passwordAnswer as Encrypted

Nov 1, 2012 at 5:32 AM

How can I have or set the passwordAnswer field in an encrypted/non-readable/hashed format, just like the password field?

Thanks

Coordinator
Nov 1, 2012 at 1:52 PM

Unfortunately the standard SQLMembershipProvider doesn't hash the passwordAnswer field - so if you'd like to do that you'll have to create your own custom membership provider.

I simply don't use the requiresQuestionAndAnswer setting, as Microsoft's implementation of it doesn't allow an administrator to reset the password if this is turned on.

Nov 1, 2012 at 4:14 PM

Yep.

So let's say I have a custom page and I want to verify a passwordAnswer from the UI against the hashed value in the database, how would I do that? Convert the clear text to a hash for comparison? Is there an API method I can use?

Thanks.

Coordinator
Nov 1, 2012 at 4:21 PM

I'd probably create a new MembershipProvider that inherits from SQLMembershipProvider. Then you could just override any methods that take passwordAnswer as a parameter and hash its value. And while you're at it, you could modify it to not require the passwordAnswer to reset a user's password.

Alternatively, instead of creating a custom membership provider, you could update the stored procedures on aspnetdb to do the hashing there.

Nov 1, 2012 at 4:47 PM

Which hashing is used, MD5? Do you maybe have sample code I can look at?

Coordinator
Nov 1, 2012 at 5:36 PM
Edited Nov 1, 2012 at 5:36 PM

Actually Microsoft has released the code for it - so you can check out how they hash the existing passwords and use it to make customizations. Here's the link:

http://download.microsoft.com/download/a/b/3/ab3c284b-dc9a-473d-b7e3-33bacfcc8e98/ProviderToolkitSamples.msi

Nov 1, 2012 at 7:37 PM

Thanks. The code in the release helped out and it's working. Thank you.