June 4, 2012 at 7:14 am
I want to select the password from the aspn_membership (.NET membership tables) and decrypt it.
Any idea how to do that?
June 4, 2012 at 7:54 am
You cannot do that. The point of a hash is a one way function applied to a password. It's possible there are multiple passwords that could hash to the same value.
You can set a new password and get a new hash.
June 4, 2012 at 8:47 am
Steve Jones - SSC Editor (6/4/2012)
You cannot do that. The point of a hash is a one way function applied to a password. It's possible there are multiple passwords that could hash to the same value. You can set a new password and get a new hash.
See my updated question, please.
June 4, 2012 at 9:13 am
First, please don't edit the question to change it as it then wrecks the flow of the discussion. If you have a follow-up, ask it. If you have a different question, then start a new thread.
In terms of decryption, how is the password stored in the table? I am not sure what you are referencing here as there are multiple frameworks that might use a table by that name.
Likely it's a hash, and then there is no decryption. Hashing uses a one way function, which by definition, does not allow decryption.
June 4, 2012 at 9:28 am
To continue on what Steve is saying, a hashed password is never unencrypted to its original value.
What happens is a potential password is hashed, and the two hashes can then be compared. This makes it very secure, because the password is never transmitted...only the hash of the passwords.
Here's a very basic example of what happens...if the "false" method is returned, the login stuff says something like "invalid username or password".
-- hash of the known phrase
DECLARE @val varbinary(max)
SELECT @val = HashBytes('SHA1','MySecret Phrase')
-- hash the phrase being tested and compare the two hashes
SELECT
  CASE
    WHEN @val = HashBytes('SHA1','MyOther Phrase')
    THEN 'True'
    ELSE 'FALSE'
  END
So the only thing you can do is reset the password to a new, known password if you need the password to be a known value.
Lowell
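The compare-and-reset flow described in this thread, as an added example that is not part of any poster's reply: it extends the snippet above with a per-user salt and the "set a new password" step. The table and column names are hypothetical (not the ASP.NET membership schema), the phrases are constructed sample values, and `SHA2_256` assumes SQL Server 2012 or later.

```sql
-- Constructed sample table; names are hypothetical, not the ASP.NET membership schema.
DECLARE @Users TABLE (
    UserName     nvarchar(50)  PRIMARY KEY,
    PasswordSalt varbinary(16) NOT NULL,
    PasswordHash varbinary(32) NOT NULL
);

-- Registration: store a random salt and the hash, never the password itself.
-- A single salted SHA2_256 pass keeps this in plain T-SQL; it illustrates
-- verify-by-rehash and is not a tuned password-hashing scheme.
DECLARE @salt varbinary(16) = CRYPT_GEN_RANDOM(16);
INSERT INTO @Users (UserName, PasswordSalt, PasswordHash)
VALUES (N'alice', @salt,
        HASHBYTES('SHA2_256', @salt + CAST(N'MySecret Phrase' AS varbinary(200))));

-- Login check: re-hash each attempt with the stored salt and compare the hashes.
-- The first attempt returns 'True', the second 'False'.
SELECT a.Attempt,
       CASE WHEN u.PasswordHash =
                 HASHBYTES('SHA2_256', u.PasswordSalt + CAST(a.Attempt AS varbinary(200)))
            THEN 'True' ELSE 'False' END AS LoginOk
FROM @Users AS u
CROSS JOIN (VALUES (N'MySecret Phrase'), (N'MyOther Phrase')) AS a(Attempt)
WHERE u.UserName = N'alice';

-- Forgotten password: there is nothing to read back, so write a new salt and a new hash.
DECLARE @newSalt varbinary(16) = CRYPT_GEN_RANDOM(16);
UPDATE @Users
SET PasswordSalt = @newSalt,
    PasswordHash = HASHBYTES('SHA2_256', @newSalt + CAST(N'NewKnown Phrase' AS varbinary(200)))
WHERE UserName = N'alice';
```

Run it as a single batch, since the table variable and the salt variables are scoped to the batch.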
June 4, 2012 at 9:35 am
There is simply no valid reason to read stored passwords. Even if it were possible, providing the capability to do so would create a huge security risk.
Drew
J. Drew Allen
Business Intelligence Analyst
Philadelphia, PA
June 4, 2012 at 10:12 am
drew.allen (6/4/2012)
There is simply no valid reason to read stored passwords. Even if it were possible, providing the capability to do so would create a huge security risk. Drew
Very true, and this is why hashes are stored.
If a process or person can't remember the password, set a new one. If you can read an old one, then you are asking to potentially have someone making changes under another user's account.