Decrypting an ‘Encrypted’ password from ASP.NET 2.0 Membership

I have a requirement to decrypt the Encrypted (not Hashed) passwords located in my aspnet_Membership table. In that database I see the Password (Encrypted) and PasswordSalt fields, and I can look at my web.config to find the machineKey > decryptionKey (validation="SHA1" decryption="AES").

Note: I would love to use Hashed passwords, but for business reasons I need to be able to use the password for a Member, for SSO into and from other remote systems, hence using Encrypted (definitely NOT using Clear – yukky!)

Given all that, surely there is a way to retrieve the password as Clear, plain and readable text, i.e. decrypted, but I’m having real trouble finding any website, or answer on stackoverflow (and I’m looking at all the “similar questions” and “question with similar titles” here) that explains how this can be done.

I’ve found the MembershipProvider.DecryptPassword Method page, but I still cannot work out how to actually use this in my code. I’ve also found other pages, via Google, but most examples of password decryption don’t appear to take the salt and decryptionKeys into account.

Does anyone have a straightforward example of selecting the password, passwordSalt and decryptionKey from their respective locations, and using them to decrypt an ASP.NET 2.0 Membership Encrypted password?

Answers:


Method 1

Create a class that inherits from SqlMembershipProvider, and in it you can call the decrypt method.

All the code you need for this can be found in this article by Naveen Kohli:

After looking through the code in Reflector, I saw that Microsoft's provider decrypts in two steps. The encrypted password is actually a Base64 conversion of encrypted data. So first it converts it back from Base64 and then calls the DecryptPassword method. I just did the easiest thing: copied the code from the Microsoft implementation, removed all the checks it was doing and then used it. The following class is an example of a class derived from SqlMembershipProvider with a method that just returns me the password in clear text for a given encrypted password.

using System;
using System.Text;
using System.Web.Security;

namespace MembershipPasswordRecover
{
    public class NetFourMembershipProvider : SqlMembershipProvider
    {
        // DecryptPassword is protected on MembershipProvider, hence the derived class.
        public string GetClearTextPassword(string encryptedPwd)
        {
            // The stored Password column is Base64 of the encrypted bytes.
            byte[] encodedPassword = Convert.FromBase64String(encryptedPwd);
            byte[] bytes = this.DecryptPassword(encodedPassword);
            if (bytes == null)
            {
                return null;
            }
            // The first 0x10 (16) bytes are the salt; the rest is the UTF-16 password.
            return Encoding.Unicode.GetString(bytes, 0x10, bytes.Length - 0x10);
        }
    }

    class Program
    {
        static void Main(string[] args)
        {
            var passwordManager = new NetFourMembershipProvider();
            var clearPwd = passwordManager.GetClearTextPassword("encryptedpasswordhere");
            Console.WriteLine(clearPwd);
        }
    }
}
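The stripped-down class above skips 16 bytes but never checks them. SqlMembershipProvider.EncodePassword encrypts the 16 PasswordSalt bytes followed by the UTF-16 password, so after decryption that prefix must match the row's PasswordSalt column; if it does not, the wrong machineKey/decryptionKey was used and the "password" is garbage. The following is an added example, not code from the original answer or from Naveen Kohli's article; the class name CheckedMembershipProvider, the two-argument GetClearTextPassword and the placeholder column values are my own, and it assumes the web.config machineKey section is available to the process (for a console app, copied into app.config under system.web).

```csharp
using System;
using System.Text;
using System.Web.Security;

namespace MembershipPasswordRecover
{
    // Derived provider (DecryptPassword is protected) that also verifies the
    // decrypted salt prefix against the PasswordSalt column of the same row.
    public class CheckedMembershipProvider : SqlMembershipProvider
    {
        // PasswordSalt is 16 random bytes, stored Base64-encoded.
        private const int SaltLength = 16;

        public string GetClearTextPassword(string encryptedPwd, string passwordSalt)
        {
            byte[] decrypted = DecryptPassword(Convert.FromBase64String(encryptedPwd));
            if (decrypted == null || decrypted.Length < SaltLength)
            {
                return null;
            }

            // Layout is Encrypt(salt || UTF-16LE(password)); compare the salt part.
            byte[] expectedSalt = Convert.FromBase64String(passwordSalt);
            for (int i = 0; i < SaltLength; i++)
            {
                if (decrypted[i] != expectedSalt[i])
                {
                    throw new InvalidOperationException(
                        "Decrypted salt prefix does not match PasswordSalt; " +
                        "check that decryptionKey matches the key used to encrypt.");
                }
            }
            return Encoding.Unicode.GetString(decrypted, SaltLength, decrypted.Length - SaltLength);
        }
    }

    class Program
    {
        static void Main()
        {
            // Placeholders: substitute the Password and PasswordSalt values
            // selected from the aspnet_Membership row.
            string password = "<Password column value>";
            string passwordSalt = "<PasswordSalt column value>";
            var provider = new CheckedMembershipProvider();
            Console.WriteLine(provider.GetClearTextPassword(password, passwordSalt));
        }
    }
}
```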


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
