Changing passwords in ASP.NET 2.0 applications from the database

At one time or another, I think everyone has been locked out of a system and not been able to get back in. This can be especially troubling if you happen to be locked out of your administrator account. I have seen many people asking how to reset passwords for the host and admin accounts with DotNetNuke so I thought I would write up some simple instructions on how to change a password via the database for any ASP.NET 2.0 website.

The first thing to note is that you must know the working password of another account on your site. For this example I know the password of my "admin" account for DotNetNuke, you can use any account in your system that you know the password for. Once you have identified the user account, run the following query to obtain the needed user information. You will need to know the username and application name for the specific user account. In my example below the username is admin and the application name is DotNetNuke.

SELECT password, passwordformat, passwordsalt
FROM aspnet_membership am
    INNER JOIN aspnet_users au
        ON (au.userid = am.userid)
    INNER JOIN aspnet_applications aa
        ON (au.applicationId = aa.applicationid)
WHERE au.username = 'admin'
    AND aa.applicationname = 'DotNetNuke'

You will want to copy the results of this query to your clipboard as you will need this information for the next step of the process. Next, we will be using the ASP.NET stored procedure "aspnet_Membership_setPassword" to set the password value for our user. When calling this stored procedure we must pass the following values to it. ApplicationName, Username, Password, PasswordSalt, ChangeTime, passwordFormat. Below is an example, you will simply need to substitute your values.

--Prepare the change date
DECLARE @changeDate datetime
set @changeDate = getdate()

--set the password
exec aspnet_Membership_setPassword 'DotNetNuke', 
                        'TestUser', 
                        'DM1tZvBjM+27Eck5eI1TWFeG42XuJnMuin3jqFOtMjS83RN6d7dFbQ==', 
                        '4e5Bb5jOOMYu/JFXVdRmlA==',
                        @changeDate, 
                        2

--Sets the password to dnnadmin

After running this script you should now be able to login with the newly set password. A few things to remember about this method. First to guarantee that this will work correctly the known user account information must be taken from the same application as the machine and validation keys change the encryption methods used for setting the passwords. Also, you should remember that this method will work with ANY ASP.NET 2.0 website. This can be very helpful if you happen to be locked out of an account that cannot send forgotten password e-mails, such as host or admin in DotNetNuke.