Erik Porter's Blog

Life and Development at Microsoft and Other Technology Discussions

    Secure Passwords

    Well-done article, IMO, on securing passwords in a database table. We've been doing this in all of our applications for a while now and it works great.

    Comments

    Jason Mauss said:

    I emailed him asking how you would retrieve the password for a user that forgot their password (so it could be emailed to them or something). It was not mentioned how to do this using the security method. I assume it's doable by using the hash value or something?
    # February 18, 2004 11:50 PM

    HumanCompiler said:

    I'm pretty sure it's NOT possible. That's what makes it so secure. Just have them change their password instead of e-mailing it to them or autogenerating a new one and e-mailing it to them. That's what we do...seems more secure.
    # February 18, 2004 11:52 PM

    Darrell said:

    Both SHA1 and MD5 are one-way hashes. You have to reset the password to a known value and have the user change the password on next login.

    Alternatively you can have a password hint that you show the user to help them remember the original password.
    # February 19, 2004 12:20 AM

    Jon Galloway said:

    You can also use T-SQL pwdencrypt() and pwdcompare() - http://scottcate.mykb.com/Article_46EB8.aspx and http://weblogs.asp.net/bdesmond/archive/2003/08/15/24177.aspx.

    It makes for simpler code, but there are some problems with it. The encryption's not that secure (http://www.theregister.co.uk/content/4/26086.html) and those functions are undocumented and thus subject to change.

    It'd be nice to have documented, supported versions of pwdencrypt and pwdcompare in Yukon (other than just saying "you've got the CLR now, write it yourself").

    Until then, the technique described in the article looks like the way to go.
    # February 19, 2004 4:10 PM

    TrackBack said:

    Take Outs: The Digital Doggy Bag of Blog Bits for 18th and 19th February 2004
    # February 20, 2004 4:12 AM

    Daniel Fisher(lennybacon) said:

    Check out http://www.aspheute.com/artikel/20040105.htm - it's a German article, but the code to generate the salt and the hash is separated from data access.

    Daniel Fisher(lennybacon)
    # February 26, 2004 11:55 AM

    Michael Giagnocavo said:

    I don't know why they don't use PasswordDeriveBytes. Also, the article doesn't mention iterations, which are key for increasing the strength against brute force for passwords. A P4 can calculate about 1 million hashes a second, which means a dictionary attack against a hash takes hardly any time.
    # March 18, 2004 8:21 PM
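The pieces discussed across this thread, as one added example (my code, not the article's or any commenter's): a per-user salted hash stored in a single database column, a forgot-password flow that resets rather than recovers (the one-way property Darrell and HumanCompiler describe), and the configurable iteration count Michael asks for. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of the article's .NET SHA1/MD5 hashing and the PasswordDeriveBytes class he mentions; the iteration count, the `iterations$salt$hash` column format and all function names are assumptions, not from the page.

```python
import hashlib
import hmac
import os
import secrets
import string

# Assumed work factor for new records; raise it as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """One-way derivation: given the hash there is no way back to the password.
    Iterations multiply the cost of every guess an attacker must make."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Create the stored form of a password: a fresh random salt per user, so
    two users with the same password get different hashes."""
    salt = os.urandom(SALT_BYTES)
    return {
        "salt": salt,
        "iterations": iterations,
        "hash": hash_password(password, salt, iterations),
        "must_change": False,
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    computed = hash_password(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(computed, record["hash"])


def reset_password(record: dict) -> str:
    """Forgot-password flow: the old password cannot be retrieved, so generate a
    random temporary one, store only its hash, and force a change at next login.
    The returned clear-text value is for one-time delivery to the user only."""
    alphabet = string.ascii_letters + string.digits
    temporary = "".join(secrets.choice(alphabet) for _ in range(16))
    record.update(make_record(temporary, record["iterations"]))
    record["must_change"] = True
    return temporary


def change_password(record: dict, current: str, new: str) -> bool:
    """Re-salt and re-hash on change; also clears the forced-change flag."""
    if not verify_password(record, current):
        return False
    record.update(make_record(new, record["iterations"]))
    record["must_change"] = False
    return True


def to_db_string(record: dict) -> str:
    """Assumed single-column format: iterations$salt_hex$hash_hex."""
    return f"{record['iterations']}${record['salt'].hex()}${record['hash'].hex()}"


def from_db_string(value: str, must_change: bool = False) -> dict:
    iterations, salt_hex, hash_hex = value.split("$")
    return {
        "salt": bytes.fromhex(salt_hex),
        "iterations": int(iterations),
        "hash": bytes.fromhex(hash_hex),
        "must_change": must_change,
    }


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print("stored:", to_db_string(rec))
    print("login ok:", verify_password(rec, "correct horse battery staple"))
    print("wrong pw:", verify_password(rec, "Tr0ub4dor&3"))
    temp = reset_password(rec)
    print("after reset, temp works:", verify_password(rec, temp),
          "| must change:", rec["must_change"])
    print("changed:", change_password(rec, temp, "a new passphrase"))
```

Because the iteration count is stored beside the salt, the application can raise `ITERATIONS` later and transparently re-hash each user on their next successful login without a migration; storing only `hash` means a database dump yields nothing a support process could e-mail back to the user, which is exactly why the flow resets instead of recovering.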