
Adding security question/answer check to ASP.NET *ChangePassword* control

I want to add the security question and answer security feature to the
ChangePassword control. I am aware that this functionality is built into the
PasswordRecovery tool. I have implemented the PasswordRecovery with a
Password reset required; a temporary password is sent to the account on
file. I want an extra layer of security to accommodate the very unlikely
contingency that someone's e-mail account is compromised. Challenging with
the user's security question and answer will address this contingency.

Put another way, this is the setup I want:
1) User requests password reset
2) email is sent with temp password
3) user's/username's Membership info is evaluated, if comment ==
"UserResetPasswordMustChange" user is sent to password change form
4) User changes password using an augmented ChangePassword control that
evaluates an answer against the user's security question on file.

I have completed items 1-3.

I have extended other login controls by exposing the templates, playing
around with FindControl, and writing functions on the OnWhatever events, so
I am familiar with the basic concepts involved in extending the
functionality of these things.

In the case of a ChangePassword control I imagine I will want to inspect the
answer to the security question on file during the
ChangePassword1_ChangingPassword event and e.Cancel it in the event that the
answer is incorrect.

I don't know how exactly to do this comparison, especially since the answers
to the security questions are hashed. Somehow in code I would need to do a
comparison of the cryptographic "fingerprints" of the user's input vs. the
hashed answer on file.

Any help out there? Somewhere someone has written a tutorial on how to do
all of the above, I'm sure, but even a few snips of code would probably set
me on my way.

Thanks!

Aug 15 '08 #1
Hi Ken,

From your description you want to get the security answer in the
ChangingPassword event handler of the ChangePassword control. You're using
ASP.NET membership, the provider is
System.Web.Security.SqlMembershipProvider and the passwordFormat is Hashed,
which is the default setting. If my understanding is wrong please correct
me.

If so it's not that easy to retrieve the password answer. If you want to do
so I suggest you write a custom provider. You can refer to the source
code of System.Web.Security.SqlMembershipProvider. In its ResetPassword
method it calls base.EncodePassword to encode the password answer and then
calls a stored procedure aspnet_Membership_ResetPassword to reset the
password. You can encode the password answer in the same way and compare it
with the password answer stored in the database.

The above workaround is a bit complex. Here I would suggest you use a
tricky one:
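The following is an added example (not part of the original thread and not Microsoft's provider code) of what "encode the password answer in the same way and compare it" means in practice for the default configuration. It assumes SqlMembershipProvider with passwordFormat="Hashed" and the default hashAlgorithmType of SHA1, where, as I understand the provider source, the answer is trimmed, lower-cased with the invariant culture, and hashed as SHA1(salt bytes || UTF-16LE answer bytes) with the result stored Base64-encoded next to the Base64 PasswordSalt column. The class name, method names and the sample answer are all invented for the example; confirm the scheme against your own provider's configured hashAlgorithmType and a row from aspnet_Membership before relying on it.

```csharp
// Added example: re-creates the Hashed/SHA1 answer encoding of SqlMembershipProvider
// (assumption: default hashAlgorithmType="SHA1", passwordFormat="Hashed").
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public static class MembershipAnswerCheck
{
    // Encode a candidate answer with the stored salt the way the provider does at
    // CreateUser / ResetPassword time: trim, invariant lower-case, SHA1(salt || UTF-16 answer), Base64.
    public static string EncodeAnswer(string answer, string base64Salt)
    {
        if (answer == null) throw new ArgumentNullException("answer");
        string normalized = answer.Trim().ToLower(CultureInfo.InvariantCulture);
        byte[] salt = Convert.FromBase64String(base64Salt);
        byte[] input = Encoding.Unicode.GetBytes(normalized);   // UTF-16LE, as the provider uses
        byte[] all = new byte[salt.Length + input.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(input, 0, all, salt.Length, input.Length);
        using (SHA1 sha1 = SHA1.Create())
        {
            return Convert.ToBase64String(sha1.ComputeHash(all));
        }
    }

    // Compare in fixed time so the response time does not reveal how much of the
    // candidate hash matched the stored one.
    public static bool AnswerMatches(string candidate, string base64Salt, string storedEncodedAnswer)
    {
        byte[] a = Encoding.UTF8.GetBytes(EncodeAnswer(candidate, base64Salt));
        byte[] b = Encoding.UTF8.GetBytes(storedEncodedAnswer ?? string.Empty);
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    // 16 random bytes, Base64-encoded, the shape of the provider's PasswordSalt column.
    public static string NewSalt()
    {
        byte[] salt = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        return Convert.ToBase64String(salt);
    }

    public static void Main()
    {
        // Constructed sample: what would have been stored when the account was created.
        string salt = NewSalt();
        string stored = EncodeAnswer("Fluffy", salt);

        // True: the provider's normalisation makes the answer check trim- and case-insensitive.
        Console.WriteLine(AnswerMatches("  fluffy ", salt, stored));
        // False: a different answer produces a different hash.
        Console.WriteLine(AnswerMatches("Fluffy the cat", salt, stored));
    }
}
```

Two caveats go with a hand-rolled comparison like this. First, it bypasses the provider's own bookkeeping: a wrong answer passed to ResetPassword increments the failed-answer counter and can lock the account after maxInvalidPasswordAttempts, whereas this code counts nothing, so the caller has to rate-limit or lock on its own. Second, reading PasswordAnswer and PasswordSalt straight from aspnet_Membership ties you to one provider and one hashing configuration; if hashAlgorithmType is ever changed, the comparison silently starts failing for every user.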

<asp:ChangePassword DisplayUserName="true" ID="ChangePassword1" runat="server"
    OnChangingPassword="ChangePassword1_ChangingPassword">
    <ChangePasswordTemplate>
        <table border="0" cellpadding="4">
            <tr>
                <td>
                    <table border="0" cellpadding="0" style="font-family: Verdana;">
                        <tr>
                            <td align="center" colspan="2"
                                style="color: White; background-color: #1C5E55; font-weight: bold;">
                                Change Your Password</td>
                        </tr>
                        <tr>
                            <td align="center" colspan="2" style="color: Black; font-style: italic;">
                                Enter your username and old password.
                            </td>
                        </tr>
                        <tr>
                            <td align="right">
                                <asp:Label AssociatedControlID="UserName" ID="UserNameLabel"
                                    runat="server">User Name:</asp:Label>
                            </td>
                            <td>
                                <asp:TextBox ID="UserName" runat="server"></asp:TextBox>
                                <asp:RequiredFieldValidator ControlToValidate="UserName"
                                    ErrorMessage="User Name is required." ID="UserNameRequired"
                                    runat="server" ToolTip="User Name is required."
                                    ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
                            </td>
                        </tr>
                        <tr>
                            <td align="right">
                                <asp:Label AssociatedControlID="CurrentPassword" ID="CurrentPasswordLabel"
                                    runat="server">Password:</asp:Label>
                            </td>
                            <td>
                                <asp:TextBox ID="CurrentPassword" runat="server" TextMode="Password">
                                </asp:TextBox>
                                <asp:RequiredFieldValidator ControlToValidate="CurrentPassword"
                                    ErrorMessage="Password is required." ID="CurrentPasswordRequired"
                                    runat="server" ToolTip="Password is required."
                                    ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
                            </td>
                        </tr>
                        <tr>
                            <td align="right">
                                <asp:Label AssociatedControlID="NewPassword" ID="NewPasswordLabel"
                                    runat="server">New Password:</asp:Label>
                            </td>
                            <td>
                                <asp:TextBox ID="NewPassword" runat="server" TextMode="Password">
                                </asp:TextBox>
                                <asp:RequiredFieldValidator ControlToValidate="NewPassword"
                                    ErrorMessage="New Password is required." ID="NewPasswordRequired"
                                    runat="server" ToolTip="New Password is required."
                                    ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
                            </td>
                        </tr>
                        <tr>
                            <td align="right">
                                <asp:Label AssociatedControlID="ConfirmNewPassword"
                                    ID="ConfirmNewPasswordLabel" runat="server">Confirm New Password:
                                </asp:Label>
                            </td>
                            <td>
                                <asp:TextBox ID="ConfirmNewPassword" runat="server" TextMode="Password">
                                </asp:TextBox>
                                <asp:RequiredFieldValidator ControlToValidate="ConfirmNewPassword"
                                    ErrorMessage="Confirm New Password is required."
                                    ID="ConfirmNewPasswordRequired" runat="server"
                                    ToolTip="Confirm New Password is required."
                                    ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
                            </td>
                        </tr>
                        <tr>
                            <td align="center" colspan="2">
                                <asp:CompareValidator ControlToCompare="NewPassword"
                                    ControlToValidate="ConfirmNewPassword" Display="Dynamic"
                                    ErrorMessage="The confirm New Password must match the New Password entry."
                                    ID="NewPasswordCompare" runat="server"
                                    ValidationGroup="ChangePassword1">
                                </asp:CompareValidator>
                            </td>
                        </tr>
                        <tr>
                            <td align="center" colspan="2" style="color: Red;">
                                <asp:Literal EnableViewState="False" ID="FailureText" runat="server">
                                </asp:Literal>
                            </td>
                        </tr>
                        <tr>
                            <td>
                                Question:<asp:Label ID="Label1" runat="server" Text="question"
                                    onload="Label1_Load"></asp:Label>
                                <br />
                                Answer: <asp:TextBox ID="PasswordAnswer" runat="server"></asp:TextBox>
                                <%-- A RequiredFieldValidator (a CompareValidator with nothing to compare
                                     against never fires) in the same ValidationGroup as the button, so an
                                     empty answer is rejected before the postback. --%>
                                <asp:RequiredFieldValidator ID="PasswordAnswerRequired" runat="server"
                                    ControlToValidate="PasswordAnswer"
                                    ErrorMessage="Please input the answer!"
                                    ValidationGroup="ChangePassword1"></asp:RequiredFieldValidator>
                                <br />
                            </td>
                        </tr>
                        <tr>
                            <td align="right">
                                <asp:Button BackColor="White" BorderColor="#C5BBAF" BorderStyle="Solid"
                                    BorderWidth="1px" CommandName="ChangePassword" Font-Names="Verdana"
                                    ForeColor="#1C5E55" ID="ChangePasswordPushButton" runat="server"
                                    Text="Change Password" ValidationGroup="ChangePassword1" />
                            </td>
                            <td>
                                <asp:Button BackColor="White" BorderColor="#C5BBAF" BorderStyle="Solid"
                                    BorderWidth="1px" CausesValidation="False" CommandName="Cancel"
                                    Font-Names="Verdana" ForeColor="#1C5E55" ID="CancelPushButton"
                                    runat="server" Text="Cancel" />
                            </td>
                        </tr>
                    </table>
                </td>
            </tr>
        </table>
    </ChangePasswordTemplate>
</asp:ChangePassword>

using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

protected void ChangePassword1_ChangingPassword(object sender, LoginCancelEventArgs e)
{
    ChangePassword cp = sender as ChangePassword;
    // The template's controls live under the template container, so look them up there.
    Control container = cp.ChangePasswordTemplateContainer;
    TextBox newpassword = container.FindControl("NewPassword") as TextBox;
    TextBox passwordanswer = container.FindControl("PasswordAnswer") as TextBox;
    Literal failureText = container.FindControl("FailureText") as Literal;

    try
    {
        // DisplayUserName="true" on the control, so cp.UserName is the name the user
        // typed; the original post hard-coded "test" here. Use the correct one in your case.
        MembershipUser user = Membership.GetUser(cp.UserName);
        if (user == null)
        {
            // Same message as for a wrong answer, so the form does not reveal which names exist.
            failureText.Text = "Incorrect!";
            e.Cancel = true;
            return;
        }

        // ResetPassword throws MembershipPasswordException when the answer is wrong;
        // that is the check. A correct answer leaves the account with a new
        // auto-generated password, which we must replace with the user's choice.
        string autogeneratedpassword = user.ResetPassword(passwordanswer.Text);
        if (user.ChangePassword(autogeneratedpassword, newpassword.Text))
        {
            // Password successfully changed. You can show a message here.
            failureText.Text = "Done!";
        }
        else
        {
            // The account is now on the auto-generated password, which the user does
            // not know, so they must go through password recovery again.
            failureText.Text = "The new password was rejected; please request a new password reset.";
        }
    }
    catch (MembershipPasswordException)
    {
        // The password answer is incorrect (the provider also counts this attempt
        // towards maxInvalidPasswordAttempts).
        failureText.Text = "Incorrect!";
    }
    catch (ArgumentException)
    {
        // The provider rejects a new password that breaks its length/complexity rules by throwing.
        failureText.Text = "The new password was rejected; please request a new password reset.";
    }
    // Cancel the control's own processing since we've already changed the password.
    e.Cancel = true;
}

From the above code you can see I called the MembershipUser.ResetPassword method
again. This is used to validate the password answer that is input by the
user. If the exception is thrown we know the password answer is
incorrect.

Please let me know if it works. Looking forward to your test result.

Regards
Allen Chen
Microsoft Online Support

--------------------
| From: "Ken Fine" <ke*****@newsgroup.nospam>
| Subject: Adding security question/answer check to ASP.NET *ChangePassword* control
| Date: Thu, 14 Aug 2008 21:55:21 -0700
| Newsgroups: microsoft.public.dotnet.framework.aspnet

Aug 15 '08 #2
Hi Ken,

Is this problem solved? Please feel free to let me know if you need further
assistance.

Regards,
Allen Chen
Microsoft Online Support

Aug 25 '08 #3
