We are creating a new site using ASP.NET membership provider for user registration and log in. Our old system encrypted user passwords so that we could recover them if we needed to.
I am having a great deal of trouble figuring out if it is possible to use ASP.NET membership functions to simply encrypt the password when the user registers and then unencrypt it so I can see it.
Documentation for this is nigh non-existent.
I know how to configure Web.config to have it store passwords as encrypted à la passwordFormat="Encrypted" in the provider and assigning a validationKey in the machineKey, however it seems like the password still gets hashed (though perhaps it is just well encrypted). Either way I cannot decipher how the password can be recovered (by us) if necessary.
Thanks!
Storing passwords in recoverable format is a very poor idea. If you can recover them so can anyone who breaks into your server.
You're better off using a standard hash+salt approach and having a password reset mechanism to handle the case where users forget their password.
You need to use passwordFormat="Encrypted" rather than passwordFormat="Hashed". Then you can use the DecryptPassword method of the MembershipProvider to decrypt the password when necessary.
Imports System
Imports System.Text
Imports System.Web.Security

' DecryptPassword is Protected on MembershipProvider, so it is exposed through a
' subclass of the provider. Decryption uses the decryptionKey from <machineKey>.
Public Class PasswordRecovery
    Inherits SqlMembershipProvider

    ' Takes the Base64 string stored in the Password column when passwordFormat="Encrypted"
    ' and returns the clear-text password.
    Public Function GetDecryptedPassword(ByVal password As String) As String
        Try
            Dim _encodedPassword() As Byte = Convert.FromBase64String(password)
            Dim _bytes() As Byte = DecryptPassword(_encodedPassword)
            If _bytes Is Nothing Then
                Return ""
            Else
                ' The provider prepends a 16-byte (&H10) random salt to the password
                ' bytes before encrypting, so skip it and decode the UTF-16 remainder.
                Return Encoding.Unicode.GetString(_bytes, &H10, _bytes.Length - &H10)
            End If
        Catch ex As Exception
            Throw New Exception("Error decrypting password.", ex)
        End Try
    End Function
End Class
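The two provider configurations discussed above, side by side, as an added example that is not from the original question or answers. Provider name, connection string name and the machineKey values are placeholders; generate real keys for a deployment.

```xml
<!-- Added example, not from the original answers; key values are placeholders. -->

<!-- (1) Reversible storage, as in the question. The provider AES-encrypts salt+password
     with decryptionKey, so anyone holding Web.config (or a backup of it plus the
     aspnet_Membership table) recovers every password. It is decryptionKey, not
     validationKey, that governs password encryption. -->
<system.web>
  <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
              decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
              validation="SHA1" decryption="AES" />
  <membership defaultProvider="SqlProvider">
    <providers>
      <clear />
      <add name="SqlProvider"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="MembershipDb"
           passwordFormat="Encrypted"
           enablePasswordRetrieval="true" />
    </providers>
  </membership>
</system.web>

<!-- (2) Recommended: salted one-way hash. The provider can verify and reset a password
     but never hand it back; enablePasswordRetrieval must be false with Hashed or the
     provider throws at initialization. -->
<system.web>
  <membership defaultProvider="SqlProvider" hashAlgorithmType="SHA1">
    <providers>
      <clear />
      <add name="SqlProvider"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="MembershipDb"
           passwordFormat="Hashed"
           enablePasswordRetrieval="false"
           enablePasswordReset="true"
           requiresQuestionAndAnswer="false" />
    </providers>
  </membership>
</system.web>
```

With Hashed, SqlMembershipProvider computes a single pass of the configured algorithm over the 16-byte salt and the password, not an iterated KDF, so keep the rest of the lockout and password-strength settings tight. Password reset then goes through ResetPassword and a token sent to the user rather than through retrieval.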