Retrieve the hashed password from the database to the text

I want to implement the "Forgot your password?" feature in the program. I can already retrieve the username and the hashed password from the database and send them to the user's email (I use my own email as the user), but what I get in the email is still the hashed password that is actually stored in the database (not the actual password before it was hashed). I could not figure out how to retrieve the actual password; what I get is either false (boolean) or the hashed password.

Could you guys help me?

Here is the code that I am using:

The code below retrieves the information (SystemManager class):

public static void RecoverMember(string _value1, string _selectedIndex, string _value2, Form _windowsForm, TextBox _windowsTextBox)
{
    using (OleDbConnection connection = new OleDbConnection(connectionString))
    {
        // Look the member up by the e-mail address entered in the form
        string query = "SELECT * FROM [Member] WHERE [Email] = @Email";

        connection.Open();

        using (OleDbCommand command = new OleDbCommand(query, connection))
        {
            command.Parameters.Add("@Email", OleDbType.VarChar);
            command.Parameters["@Email"].Value = _value1;

            using (OleDbDataReader reader = command.ExecuteReader())
            {
                if (reader.Read())
                {
                    UserInformation.FirstName = (string)reader["FirstName"];
                    UserInformation.LastName = (string)reader["LastName"];
                    UserInformation.Name = (string)reader["Username"];

                    // These three columns hold BCrypt hashes, not the original values
                    string securityQuestion = (string)reader["SecurityQuestion"];
                    string securityAnswer = (string)reader["SecurityAnswer"];
                    string password = (string)reader["Password"];

                    _isValidRecoverSecurityQuestion = BCrypt.ValidateHash(_selectedIndex, securityQuestion);
                    _isValidRecoverSecurityAnswer = BCrypt.ValidateHash(_value2, securityAnswer);
                    // Checks the stored hash against itself; the result is a bool, not the original password
                    _recoveredPassword = BCrypt.ValidateHash(password, password);

                    UserInformation.Password = Convert.ToString(_recoveredPassword);

                    if (_isValidRecoverSecurityQuestion && _isValidRecoverSecurityAnswer)
                    {
                        Authenticate _authenticate = new Authenticate();

                        _authenticate.ShowDialog();

                        ShowMessageBox("Your credentials have been sent to your email.", "Success", 2);

                        SendRecoverCredentials(_value1);

                        _windowsForm.Hide();

                        _windowsForm.Close();
                    }
                }

                if (!_isValidRecoverSecurityQuestion || !_isValidRecoverSecurityAnswer)
                {
                    Authenticate _authenticate = new Authenticate();

                    _authenticate.ShowDialog();

                    ShowMessageBox("Either your email, security question or answer is incorrect. Please try again.", "Error", 1);

                    ClearTextBoxes(_windowsForm.Controls);

                    _windowsTextBox.Focus();
                }

                reader.Close();
            }
        }

        connection.Close();
    }
}

The code below sends the email to the user (SystemManager class):

public static void SendRecoverCredentials(string _to)
{
    try
    {
        SmtpClient _smtp = new SmtpClient();

        MailMessage _message = new MailMessage();

        // The body carries the username and whatever UserInformation.Password currently holds
        _message.From = new MailAddress("credentialhelper@gmail.com", "SIA - Point of Sales - Support -");
        _message.To.Add(new MailAddress(_to, UserInformation.FirstName + " " + UserInformation.LastName));
        _message.Subject = "Credentials Recover";
        _message.Body = "Dear " + UserInformation.FirstName + " " + UserInformation.LastName + "," +
            "\n\n\nBelow are your credentials:" + "\n\n\n\n" + "Username: " + UserInformation.Name + "\nPassword: " + UserInformation.Password +
            "\n\n\n\nTo avoid future messages being moved to the spam or junk folder, please add credentialhelper@gmail.com to your contact list." +
            "\n\n\n*** This is an automatically computer generated message, please do not reply to this message ***";

        _smtp.Port = 587;
        _smtp.Host = "smtp.gmail.com";
        _smtp.EnableSsl = true;
        _smtp.UseDefaultCredentials = false;
        _smtp.Credentials = new NetworkCredential("credentialhelper@gmail.com", "(the password is not shown here)");

        _smtp.DeliveryMethod = SmtpDeliveryMethod.Network;
        _smtp.Send(_message);

        ShowMessageBox("Your message has been successfully sent.", "Success", 2);
    }
    catch (Exception ex)
    {
        ShowMessageBox("Message : " + ex + "\n\nEither your e-mail or password is incorrect. (Are you using a Gmail account?)", "Error", 1);
    }
}

And here is where I call it (Recover form):

// button1_Click is for the Submit button

void button1_Click(object sender, EventArgs e)
{
    if (this.textBox1.Text == string.Empty || string.IsNullOrWhiteSpace(this.textBox1.Text))
    {
        SystemManager.ShowMessageBox("E-mail required.", "Information", 2);
    }
    else if (_isCheckedEmail != true)
    {
        SystemManager.ShowMessageBox("You have to check the validity of your e-mail before proceeding.", "Information", 2);
    }
    else if (this.textBox2.Text == string.Empty || string.IsNullOrWhiteSpace(this.textBox2.Text))
    {
        SystemManager.ShowMessageBox("Security Answer required.", "Information", 2);
    }
    else
    {
        // textBox1 is for the e-mail field
        // comboBox1 is for the security question field
        // textBox2 is for the security answer field
        SystemManager.RecoverMember(this.textBox1.Text, this.comboBox1.Text, this.textBox2.Text, this, this.textBox1);
    }
}

And here is the designer of the Recover Form:

[image: designer view of the Recover form]

// The CheckValidity button checks whether the e-mail is valid or not.
// The Reset button clears the textboxes in the form.

And here are the database image and the email message:

[image: Member table in the database]

[image: the received email message]

So sorry for the long posting. And I really appreciate your answer. Thank you very much.

UPDATE 1:

If I change the "Password: " + UserInformation.Password part of

_message.Body = "Dear " + UserInformation.FirstName + " " + UserInformation.LastName + "," +
    "\n\n\nBelow are your credentials:" + "\n\n\n\n" + "Username: " + UserInformation.Name + "\nPassword: " + UserInformation.Password +
    "\n\n\n\nTo avoid future messages being moved to the spam or junk folder, please add credentialhelper@gmail.com to your contact list." +
    "\n\n\n*** This is an automatically computer generated message, please do not reply to this message ***";

to "Password: " + _recoveredPassword,

what I get is the hashed password shown instead of false.

Jon Skeet

The whole point of hashing is that it's one way - that you can't retrieve the original password from the hash.

A "forgot your password" feature shouldn't email the existing password to the user... it should generate a temporary "reset-only" password (ideally with a short expiry) and email that to the user, within a link. The user then follows the link, which allows them to set the password to a new "full" one. (You really don't want the "secret" that's been sent by email to be a long-term password.) They

The fact that anything sensitive is sent by email is somewhat non-ideal... if this is for very sensitive data, you wouldn't want that email on its own to be enough to change the password (or log in) - it would be better if it were combined with some code displayed on the browser on the page displayed when the user requests the reset link. Then there's two-factor authentication and all kinds of other security options... but at the very least, a reset link is a start.

You should never email a plaintext version of a password that the user has entered themselves. (I get very cross when other sites do this.) While many users know that they shouldn't use the same password on multiple sites, they often still do - so if that email is intercepted, you haven't just put their account on your site at risk, but potentially other sites too.


See more on this question at Stackoverflow
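The reset-link flow described in the answer, written out as an added example; this is not the asker's code and not Jon Skeet's. It assumes .NET 6 or later, uses a Dictionary in place of the [Member] table, PBKDF2 from the base class library in place of the BCrypt library the question uses, and a placeholder reset URL; the names PasswordHasher, PasswordResetService, IssueResetToken, CompleteReset and BuildResetLink are made up for the illustration. It also shows, in Verify, why the question's BCrypt.ValidateHash(password, password) can only ever return a bool: a hash can be re-derived and compared, never reversed.

```csharp
// Added example (not the asker's or the project's code): a "forgot your
// password?" flow that never emails a password. Assumes .NET 6 or later.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class PasswordHasher
{
    private const int Iterations = 100_000;

    // Salted PBKDF2-HMAC-SHA256 (stand-in for BCrypt); stored as "salt:hash" in Base64.
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(key);
    }

    // The only operation a hash supports: re-derive with the stored salt and
    // compare in constant time. There is no way back from the hash to the password.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}

public sealed class PasswordResetService
{
    private sealed class PendingReset
    {
        public byte[] TokenHash;    // SHA-256 of the token; the raw token exists only in the email
        public DateTime ExpiresUtc;
    }

    private readonly Dictionary<string, string> _passwordHashByEmail;   // stands in for [Member]
    private readonly Dictionary<string, PendingReset> _pending = new Dictionary<string, PendingReset>();
    private readonly TimeSpan _lifetime;

    public PasswordResetService(Dictionary<string, string> members, TimeSpan lifetime)
    {
        _passwordHashByEmail = members;
        _lifetime = lifetime;
    }

    // Step 1: the user submits their e-mail. Returns the raw token that goes into
    // the link, or null for an unknown address (show the same message either way).
    public string IssueResetToken(string email, DateTime nowUtc)
    {
        if (!_passwordHashByEmail.ContainsKey(email)) return null;
        string token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _pending[email] = new PendingReset
        {
            TokenHash = SHA256.HashData(Encoding.ASCII.GetBytes(token)),
            ExpiresUtc = nowUtc + _lifetime,
        };
        return token;
    }

    // What the e-mail carries instead of a password (placeholder host).
    public static string BuildResetLink(string email, string token)
    {
        return "https://pos.example.invalid/reset?email=" + Uri.EscapeDataString(email)
             + "&token=" + Uri.EscapeDataString(token);
    }

    // Step 2: the user follows the link and chooses a new password. The token is
    // single use and rejected after expiry; only then is the stored hash replaced.
    public bool CompleteReset(string email, string token, string newPassword, DateTime nowUtc)
    {
        if (!_pending.TryGetValue(email, out PendingReset record)) return false;
        if (nowUtc > record.ExpiresUtc) { _pending.Remove(email); return false; }
        byte[] presented = SHA256.HashData(Encoding.ASCII.GetBytes(token));
        if (!CryptographicOperations.FixedTimeEquals(presented, record.TokenHash)) return false;
        _pending.Remove(email);
        _passwordHashByEmail[email] = PasswordHasher.Hash(newPassword);
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample account: the hash is the only thing ever stored.
        var members = new Dictionary<string, string> { ["alice@example.invalid"] = PasswordHasher.Hash("old-password") };
        var service = new PasswordResetService(members, TimeSpan.FromMinutes(15));
        DateTime now = DateTime.UtcNow;

        string token = service.IssueResetToken("alice@example.invalid", now);
        Console.WriteLine("E-mail body would contain: " + PasswordResetService.BuildResetLink("alice@example.invalid", token));
        Console.WriteLine("Reset within lifetime:   " + service.CompleteReset("alice@example.invalid", token, "new-password", now.AddMinutes(5)));
        Console.WriteLine("Same token used again:   " + service.CompleteReset("alice@example.invalid", token, "other", now.AddMinutes(6)));
        Console.WriteLine("Login with new password: " + PasswordHasher.Verify("new-password", members["alice@example.invalid"]));
        Console.WriteLine("Login with old password: " + PasswordHasher.Verify("old-password", members["alice@example.invalid"]));
    }
}
```

In the question's RecoverMember this would replace the _recoveredPassword line and the credentials email: after the security answer check passes, call IssueResetToken, put the link from BuildResetLink in the message body, and handle the link on a separate "choose a new password" form that calls CompleteReset. Storing only the SHA-256 of the token means a copy of the database does not let anyone complete a pending reset, and the expiry plus single use keeps the emailed secret from becoming a long-term credential, which is the answer's point.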