tests. Check it out if you want: https://github.com/jamiequint/restful-authentication