Question

We are converting an ASP site (using DotNetNuke) to a new PHP site. The only thing we have right now is a full export of the existing database. One of the tables is called "aspnet_Membership" and contains the following fields:

  • Password (looks like base64)
  • PasswordFormat (always value 2)
  • PasswordSalt (looks like base64)
  • PasswordQuestion (always empty)
  • PasswordAnswer (always empty)

We would like to decode these passwords and hash them to fit our own framework. From what I understand from the .NET documentation, these kinds of passwords can be decrypted. Is there an algorithm available that can do this, or is it more complicated than that? Will it be possible if we create an ASP script on the current server?

Thanks in advance


Solution

I think 2 means "Encrypted", not "Hashed" (see the definition here)

Encrypted means you can actually decrypt it but you will need the machine key stored in configuration files (take a look at the link I sent) of the physical machine where these passwords were created. If you have only a copy of the database, then you can't do it.

OTHER TIPS

Unfortunately, your value of 2 in PasswordFormat tells us that these passwords are hashed, presumably using SHA1 (you can check this in your web.config). There's no way to reliably get the original password back, sorry.

*edit: unless you're aware of a specific cryptographic weakness in the particular hashing function, of course.
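As an added example (not from either answer above), this Python sketch triages rows of an `aspnet_Membership` export by `PasswordFormat`, using the `System.Web.Security.MembershipPasswordFormat` values (Clear = 0, Hashed = 1, Encrypted = 2), and shows how a format-1 row can be verified at login so the password can be rehashed into the new framework. Assumptions: the hashed layout is the SHA1 provider setting, base64(SHA1(salt || UTF-16LE password)); the block-alignment check is a heuristic; the function names and sample rows are constructed for illustration.

```python
import base64
import hashlib
import hmac

# System.Web.Security.MembershipPasswordFormat values
FORMATS = {0: "Clear", 1: "Hashed", 2: "Encrypted"}

def legacy_hash(password, salt_b64):
    # Assumed SHA1 provider setting: base64(SHA1(salt || UTF-16LE(password)))
    salt = base64.b64decode(salt_b64, validate=True)
    digest = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")

def verify_legacy_hashed(candidate, row):
    """Check a login attempt against a format-1 row so it can then be rehashed."""
    return hmac.compare_digest(legacy_hash(candidate, row["PasswordSalt"]), row["Password"])

def triage(row):
    """Return (format name, migration action) for one aspnet_Membership row."""
    fmt = FORMATS.get(int(row["PasswordFormat"]), "Unknown")
    if fmt == "Unknown":
        return fmt, "unrecognised format: force a password reset"
    if fmt == "Clear":
        return fmt, "rehash now with the new framework's password hash"
    blob = base64.b64decode(row["Password"], validate=True)
    if fmt == "Hashed":
        return fmt, "one-way: keep Password and PasswordSalt, verify at next login, then rehash"
    # Heuristic (assumption): 3DES/AES output is a multiple of 8 bytes.
    if len(blob) % 8 != 0:
        return fmt, "blob is not block-aligned: check the export before relying on this format"
    return fmt, "needs the machineKey from the original server; without it, force a password reset"

# Constructed sample rows (not real data).
SALT = base64.b64encode(bytes(range(16))).decode("ascii")
HASHED_ROW = {"PasswordFormat": 1, "PasswordSalt": SALT,
              "Password": legacy_hash("Correct-Horse-1", SALT)}
ENCRYPTED_ROW = {"PasswordFormat": 2, "PasswordSalt": SALT,
                 "Password": base64.b64encode(bytes(32)).decode("ascii")}

if __name__ == "__main__":
    for row in (HASHED_ROW, ENCRYPTED_ROW):
        print(triage(row))
    print(verify_legacy_hashed("Correct-Horse-1", HASHED_ROW))
```

A 20-byte SHA1 digest is not a multiple of 8, so a format-2 row that fails the alignment check is worth inspecting by hand; a 32-byte blob is ambiguous by length alone.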

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow