Asp.net membership password format value set to 1

Question

0.00/5 (No votes)

See more:

, +

I have a project to understand and modified. in this the developer is using asp.net membership provider for user registration purposes. I need to know which password encryption technique is using in this project.
My web.config file is this.

XML

<membership>
     <providers>
       <clear />
       <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
     </providers>
   </membership>

and in the sql database table in asp_membership the column passwordFormat is set to 1.

I have wrote another program to see that if i done this customize with sh1. but it did not return the matched value.
E.G

SQL

email; abc@gmail.com , Password: XD/9f1M211z5jv2LTazSrVgPyrc= , PasswordSalt: T3pit6T+AnxAEWFslVd5Lw==

here is my code

C#

protected void btn_register_Click(object sender, EventArgs e)
    {

        user_email = tbx_email.Text.Trim();
        user_password = tbx_password.Text.Trim();
        //string salt = CreateSalt(8);
        string salt = "T3pit6T+AnxAEWFslVd5Lw==";
        string haspassword = CreatePasswordHash(user_password, salt);
        db1.sqlcmd = new SqlCommand("usp_register_user");
        try{

            using (SqlDataAdapter sda = new SqlDataAdapter())
            {
                db1.sqlcmd.CommandType = CommandType.StoredProcedure;
                db1.sqlcmd.Parameters.AddWithValue("@email", user_email);
                db1.sqlcmd.Parameters.AddWithValue("@Password", haspassword);
                db1.sqlcmd.Parameters.AddWithValue("@PasswordSalt", salt);
                db1.sqlcmd.Parameters.Add("@success", SqlDbType.Bit);
                db1.sqlcmd.Parameters["@success"].Direction = ParameterDirection.Output;
                db1.sqlcmd.Connection = db1.sqlcon;
                db1.sqlcon.Open();
                db1.sqlcmd.ExecuteScalar();
                success = Convert.ToBoolean(db1.sqlcmd.Parameters["@success"].Value);
            }
        }
        catch (Exception ex)
        {
            Response.Write(ex.Message);
        }
        finally
        {
            if (success == true)
            {
                db1.sqlcon.Close();
                lbl_status.Text = "Ho Gya..";
                lbl_status.ForeColor = System.Drawing.Color.Green;
                lbl_status.Visible = true;
              
            }
            else
            {
                db1.sqlcon.Close();
                lbl_status.Text = "Nahi Huwa Yar.. Phr Try kro";
                lbl_status.ForeColor = System.Drawing.Color.Red;
                lbl_status.Visible = true;
            }
          
        }
    }

private static string CreatePasswordHash(string pwd, string salt)
    {
        string saltAndPwd = String.Concat(pwd, salt);
        string hashedPwd = FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPwd, "sha1");
        return hashedPwd;
    }

and now the result is this:

E.G

SQL

email; abc@gmail.com , Password: 57C0E8D97D5A3652320D0CA660526DD3A1E6C235 , PasswordSalt: T3pit6T+AnxAEWFslVd5Lw==

it should store this na;

SQL

email: abc@gmail.com , Password: XD/9f1M211z5jv2LTazSrVgPyrc= , PasswordSalt: T3pit6T+AnxAEWFslVd5Lw==

help me to Where did i go wring?

Posted 21-Oct-14 20:36pm

Muhammad Taqi Hassan Bukhari

Updated 21-Oct-14 21:15pm

v2

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Kornfeld Eliyahu Peter · Answer 1 · 2014-10-21T20:41:00

Solution 1

A little Google can get you so far....
http://msdn.microsoft.com/en-us/library/system.web.security.membershippasswordformat(v=vs.110).aspx[^]
http://referencesource.microsoft.com/#System.Web.ApplicationServices/Security/MembershipPasswordFormat.cs[^]

Posted 21-Oct-14 20:41pm

Kornfeld Eliyahu Peter

Comments

Muhammad Taqi Hassan Bukhari 22-Oct-14 2:49am

as my project is using hashing technique, but which hashing algo, on msdn it says hashAlgorithmType="SHA1" defines, but in my web.config there is no such parameter like this. then how could i trace this.

Kornfeld Eliyahu Peter 22-Oct-14 2:53am

You are really not using your keyboard...type with me! Google...Now search for hashAlgorithmType...Wow!!!
http://msdn.microsoft.com/en-us/library/1b9hw62f(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/system.web.security.membership.hashalgorithmtype(v=vs.110).aspx

Muhammad Taqi Hassan Bukhari 22-Oct-14 3:08am

thanks for your support ,
i had wrote the program to match the a user password by using sh1 with same salt value (picked from db). but it does not return the value.

Kornfeld Eliyahu Peter 22-Oct-14 3:11am

So? You better talk to us with code!!!

Kornfeld Eliyahu Peter 22-Oct-14 3:11am

Does it connected to the original question? or you just 'riding the wave'?

Muhammad Taqi Hassan Bukhari 22-Oct-14 3:15am

now see sir, i have updated the question with code also.

Kornfeld Eliyahu Peter 22-Oct-14 3:20am

Why do you do yourself the hashing? The membership provider does it alone already. Possible there is the problem - you password goes thru hashing twice, one for your and one for the membership provider...

Muhammad Taqi Hassan Bukhari 22-Oct-14 3:23am

Actually I have to convert this project in php and mysql. As there is not such membership class facility in php mysql. So, if i know the hashing algo i can easily move/insert these in MySQL.

Kornfeld Eliyahu Peter 22-Oct-14 3:39am

So I can't see what the problem - you have to compare the PHP's result with the ASP.NET provider's result...

Muhammad Taqi Hassan Bukhari 22-Oct-14 3:52am

yes, i have to convert the whole asp.net application to php. and in mysql have to update all these msql membership password manually in mysql.

Kornfeld Eliyahu Peter 22-Oct-14 3:54am

Why manually? If you have an existing database use export/import to keep it!

Muhammad Taqi Hassan Bukhari 22-Oct-14 3:59am

yes, this is also the option, but the problem comes when I have to authenticate at login.
get back the user's salt value.
then add to the password that user enters
create hashed of above two and then compare new hashed password with the stored hashed password.
as php, mysql is also not generating the same output using sh1. then it will not authenticate the valid user also.

Muhammad Taqi Hassan Bukhari 22-Oct-14 4:00am

more, if i get the plain password back in some way, i will be more happy.

Muhammad Taqi Hassan Bukhari 22-Oct-14 4:04am

Can I play with db, means set passwordFormat value to 0 that is clear. and get the password back in plain text? can this be possible?