Adding security question/answer check to ASP.NET *ChangePassword* control

  • Ken Fine

    Adding security question/answer check to ASP.NET *ChangePassword* control

    I want to add the security question and answer security feature to the
    ChangePassword control. I am aware that this functionality is built into the
    PasswordRecovery tool. I have implemented the PasswordRecovery with a
    Password reset required; a temporary password is sent to the account on
    file. I want an extra layer of security to accommodate the very unlikely
    contingency that someone's e-mail account is compromised. Challenging with
    the user's security question and answer will address this contingency.

    Put another way, this is the setup I want:
    1) User requests password reset
    2) email is sent with temp password
    3) user's/username's Membership info is evaluated, if comment ==
    "UserResetPasswordMustChange" user is sent to password change form
    4) User changes password using an augmented ChangePassword control that
    evaluates an answer against the user's security question on file.

    I have completed items 1-3.

    I have extended other login controls by exposing the templates, playing
    around with FindControl, and writing functions on the OnWhatever events, so
    I am familiar with the basic concepts involved in extending the
    functionality of these things.

    In the case of a ChangePassword control I imagine I will want to inspect the
    answer to the security question on file during the
    ChangePassword1_ChangingPassword event and e.Cancel it in the event that the
    answer is incorrect.

    I don't know how exactly to do this comparison, especially since the answers
    to the security questions are hashed. Somehow in code I would need to do a
    comparison of the cryptographic "fingerprints" of the user's input vs. the
    hashed answer on file.

    Any help out there? Somewhere someone has written a tutorial on how to do
    all of the above, I'm sure, but even a few snips of code would probably set
    me on my way.

    Thanks!

  • Allen Chen [MSFT]

    #2
    RE: Adding security question/answer check to ASP.NET *ChangePassword* control

    Hi Ken,

    From your description you want to get the security answer in the
    ChangingPassword event handler of the ChangePassword control. You're using
    ASP.NET membership, the provider is
    System.Web.Security.SqlMembershipProvider and the passwordFormat is Hashed,
    which is the default setting. If my understanding is wrong please correct
    me.

    If so it's not that easy to retrieve the password answer. If you want to do
    so I suggest you write a custom provider. You can refer to the source
    code of System.Web.Security.SqlMembershipProvider. In its ResetPassword
    method it calls base.EncodePassword to encode the password answer and then
    calls the stored procedure aspnet_Membership_ResetPassword to reset the
    password. You can encode the password answer in the same way and compare it
    with the password answer stored in the database.

    The above workaround is a bit complex. Here I would suggest a
    tricky one:

    <asp:ChangePassword ID="ChangePassword1" runat="server" DisplayUserName="true"
        OnChangingPassword="ChangePassword1_ChangingPassword">
        <ChangePasswordTemplate>
            <table border="0" cellpadding="4">
                <tr>
                    <td>
                        <table border="0" cellpadding="0" style="font-family: Verdana;">
                            <tr>
                                <td align="center" colspan="2"
                                    style="color: White; background-color: #1C5E55; font-weight: bold;">
                                    Change Your Password
                                </td>
                            </tr>
                            <tr>
                                <td align="center" colspan="2" style="color: Black; font-style: italic;">
                                    Enter your username and old password.
                                </td>
                            </tr>
                            <tr>
                                <td align="right">
                                    <asp:Label ID="UserNameLabel" runat="server"
                                        AssociatedControlID="UserName">User Name:</asp:Label>
                                </td>
                                <td>
                                    <asp:TextBox ID="UserName" runat="server"></asp:TextBox>
                                    <asp:RequiredFieldValidator ID="UserNameRequired" runat="server"
                                        ControlToValidate="UserName"
                                        ErrorMessage="User Name is required."
                                        ToolTip="User Name is required."
                                        ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
                                </td>
                            </tr>
                            <tr>
                                <td align="right">
                                    <asp:Label ID="CurrentPasswordLabel" runat="server"
                                        AssociatedControlID="CurrentPassword">Password:</asp:Label>
                                </td>
                                <td>
                                    <asp:TextBox ID="CurrentPassword" runat="server" TextMode="Password"></asp:TextBox>
                                    <asp:RequiredFieldValidator ID="CurrentPasswordRequired" runat="server"
                                        ControlToValidate="CurrentPassword"
                                        ErrorMessage="Password is required."
                                        ToolTip="Password is required."
                                        ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
                                </td>
                            </tr>
                            <tr>
                                <td align="right">
                                    <asp:Label ID="NewPasswordLabel" runat="server"
                                        AssociatedControlID="NewPassword">New Password:</asp:Label>
                                </td>
                                <td>
                                    <asp:TextBox ID="NewPassword" runat="server" TextMode="Password"></asp:TextBox>
                                    <asp:RequiredFieldValidator ID="NewPasswordRequired" runat="server"
                                        ControlToValidate="NewPassword"
                                        ErrorMessage="New Password is required."
                                        ToolTip="New Password is required."
                                        ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
                                </td>
                            </tr>
                            <tr>
                                <td align="right">
                                    <asp:Label ID="ConfirmNewPasswordLabel" runat="server"
                                        AssociatedControlID="ConfirmNewPassword">Confirm New Password:</asp:Label>
                                </td>
                                <td>
                                    <asp:TextBox ID="ConfirmNewPassword" runat="server" TextMode="Password"></asp:TextBox>
                                    <asp:RequiredFieldValidator ID="ConfirmNewPasswordRequired" runat="server"
                                        ControlToValidate="ConfirmNewPassword"
                                        ErrorMessage="Confirm New Password is required."
                                        ToolTip="Confirm New Password is required."
                                        ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
                                </td>
                            </tr>
                            <tr>
                                <td align="center" colspan="2">
                                    <asp:CompareValidator ID="NewPasswordCompare" runat="server"
                                        ControlToCompare="NewPassword"
                                        ControlToValidate="ConfirmNewPassword"
                                        Display="Dynamic"
                                        ErrorMessage="The Confirm New Password must match the New Password entry."
                                        ValidationGroup="ChangePassword1"></asp:CompareValidator>
                                </td>
                            </tr>
                            <tr>
                                <td align="center" colspan="2" style="color: Red;">
                                    <asp:Literal ID="FailureText" runat="server" EnableViewState="False"></asp:Literal>
                                    <%-- Set from the code-behind; the control itself never touches this one. --%>
                                    <asp:Label ID="ResultText" runat="server" EnableViewState="False"></asp:Label>
                                </td>
                            </tr>
                            <tr>
                                <td colspan="2">
                                    <%-- Label1_Load in the code-behind fills in the user's security question. --%>
                                    Question: <asp:Label ID="Label1" runat="server" OnLoad="Label1_Load"></asp:Label>
                                    <br />
                                    Answer: <asp:TextBox ID="PasswordAnswer" runat="server"></asp:TextBox>
                                    <%-- A required-field check in the button's ValidationGroup. The original
                                         CompareValidator had nothing to compare against and was not in the
                                         group, so the Change Password button never ran it. --%>
                                    <asp:RequiredFieldValidator ID="PasswordAnswerRequired" runat="server"
                                        ControlToValidate="PasswordAnswer"
                                        ErrorMessage="Please input the answer!"
                                        ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
                                    <br />
                                </td>
                            </tr>
                            <tr>
                                <td align="right">
                                    <asp:Button ID="ChangePasswordPushButton" runat="server"
                                        CommandName="ChangePassword" Text="Change Password"
                                        ValidationGroup="ChangePassword1"
                                        BackColor="White" BorderColor="#C5BBAF" BorderStyle="Solid"
                                        BorderWidth="1px" Font-Names="Verdana" ForeColor="#1C5E55" />
                                </td>
                                <td>
                                    <asp:Button ID="CancelPushButton" runat="server"
                                        CommandName="Cancel" Text="Cancel" CausesValidation="False"
                                        BackColor="White" BorderColor="#C5BBAF" BorderStyle="Solid"
                                        BorderWidth="1px" Font-Names="Verdana" ForeColor="#1C5E55" />
                                </td>
                            </tr>
                        </table>
                    </td>
                </tr>
            </table>
        </ChangePasswordTemplate>
    </asp:ChangePassword>

    // Fills Label1 in the template with the logged-in user's security question.
    protected void Label1_Load(object sender, EventArgs e)
    {
        MembershipUser user = Membership.GetUser();
        if (user != null) ((Label)sender).Text = user.PasswordQuestion;
    }

    // Check the provider's password policy first: once ResetPassword has run, the account
    // holds a generated password the user does not know, so ChangePassword must not fail.
    private static bool MeetsPasswordPolicy(string pwd)
    {
        int nonAlnum = 0;
        foreach (char ch in pwd) if (!char.IsLetterOrDigit(ch)) nonAlnum++;
        string rx = Membership.PasswordStrengthRegularExpression;
        return pwd.Length >= Membership.MinRequiredPasswordLength
            && nonAlnum >= Membership.MinRequiredNonAlphanumericCharacters
            && (string.IsNullOrEmpty(rx) || System.Text.RegularExpressions.Regex.IsMatch(pwd, rx));
    }

    protected void ChangePassword1_ChangingPassword(object sender, LoginCancelEventArgs e)
    {
        ChangePassword cp = (ChangePassword)sender;
        Control container = cp.Controls[0];   // the ChangePasswordTemplate container
        TextBox currentPassword = (TextBox)container.FindControl("CurrentPassword");
        TextBox newPassword = (TextBox)container.FindControl("NewPassword");
        TextBox passwordAnswer = (TextBox)container.FindControl("PasswordAnswer");
        Label result = (Label)container.FindControl("ResultText");

        // This handler performs the whole change, so the control's own processing (which
        // knows nothing about the answer) must not run afterwards.
        e.Cancel = true;

        // The name typed into the form (DisplayUserName="true"), else the authenticated user.
        string userName = string.IsNullOrEmpty(cp.UserName) ? Page.User.Identity.Name : cp.UserName;

        // The temporary password from the e-mail is still required; the answer is an extra
        // factor on top of it, not a replacement for it.
        if (!Membership.ValidateUser(userName, currentPassword.Text))
        { result.Text = "Incorrect user name or password."; return; }
        if (!MeetsPasswordPolicy(newPassword.Text))
        { result.Text = "The new password does not meet the password requirements."; return; }

        MembershipUser user = Membership.GetUser(userName);
        try
        {
            // ResetPassword verifies the answer (MembershipPasswordException if it is wrong)
            // and returns a generated password, which is immediately replaced by the user's.
            string generated = user.ResetPassword(passwordAnswer.Text);
            result.Text = user.ChangePassword(generated, newPassword.Text)
                ? "Your password has been changed."
                : "The password could not be changed. Please request a new reset.";
        }
        catch (MembershipPasswordException)
        {
            // Wrong answer. Each failure counts toward maxInvalidPasswordAttempts, so
            // repeated guessing locks the account out.
            result.Text = "The security answer is incorrect.";
        }
    }

    From the above code you can see I called the MembershipUser.ResetPassword method
    again. This is used to validate the password answer that is input by the
    user. If the exception is thrown we know the password answer is
    incorrect.

    Please let me know if it works. Looking forward to your test result.

    Regards
    Allen Chen
    Microsoft Online Support


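Allen's first suggestion (encode the supplied answer exactly as SqlMembershipProvider does and compare it with the stored hash) is the direct answer to Ken's question about comparing "fingerprints", and it avoids the side effect of the ResetPassword trick, which replaces the user's password before the new one is set. The following is an added example, not code from the thread or from Microsoft. It assumes passwordFormat="Hashed" with an unkeyed hashAlgorithmType such as SHA1 (the .NET 2.0/3.5 default) and that the caller has already read the row's PasswordSalt and PasswordAnswer columns from aspnet_Membership; here both are replaced by a constructed salt and a constructed stored hash, and the literal "SHA1" stands in for Membership.HashAlgorithmType.

```csharp
// Added example (not from the thread): reproduces the SqlMembershipProvider "Hashed"
// encoding so a security answer can be checked against the stored hash without
// resetting the password. Assumptions: passwordFormat="Hashed", an unkeyed algorithm
// such as SHA1, and salt/hash already fetched from aspnet_Membership (constructed here).
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

static class MembershipAnswerCheck
{
    // SqlMembershipProvider.EncodePassword, Hashed format, unkeyed algorithm:
    // Base64( H( saltBytes || UTF-16LE(text) ) ). The same salt is used for the
    // password and the answer of a given user.
    public static string EncodeHashed(string text, string saltBase64, string hashAlgorithmType)
    {
        byte[] salt = Convert.FromBase64String(saltBase64);
        byte[] data = Encoding.Unicode.GetBytes(text);
        byte[] all = new byte[salt.Length + data.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(data, 0, all, salt.Length, data.Length);
        using (HashAlgorithm h = HashAlgorithm.Create(hashAlgorithmType))
        {
            return Convert.ToBase64String(h.ComputeHash(all));
        }
    }

    // The provider trims and lower-cases (invariant culture) the answer before encoding
    // it, both in CreateUser and in ResetPassword, so the check must do the same.
    public static string NormalizeAnswer(string answer)
    {
        return answer.Trim().ToLower(CultureInfo.InvariantCulture);
    }

    public static bool VerifyAnswer(string suppliedAnswer, string storedAnswerHash,
                                    string saltBase64, string hashAlgorithmType)
    {
        string candidate = EncodeHashed(NormalizeAnswer(suppliedAnswer), saltBase64, hashAlgorithmType);
        return FixedTimeEquals(Encoding.ASCII.GetBytes(candidate),
                               Encoding.ASCII.GetBytes(storedAnswerHash));
    }

    // Compare every byte regardless of where the first mismatch is, so the time taken
    // does not reveal how much of the hash a guess got right.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        // Constructed sample data: a 16-byte salt as CreateUser would generate, and the
        // hash CreateUser would store for the answer "Rover".
        byte[] saltBytes = new byte[16];
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider()) rng.GetBytes(saltBytes);
        string salt = Convert.ToBase64String(saltBytes);
        string storedAnswer = EncodeHashed(NormalizeAnswer("Rover"), salt, "SHA1");

        // Same answer with different case and surrounding whitespace, then a different answer.
        Console.WriteLine(VerifyAnswer("  ROVER ", storedAnswer, salt, "SHA1"));
        Console.WriteLine(VerifyAnswer("Fido", storedAnswer, salt, "SHA1"));
    }
}
```

Two caveats before using this in a page. MembershipUser exposes neither the salt nor the stored answer hash, so the check has to live in a custom provider or behind a query against aspnet_Membership. And unlike ResetPassword, a direct comparison does not count wrong answers toward maxInvalidPasswordAttempts, so without your own throttling the form becomes an unlimited-guess oracle for the security answer. On .NET 4 a keyed hashAlgorithmType (an HMAC) takes a different EncodePassword path that uses the salt as the key, so the unkeyed form above does not apply there.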
    • Allen Chen [MSFT]

      #3
      RE: Adding security question/answer check to ASP.NET *ChangePassword* control

      Hi Ken,

      Is this problem solved? Please feel free to let me know if you need further
      assistance.

      Regards,
      Allen Chen
      Microsoft Online Support