I have a custom authentication mechanism in a .NET app that stores the hashes of user passwords and then tests entered passwords against that hash to grant authentication ticket.
With the passwords being hashed, obviously I don’t know my users passwords.
For debugging etc, I need to be able to impersonate users and log in to their account, but need some system of getting around the fact that I don’t have the password.
One option I have considered is a secondary test on authentication failure against a master password, though this I consider a little weak since if the master password is compromised, then all accounts are accessible if the email address is known.
Does any one have a good solution for this issue?
This is an admittedly indirect response, but building functionality to actually enable the application to circumvent the authentication process is a risky approach. I’d look at what the actual processes are you’re attempting to debug, what it is about particular accounts that helps you test this then focus on working out that problem. Perhaps you’ll solve this via more robust unit testing, perhaps you even need test accounts in the same roles to replicate the behaviour. Either way, I’d avoid deliberately breaking your own authentication scheme!
BTW, hopefully when you say “stores the hashes of user passwords” there’s a cryptographically random salt in there as well.