3

I am building a login/registration section for our members area in Umbraco 7.1.7.

I would like to send a user their password in plain text via email.

The idea is, if the user forgets their password, they can simply enter their email address (which also serves as their username) and clicks the button: enter image description here
Now, I know Umbraco uses the ASP.NET Membership Provider and hashes passwords, which is nice but I need to access the plaintext version to send in the email.

I have changed my web.config to include this:

<membership defaultProvider="UmbracoMembershipProvider" userIsOnlineTimeWindow="15">
     <providers>
       <clear />
       <add name="UmbracoMembershipProvider" 
            type="Umbraco.Web.Security.Providers.MembersMembershipProvider, Umbraco" 
            minRequiredNonalphanumericCharacters="0" 
            minRequiredPasswordLength="0" 
            useLegacyEncoding="true" 
            enablePasswordRetrieval="true" 
            enablePasswordReset="true" 
            requiresQuestionAndAnswer="false" 
            defaultMemberTypeAlias="Member" 
            passwordFormat="clear" />

and my Controller Action method looks like this:

// Forgot password logic to send email
[ActionName("MvcMemberForgot")]
public ActionResult MvcMemberForgot(MvcMemberForgotModel model)
{
    string emailaddress = model.Email.ToString();    // The users entered email address.
    var member = Services.MemberService.GetByEmail(emailaddress);

    var sb = new StringBuilder();   // To build the message.
    sb.Append("Here is the password you chose for this email address: ");  
    sb.Append(password);  // I need a password value here...

    // Send the email.  
    library.SendMail("noreply@company.co.uk", emailaddress, "Password", sb.ToString(), true);
    return CurrentUmbracoPage();
}

I can use var x = member.RawPasswordValue; to return the hashed password, is there a way to get the password the user typed in when they registered in a similar way?

Ḟḹáḿíṅḡ Ⱬỏḿƀíé
  • 2,128
  • 5
  • 23
  • 33

1 Answers1

10

I wouldn't send the emails to people in plain text, that's very poor security practice. The way I approached this recently was to do the following:

  • add a property to the member (a label) for storing a reset timestamp
  • have a reset request form that validates the user by email address, and then sets the label to a timestamp set 30 minutes to the future
  • send the member an email with a link to another form page, passing in their email and timestamp
  • on the form, get the email and timestamp, verify that the email exists, and that the timestamp hasn't expired
  • if they pass those tests, give them the option to enter and confirm a new password that you then save against the user (clearing the timestamp from the label at the same time)

My approach was based on the code from this example repo: https://github.com/warrenbuckley/CWS-Umbraco-Standard-Membership which contains a lot of useful examples of working with members!

Tim
  • 4,217
  • 1
  • 15
  • 21
  • Thanks for a good concise answer, and good general advice about security. The link is useful too. – Ḟḹáḿíṅḡ Ⱬỏḿƀíé Jul 30 '15 at 10:55
  • So what hinders a hacker to request a password reset, and afterwards send the email with timestamp himself, the timestamp is predictable isn't it? – martinstoeckli Aug 13 '15 at 08:09
  • Not a great deal, there might be some trial and error in getting the exact timestamp though (due to variances in the hackers/the servers time settings). You could encrypt the timestamp as well if you wanted to add additional security? Or have two properties, one for the timestamp that's just used for checking, and use something more secure for the verification of the reset instead of the timestamp. – Tim Aug 18 '15 at 14:33