Problem changing password

[John]

Hi

I am trying to set a new password using the following code;

Dim u As MembershipUser = Membership.GetUser(UserName)
Dim OldPassword As String

OldPassword = u.GetPassword
If u.ChangePassword(OldPassword, Password) Then
ChangePassword = True
end if

The problem is that it gives me the following error on the line OldPassword
= u.GetPassword;

System.NotSupportedException: This Membership Provider has not been
configured to support password retrieval.
at System.Web.Security.SqlMembershipProvider.GetPassword(String username,
String passwordAnswer)
at System.Web.Security.MembershipUser.GetPassword()

What is the problem and how can I fix it? Ideally I don't want to have to
answer the security question.

Thanks

Regards

 

[Kevin Jones]

The default membership provider (look for the configuration in
<framework dir>/config/machine.config.comments) has
enablePasswordRetrieval="false"

It also has passwordFormat="hashed" and if you read the help for the
MembershipProvider class it will tell you GetPassword should throw an
exception if EnablePasswordRetrieval is true and password format is hashed.

So if you want to retrieve the password in the way you are you will need
to change the provider to enable retrieving thepassword *and* to turn of
hashing (note that turning off hashing will reduce security of the password)

Kevin Jones

 

[John]

Hi

I am using the AspNetSqlProvider but the site is hosted on a public hosting
company. Any way to override enablePasswordRetrieval="false" in application
configuration or any other way as I have no control over what host sets on
their servers? If this is not possible, any way to set a new password
without knowing the old one?

Thanks

Regards

 

[Kevin Jones]

You can add the provider data to your own web.config file, something like

<membership defaultProvider="AspNetSqlMembershipProvider"
userIsOnlineTimeWindow="15" hashAlgorithmType="">
<providers>
<clear />
<add connectionStringName="LocalSqlServer"
enablePasswordRetrieval="true" enablePasswordReset="true"
requiresQuestionAndAnswer="true" applicationName="/"
requiresUniqueEmail="false" passwordFormat="Encrypted"
maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1"
passwordAttemptWindow="10"
passwordStrengthRegularExpression=""
name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>

See the MembershipProvider help for use of the PasswordFormat property
and how it affects your processing,

Kevin Jones

 

[John]

Thanks. I have set enablePasswordRetrieval="true" and
passwordFormat="Encrypted" in the web.config of my app. Now I am getting the
following error on the line; Dim newUser As MembershipUser =
Membership.CreateUser(Username, Password, Email)

You must specify a non-autogenerated machine key to store passwords in the
encrypted format. Either specify a different passwordFormat, or change the
machineKey configuration to use a non-autogenerated decryption key.

What is the problem?

Thanks

Regards

 

[Juan T. Llibre]

re:

What is the problem?

If you store encrypted passwords, you can't use autogenerated decryption keys.

Change the machineKey configuration to use a non-autogenerated decryption key,
if you want to use encrypted passwords.

You can use this nifty, free, utility written by Peter Bromberg
to generate your validation and decryption keys:

http://www.eggheadcafe.com/articles/GenerateMachineKey/GenerateMachineKey.aspx

Just write any word/phrase of your choosing and click the "generate" button.
Then, copy the result into your web.config.