If you’re using the Membership API in asp.net and need to retrieve a user’s password, you can do so by doing this:

MembershipUser user = Membership.GetUser("username");
string password = user.GetPassword();
string saferPassword = user.GetPassword("password answer");

The latter is safer as it requires you to pass in the user’s security answer as an added check. This will give you the unencrypted password [The default membership system stores hashed passwords in the database].

To support this feature, you’ll need to have password retrieval enabled in the web.config. You can do this in the <membership> node under <system.web>. It’ll look something like this:

<membership defaultProvider="myProvider"> 
      <providers> 
        <add connectionStringName="LocalSqlServer" enablePasswordRetrieval="true" 
          enablePasswordReset="true" requiresQuestionAndAnswer="true" 
          applicationName="/" requiresUniqueEmail="false" passwordFormat="Encrypted" 
          maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" 
          minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" 
          passwordStrengthRegularExpression="" name="myProvider" 
          type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

     </providers>

</membership>

Hope that helps.

As Richard points out, hashed passwords cannot be retrieved. The hash is one way while having the password format set to encrypted enables retrieval of passwords. I’ve updated the web.config code to ensure that passwords can be retrieved.

Tags: ASP.NET