Reputation: 3257
I have an MVC 4 web application that requires users to log in. Most of the users don't have email accounts. If someone forgot his password, how do I reset it? All the reset password systems I find require some sort of email account. I just want something simple, such as resetting it to a default password, and the user can change his password once he logs on using that default password. The problem is the password is encrypted in SQL Server. I can't find a tool that encrypts passwords.
Upvotes: 0
Views: 486
Reputation: 79
First off, the most widely used authentication implementations go to considerable lengths to prevent user credentials being stored in a reversible (i.e. plain text, or something that could be encrypted) format. Instead, you should hash & salt plain-text credentials and compare with a stored value.
Next, to securely reset a user's credentials you need to authenticate them through some other means. This is, as you mention, most commonly achieved through email, but if this isn't possible you should look at other out-of-band methods of authentication: perhaps send the user an SMS with a one-time code, or make them answer a series of security questions. Once you have validated the user's identity, force them to set a new password and override your stored hash for the user.
Upvotes: 1
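The flow described in the answer above, as an added C# example that is not part of the original posts: passwords are stored as salted hashes, and a reset uses a short-lived one-time code instead of a shared default password. `UserRecord`, `PasswordReset` and their members are hypothetical names; PBKDF2-SHA256, the 15-minute expiry and the code length are assumptions, and the `HashAlgorithmName` overload assumes .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Security.Cryptography;

public class UserRecord {                  // hypothetical row in the users table
    public byte[] Salt, PasswordHash;      // salted PBKDF2 output, never the password
    public byte[] ResetCodeHash;           // hash of the one-time code, never the code
    public DateTime ResetExpiresUtc;
}

public static class PasswordReset {        // hypothetical helper, not a framework API
    const int Iterations = 100000, SaltLen = 16, HashLen = 32;
    static byte[] RandomBytes(int n) {
        var b = new byte[n];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(b);
        return b;
    }
    static byte[] Derive(string secret, byte[] salt) {
        using (var kdf = new Rfc2898DeriveBytes(secret, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashLen);
    }
    static bool SlowEquals(byte[] a, byte[] b) {   // no early exit on first mismatch
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void SetPassword(UserRecord u, string password) {
        u.Salt = RandomBytes(SaltLen);             // fresh salt on every change
        u.PasswordHash = Derive(password, u.Salt);
    }
    public static bool VerifyPassword(UserRecord u, string attempt) =>
        SlowEquals(Derive(attempt, u.Salt), u.PasswordHash);

    // Call only after the user's identity was checked out-of-band; deliver the code the same way.
    public static string IssueResetCode(UserRecord u) {
        string code = BitConverter.ToString(RandomBytes(5)).Replace("-", "");  // 10 hex chars
        u.ResetCodeHash = Derive(code, u.Salt);
        u.ResetExpiresUtc = DateTime.UtcNow.AddMinutes(15);
        return code;
    }
    public static bool RedeemResetCode(UserRecord u, string code, string newPassword) {
        bool ok = u.ResetCodeHash != null && DateTime.UtcNow <= u.ResetExpiresUtc
                  && SlowEquals(Derive(code, u.Salt), u.ResetCodeHash);
        u.ResetCodeHash = null;                    // single use, even after a wrong guess
        if (ok) SetPassword(u, newPassword);       // overwrite the stored hash
        return ok;
    }
}
```

Because the code is cleared on any redemption attempt and expires on its own, a leaked or guessed value is far less useful than a default password that every reset account shares.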