Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
433 views
in Technique[技术] by (71.8m points)

passwords - C# ChangePassword Hashing issue

I have a website with Roles and Memberships enabled.

When a user has a hashed password the following code works:

 public void ChangePassword_OnClick(object sender, EventArgs args)
        {
            // Update the password.
            // The current user was determined on page load.
            try
            {
                if (u.ChangePassword(OldPasswordTextbox.Text, PasswordTextbox.Text))
                {
                    Msg.Text = "Password changed.";
                }
                else
                {
                    Msg.Text = "Password change failed. Please re-enter your values and try again.";
                }
            }
            catch (Exception e)
            {
                Msg.Text = "An exception occurred: " + Server.HtmlEncode(e.Message) + ". Please re-enter your values and try again.";
            }
        }

However I inherited this database where most of the passwords are in the clear. In the clear with PasswordFormat set to 0, the above code snippet works.

If I use a SQL query to set the PasswordFormat to 1 (for hashed) the above code snippet does not work. This makes sense in that the Password is not a hashed value. Running through the above code snippet just says the text for failure.

How do I:

  1. Hash the clear password to fix the database and set PasswordFormat = 1
  2. Or offer to reset the password and generate a new one where I can hash the password in the database?

I could create a new user and when I do, the password is properly hashed. I just don't want to have to go through the database and re-create user's just because I can't hash their password. I have no idea what creates the PasswordSalt.

To be clear I could leave it as clear text for our users but per Microsoft .Net documentation I should never do that.

My Web.config in the root of the project has:

 <membership defaultProvider="DefaultMembershipProvider" userIsOnlineTimeWindow="20">
      <providers>
        <add name="DefaultMembershipProvider" 
type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=2.0.0.0, 
Culture=neutral, 
PublicKeyToken=31bf3856ad364e35" 
connectionStringName="DefaultConnection" 
enablePasswordRetrieval="false" 
enablePasswordReset="true" 
requiresQuestionAndAnswer="false" 
requiresUniqueEmail="false" 
maxInvalidPasswordAttempts="5" 
minRequiredPasswordLength="6" 
minRequiredNonalphanumericCharacters="0" 
passwordAttemptWindow="10" 
applicationName="/" />
      </providers>
    </membership>
question from:https://stackoverflow.com/questions/65837370/c-sharp-changepassword-hashing-issue

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)
Waitting for answers

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...