Thread: Question about EncryptKey

I changed my EncryptKey value in Web.Config and then after I did this it dawned on my that with a differant key it shouldn't be able to decrypt the passwords on the accounts already in the database. When I tried to log in though I was able to get in just fine. Am I missing something? Shouldn't changing the encrypt key prevent the site from decrypting the old passwords?

The encryptkey controls the encryption for the security log in the admin site, and the encryption of CC numbers. The passwords for customer accounts are a one way hash based on the saltkey.

Ok, so if I import customers into say my dev site and then copy that database to my live site when we put it up I shouldn't run into any problems with the password encryptions?

How are you importing them? As long as you are moving over the entire customer record (including the SaltKey) you won't run into any issues. If you neglect the SaltKey and it's not exactly the same as in the old database, the passwords will no longer work and there will be no way for you to get them back.

Well I can generate the encryption on the password using the routines in the site as is. I have to create the customer database for the import from 2 databases and 3 tables (current website database for the password and email address, our CRM software database for the current customer information and the other table is the Addresses table from our CRM software) I am going to write several queries to combine that data into one table that is in the same format as the new Customer and Address tables in your software but if I do that the passwords would go in as clear text. I was going to write a quick script that would zip through all the passwords and save them back encrypted. I would then backup the entire database and copy it to the new location for the live site.

If the passwords have to write in as plain text...just set the SaltKey to -1 when importing. After you've completed the import, just touch the web.config file, run an iisreset, or restart the site through your hosting control panel. The site will automatically encrypt any plain text passwords for records that have a SaltKey of -1 when it restarts

Very cool! Thanks that worked.