Changing passwords in ASP.NET 2.0 applications from the database

At one time or another I think everyone has been locked out of a system and not been able to get back in. This can be especially troubling if you happen to be locked out of your administrator account. I have seen many people asking how to reset passwords for the host and admin accounts with DotNetNuke so I thought I would write up some simple instructions on how to change a password via the database for any ASP.NET 2.0 website.

The first thing to note is that you must know the working password of another account on your site. For this example I know the password of my "admin" account for DotNetNuke, you can use any account in your system that you know the password for. Once you have identified the user account, run the following query to obtain the needed user information. You will need to know the username and application name for the specific user account. In my example below the username is admin and the applicaton name is DotNetNuke.

SELECT password, passwordformat, passwordsalt
FROM aspnet_membership am
    INNER JOIN aspnet_users au
        ON (au.userid = am.userid)
    INNER JOIN aspnet_applications aa
        ON (au.applicationId = aa.applicationid)
WHERE au.username = 'admin'
    AND aa.applicationname = 'DotNetNuke'

You will want to copy the results of this query to your clipboard as you will need this information for the next step of the process. Next we will be using the ASP.NET stored procedure "aspnet_Membership_setPassword" to set the password value for our user. Whne calling this stored procedure we must pass the following values to it. ApplicationName, Username, Password, PasswordSalt, ChangeTime, passwordFormat. Below is an example, you will simply need to substitute your values.

--Prepare the change date
DECLARE @changeDate datetime
set @changeDate = getdate()

--set the password
exec aspnet_Membership_setPassword 'DotNetNuke',
                        'TestUser',
                        'DM1tZvBjM+27Eck5eI1TWFeG42XuJnMuin3jqFOtMjS83RN6d7dFbQ==',
                        '4e5Bb5jOOMYu/JFXVdRmlA==',
                        @changeDate,
                        2

--Sets the password to dnnadmin

After running this script you should now be able to login with the newly set password. A few things to remember about this method. First to guarantee that this will work correctly the known user account information must be taken from the same application as the machine and validation keys change the encryption methods used for setting the passwords. Also, you should remember that this method will work with ANY ASP.NET 2.0 website. This can be very helpful if you happen to be locked out of an account that cannot send forgotten password e-mails, such as host or admin in DotNetNuke.

Posted by Mitchel on Sunday, February 11, 2007

Tags: DotNetNuke, ASP.NET, .NET 2.0

Comments

Wow, thank you so much for this article. You saved my website.

Thanks,
Pat

By plee on Wednesday, February 28, 2007 at 1:27 AM

Me to, you saved my life!!

Thanks

Rick

By Rick on Wednesday, February 28, 2007 at 5:03 PM

You are the man! -- I moved my website from local machine to dev environment and found that could not log into host and admin account... you saved me.

By med_tester on Monday, April 02, 2007 at 1:24 PM

Greetings:

Sadly...I'm in this situation. However, my site is a DNN v3.3.7 site running the 1.1 framework (SQL Server backend). Will this procedure work on it as well?

Thanks in advance for any guidance/advice.

Ed in Tampa

By Ed in Tampa on Wednesday, June 27, 2007 at 7:24 AM

Ed,

I don't have my 3.x installation in front of me, but I believe the process is pretty close to the same. You will simply want to sanity check to ensure that all tables and procedures exist

By mitchel.sellers@gmail.com on Wednesday, June 27, 2007 at 1:38 PM

Comments from the following blog entry: Change Admin Passwords in ASP.NET Application, located at: http://www.dotnetkicks.com/aspnet/Change_Admin_Passwords_in_ASP_NET_Application

By DotNetKicks.com on Wednesday, January 16, 2008 at 6:23 PM

I tried this and got this....
Msg 208, Level 16, State 1, Line 1
Invalid object name 'aspnet_membership'.

What am I doing wrong?

By kimberly on Monday, April 07, 2008 at 10:35 AM

If you have an object qualifier supplied in your DNN installation, you will need to add that before the name of the table...

By mitchel.sellers@gmail.com on Tuesday, April 08, 2008 at 4:50 AM

The enclosed avoids the need for the clipboard:

ALTER PROCEDURE dbo.sp_UserPassword_Reset
(
@SourceUserName nvarchar(256),
@TargetUserName nvarchar(256)
)
--Sets the password for the Target User to the password of the Source User
AS

Declare @ApplicationName nvarchar(256)
Declare @NewPassword nvarchar(128)
Declare @PasswordSalt nvarchar(128)
Declare @PasswordFormat int
DECLARE @changeDate datetime

set @changeDate = getdate()
Set @ApplicationName=N'itrco'

SELECT @NewPassword = password, @PasswordFormat= passwordformat, @PasswordSalt= passwordsalt
FROM aspnet_membership am
INNER JOIN aspnet_users au
ON (au.userid = am.userid)
INNER JOIN aspnet_applications aa
ON (au.applicationId = aa.applicationid)
WHERE au.username = @SourceUserName
AND aa.applicationname = @ApplicationName

exec aspnet_Membership_setPassword @ApplicationName,
@TargetUserName,
@NewPassword ,
@PasswordSalt,
@changeDate,
@PasswordFormat

RETURN

By ARL on Wednesday, November 05, 2008 at 12:15 PM

Click here to post a comment

RSS Feeds/Syndication

Subscribe To Blog RSS
Subscribe To Blog Updates by E-Mail
Add blog to Technorati Favorites

Donate

Show your appreciation for the content/modules made available by MitchelSellers.com by making a donation. Donations are used to assist with dedicating time to creating free content.