Home/ Questions/Q 6049213
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T07:33:01+00:00

unfortunately, we’ve been requested to offer our users the ability to get an email

  • 0

unfortunately, we’ve been requested to offer our users the ability to get an email sent to their registered account, their password .. if they have forgotten their password.

“Click here if you have forgotten your password”

So – this means i need to be able to DECRYPT the password. I don’t like it, but that’s the requirements. I’m used to use a SALT and HASHING a password with SHA1. then storing the salt and the hashed password into the repository.

Not sure what I should be doing if I wish to store the password which can be decrypted now. Is it more or less the same, but I should use AES instead?

Would love some help (and preferably code samples in .NET).

Cheers!

NOTE: Please don’t turn this thread into a topic about HASHING vs DECRYPTING vs OpenAuth.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You can do one of the following:

    1. Change the user’s password temporarily and email the user the new password, which he is required to change in the next login.
    2. Have a functionality to reset the password instead. It is quite similar to the first option, but instead you need to create a temporary token and send that to the user as a link.
    3. If you really, really need to encrypt the password and send it to the user over plaintext, then you need to find a good encryption scheme to protect the passwords while they’re in the database. You can simply create a random key or a derived key using Rfc2898DeriveBytes and then you can use AES combined with HMAC (for verification) to encrypt and store the password. Your application needs to be aware of this key to be able to decrypt the data, which is a security risk. Possibly you can store this key in the web.config file or something similar which should never be accessible from the outside and protect it using DPAPI or the RSAKeyContainer.

    If you go with option 1 or 2, you don’t need to be able to decrypt the password, so you can use a hash + salt, which will be the most secure method.

    • 0