
Hashed passwords cannot be retrieved. Either set the password format to different type, or set enablePasswordRetrieval to false

I got some website and now I want to get the passwords.

I use it:

<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="TravelChamps"
             enablePasswordRetrieval="true"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6"
             minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/"
             />

And this error happens:

Configured settings are invalid: Hashed passwords cannot be retrieved. Either set the password format to different type, or set enablePasswordRetrieval to false.

If I use it:

<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="TravelChamps" enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" 
             minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/"             
             />

I get the following error:

An exception occurred retrieving your password: This Membership Provider has not been configured to support password retrieval.

I am totally confused.

Any suggestion where I can start to work around?

asked Jan 18 '12 22:01

Friend


4 Answers

If you want the passwords to be retrievable, or to get them as plain text (not encrypted), you must change some of the Membership configuration before you create the first user.

Perform the following tasks (this relates to ASP.NET):

1. In the file web.config, in the tag membership/providers/add, set the attributes:

enablePasswordRetrieval="true"
passwordFormat="Encrypted"

My settings:

<membership>
  <providers>
    <clear/>
    <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="maindb"
         enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
         maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
         applicationName="/" passwordFormat="Encrypted" />
  </providers>
</membership>

2. Generate the so-called validationKey and decryptionKey. You can do this with the .NET API:

My example:

using System.Security.Cryptography;
using System.Text;

public static class RNGCrypto_MachineKey
{
    // Returns bytelength cryptographically random bytes as an uppercase hex string.
    public static string getRandomKey(int bytelength)
    {
        byte[] buff = new byte[bytelength];
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        rng.GetBytes(buff);
        // Two hex characters per byte.
        StringBuilder sb = new StringBuilder(bytelength * 2);
        for (int i = 0; i < buff.Length; i++)
            sb.Append(string.Format("{0:X2}", buff[i]));
        return sb.ToString();
    }
}

generating:

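// 64 random bytes (128 hex characters), used below as validationKey
string key64 = RNGCrypto_MachineKey.getRandomKey(64);
// 32 random bytes (64 hex characters), used below as decryptionKey
string key32 = RNGCrypto_MachineKey.getRandomKey(32);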

3. Again, in the file web.config, put the following setting inside the tag system.web:

    <machineKey validationKey="paste here the key64 string" decryptionKey="paste here the key32 string" validation="SHA1"/>

(about machineKey on MSDN)

4. Now you can create users with passwords, and then you can get the plain password:

Membership.GetUser(username).GetPassword();

answered Nov 04 '22 13:11

Bronek


You can't get the passwords because they were never stored. (Specifically to ensure nobody could ever do exactly what you're trying to do.) The workaround is not to get the passwords.

answered Nov 04 '22 11:11

David Schwartz


As others have stated, the original password can't be retrieved, and you shouldn't typically provide a mechanism to recover passwords anyways (just reset them). However, if your goal is to reset the password to some known value, it can be done along these lines:

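// Look up the user; false means the last-activity timestamp is not updated.
MembershipUser usr = Membership.GetUser("username", false);
// ResetPassword() replaces the stored password with a generated one and returns it.
string resetPassword = usr.ResetPassword();
// Use the generated password as the old password to set the known value.
usr.ChangePassword(resetPassword, "yayiknowthepassword");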

answered Nov 04 '22 11:11

Shaun3180


To answer the question, you can use the method outlined in this link: Retrieving the users password

but I would never do such a thing as to make your users' information insecure. You should allow them to "reset" only, never retrieve. You should not see or be able to retrieve your users' passwords, and I would advise anyone against using your application or website due to this, but the method outlined in the link works.

answered Nov 04 '22 11:11

justinlabenne
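
As an added example (not code from any of the posts above), this Python audit reads a web.config and reports, for each membership provider, whether its passwordFormat and enablePasswordRetrieval combination is invalid, reset-only, or reversible. The sample configuration and its provider names are constructed; the values assumed when an attribute is absent (Hashed, retrieval off) are the SqlMembershipProvider defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the three provider configurations shown on this page,
# given distinct hypothetical names so they can sit in one file.
SAMPLE = """
<configuration><system.web><membership><providers>
  <add name="QuestionFirstTry" type="System.Web.Security.SqlMembershipProvider"
       enablePasswordRetrieval="true" enablePasswordReset="true" />
  <add name="QuestionSecondTry" type="System.Web.Security.SqlMembershipProvider"
       enablePasswordRetrieval="false" enablePasswordReset="true" />
  <add name="EncryptedAnswer" type="System.Web.Security.SqlMembershipProvider"
       enablePasswordRetrieval="true" passwordFormat="Encrypted" />
</providers></membership></system.web></configuration>
"""

def audit_membership(web_config_xml):
    """Return (provider name, verdict, reason) for each membership provider."""
    findings = []
    root = ET.fromstring(web_config_xml.strip())
    for add in root.iterfind(".//membership/providers/add"):
        # SqlMembershipProvider defaults: passwordFormat="Hashed",
        # enablePasswordRetrieval="false". Values are compared
        # case-insensitively in this sketch.
        fmt = add.get("passwordFormat", "Hashed").lower()
        retrieval = add.get("enablePasswordRetrieval", "false").lower() == "true"
        if fmt == "hashed" and retrieval:
            verdict = "INVALID"
            reason = "hashed passwords cannot be retrieved; provider rejects this"
        elif fmt == "hashed":
            verdict, reason = "OK", "one-way storage; users can only reset"
        elif fmt == "encrypted":
            verdict = "FAIL"
            reason = "reversible storage; database plus machineKey yields passwords"
            if retrieval:
                reason += "; GetPassword() is enabled"
        elif fmt == "clear":
            verdict, reason = "FAIL", "passwords stored as plain text"
        else:
            verdict, reason = "INVALID", "unrecognised passwordFormat value"
        findings.append((add.get("name", "(unnamed)"), verdict, reason))
    return findings

if __name__ == "__main__":
    for name, verdict, reason in audit_membership(SAMPLE):
        print(f"{verdict:7} {name}: {reason}")
```

The script assumes a web.config without an XML namespace on the configuration element.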