Important Notice from AspDotNetStorefront
It is with dismay that we report that we have been forced, through the action of hackers, to shut off write-access to this forum. We are keen to leave the wealth of material available to you for research. We have opened a new forum from which our community of users can seek help, support and advice from us and from each other. To post a new question to our community, please visit: http://forums.vortx.com

Thread: Accessing Customer Password

  1. #1
    mohanrh (Member)
    Join Date: Jul 2009
    Posts: 78

    Accessing Customer Password

    We are planning to go live with our new site on the ML64 platform. We have some classic .asp websites that use the store user email/password information for authentication purposes. When we migrate our main ecommerce website to the aspdotnet storefront platform, all the passwords will be encrypted. In such a case other .asp web sites cannot use that information for authentication.

    Is there a way to still authenticate users based on customer credentials? In other words, how can I decrypt the salted password in user table from a classic asp website?

    Any pointers or suggestions in this regard are greatly appreciated.

    Mohan

  2. #2
    ssgumby (Senior Member)
    Join Date: Feb 2009
    Posts: 683

    I believe you only have one option and that is to set all passwords to something random and have them change them. Once the password is encrypted in your old system there is no way to undo it. This is assuming your passwords were encrypted with a one-way encryption algorithm which is standard practice for passwords.

  3. #3
    ASPAlfred (Senior Member)
    Join Date: Nov 2007
    Posts: 2,244

    Agreed. The passwords are salted+hashed, which is one way. There isn't any way to decrypt the customer passwords once they are stored in the database. So, your only option is to set all passwords to something random and require them to change it once they have logged in (set PwdChangeRequired = 1 in the customer table).

  4. #4
    mohanrh (Member)
    Join Date: Jul 2009
    Posts: 78

    password, decrypt

    Thanks for the info. But in our case, we don't have any issues with user auth on the main site.

    In our case we also have some subsidiary ASP sites which have user login pages and use SQL queries against the customer table to validate user credentials. All such queries will fail since the user passwords are encrypted.


    Is there any way to replicate the security.vb functionality outside of storefront environment so that other sites too can validate users?

    Thanks
    Mohan

  5. #5
    DanV (Ursus arctos horribilis)
    Join Date: Apr 2006
    Posts: 1,568

    You could write functionality in another application that mimics our hashing logic, yes. Another way to handle it would be to mod WSI to support user authentication against an aspdotnetstorefront database using our internal logic (please make sure your communication is secure).
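
Added example, not part of the original thread and not AspDotNetStorefront's code: how a second application can validate a login against a salted, hashed value by recomputing and comparing rather than decrypting. The PBKDF2 scheme, the iteration count and the `salt`/`stored_hash` field names are assumptions made for illustration (the real algorithm has to come from the storefront's own hashing logic); `PwdChangeRequired` is the flag named earlier in the thread.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor, not taken from the storefront


def derive(password: str, salt: bytes) -> bytes:
    """Assumed stand-in for the storefront's hashing logic (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_row(email: str, password: str, pwd_change_required: int = 0) -> dict:
    """Constructed customer row: the password itself is never stored."""
    salt = secrets.token_bytes(16)
    return {"email": email, "salt": salt, "stored_hash": derive(password, salt),
            "PwdChangeRequired": pwd_change_required}


# Constructed sample data standing in for the shared customer table.
CUSTOMERS = {row["email"]: row for row in (
    make_row("alice@example.test", "correct horse battery"),
    make_row("bob@example.test", "temporary-random-value", pwd_change_required=1),
)}


def verify_login(email: str, submitted: str) -> str:
    """Return 'ok', 'change_required' or 'denied' for a login attempt."""
    row = CUSTOMERS.get(email)
    if row is None:
        derive(submitted, b"\x00" * 16)  # same work for unknown accounts
        return "denied"
    # A query such as WHERE Password = <typed value> can never match, because
    # the column holds a digest. Recompute with the stored salt and compare.
    candidate = derive(submitted, row["salt"])
    if not hmac.compare_digest(candidate, row["stored_hash"]):
        return "denied"
    return "change_required" if row["PwdChangeRequired"] == 1 else "ok"


if __name__ == "__main__":
    for email, pw in [("alice@example.test", "correct horse battery"),
                      ("alice@example.test", "wrong"),
                      ("bob@example.test", "temporary-random-value")]:
        print(email, verify_login(email, pw))
```
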

  6. #6
    wkelly (Junior Member)
    Join Date: Dec 2010
    Posts: 1

    mimic hashing logic

    "You could write functionality in another application that mimics our hashing logic, yes"

    How could I get details to mimic your hashing logic?

  7. #7
    khazendar (Junior Member)
    Join Date: Sep 2011
    Posts: 2

    Originally posted by wkelly:
    "You could write functionality in another application that mimics our hashing logic, yes"

    How could I get details to mimic your hashing logic?

    Did you find any answer for that?

  8. #8
    dhavaludani (Junior Member)
    Join Date: Nov 2009
    Posts: 11

    No answer to this

  9. #9
    cjbarth (Senior Member)
    Join Date: Oct 2008
    Posts: 392

    I've done it before, but I want to make entirely sure I understand what you are after. You have another site that you want to allow people to gain access from ASPDNSF, or you have another site you want to access ASPDNSF from?
    ML9.3.1.1
    SQL 2012 Express
    VS 2010
    Azure VM

  10. #10
    dhavaludani (Junior Member)
    Join Date: Nov 2009
    Posts: 11

    It's the latter. You can say that I want to port my data to another DB (say in an Open Source environment) and hence need some logic which will decrypt passwords. My other option is resetting passwords of all users and sending all of them the new password for login, which will not be a good solution from a customer perspective.