get the actual password from aspnet_memberships

  • I want to select the password from the aspn_membership (.NET memberships tables) and decrypt it

    Any idea how to do that?

  • You cannot do that. The point of a hash is a one way function applied to a password. It's possible there are multiple passwords that could hash to the same value.

    You can set a new password and get a new hash.

  • Steve Jones - SSC Editor (6/4/2012)


    You cannot do that. The point of a hash is a one way function applied to a password. It's possible there are multiple passwords that could hash to the same value.

    You can set a new password and get a new hash.

    see my updated question please

  • First, please don't edit the question to change it as it then wrecks the flow of the discussion. If you have a follow up, ask it. If you have a different question, then start a new thread.

    In terms of decryption, how is the password stored in the table? I am not sure what you are referencing here as there are multiple frameworks that might use a table by that name.

    Likely it's a hash, and then there is no decryption. Hashing uses a one way function, which by definition, does not allow decryption.

  • To continue on what Steve is saying, a hashed password is never unencrypted to its original value.

    What happens is a potential password is hashed, and the two hashes can then be compared. This makes it very secure, because the password is never transmitted... only the hash of the passwords.

    Here's a very basic example of what happens... if the "false" method is returned, the login stuff says something like "invalid username or password".

    declare @val varbinary(max)
    SELECT @val = HashBytes('SHA1','MySecret Phrase')

    SELECT
      CASE
        WHEN @val = HashBytes('SHA1','MyOther Phrase')
        THEN 'True'
        ELSE 'FALSE'
      END

    So the only thing you can do is reset the password to a new, known password if you need the password to be a known value.

    Lowell


    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!
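
The compare-and-reset flow described in the post above, extended with a per-user salt, as an added example that is not part of the original thread. The table variable, user name and phrases are constructed; it does not use the real membership schema, and `SHA2_256` assumes SQL Server 2012 or later.

```sql
-- Added example: constructed table and values, not the membership schema.
DECLARE @Users TABLE (
    UserName nvarchar(50)  PRIMARY KEY,
    Salt     varbinary(16) NOT NULL,  -- random per user, stored beside the hash
    PwdHash  varbinary(32) NOT NULL   -- hash of salt + password; the password itself is never stored
);

-- Registration: generate a salt and keep only the salted hash.
DECLARE @salt varbinary(16) = CRYPT_GEN_RANDOM(16);

INSERT INTO @Users (UserName, Salt, PwdHash)
VALUES (N'alice', @salt,
        HASHBYTES('SHA2_256', @salt + CAST(N'MySecret Phrase' AS varbinary(200))));

-- Login check: re-hash the submitted value with the stored salt and compare hashes.
DECLARE @attempt nvarchar(100) = N'MyOther Phrase';

SELECT CASE
         WHEN PwdHash = HASHBYTES('SHA2_256', Salt + CAST(@attempt AS varbinary(200)))
         THEN 'True'
         ELSE 'FALSE'
       END AS LoginOk
FROM @Users
WHERE UserName = N'alice';

-- Forgotten password: there is nothing to decrypt, so replace salt and hash together.
DECLARE @newSalt varbinary(16) = CRYPT_GEN_RANDOM(16);

UPDATE @Users
SET Salt    = @newSalt,
    PwdHash = HASHBYTES('SHA2_256', @newSalt + CAST(N'New Known Phrase' AS varbinary(200)))
WHERE UserName = N'alice';

-- The old phrase no longer matches; only the newly set one does.
SELECT CASE
         WHEN PwdHash = HASHBYTES('SHA2_256', Salt + CAST(N'MySecret Phrase' AS varbinary(200)))
         THEN 'True' ELSE 'FALSE'
       END AS OldPhraseOk,
       CASE
         WHEN PwdHash = HASHBYTES('SHA2_256', Salt + CAST(N'New Known Phrase' AS varbinary(200)))
         THEN 'True' ELSE 'FALSE'
       END AS NewPhraseOk
FROM @Users
WHERE UserName = N'alice';
```

A single fast hash is used here only to stay parallel with the HashBytes example above; production credential stores use a deliberately slow, iterated function in the application layer.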

  • There is simply no valid reason to read stored passwords. Even if it were possible, providing the capability to do so would create a huge security risk.

    Drew

    J. Drew Allen
    Business Intelligence Analyst
    Philadelphia, PA

  • drew.allen (6/4/2012)


    There is simply no valid reason to read stored passwords. Even if it were possible, providing the capability to do so would create a huge security risk.

    Drew

    Very true, and this is why hashes are stored.

    If a process or person can't remember the password, set a new one. If you can read an old one, then you are asking to potentially have someone making changes under another user's account.
