Are you positive you are using the same machine key as you had before? You may want to restore your backup to a new IIS website and a new database, then see if you can login to this restored site. If so, check your machine key and if it is different than what you have in your current website's web.config, copy it over.

HTH,
Joe D.

The ideal solution is to get a copy of the site working as it was before the upgrade and then change to cleartext passwords then do a query to join the new db with the old copy and get the original password and put it in the new db in the pwd field of mp_Users and set the password format field in mp_Sites as cleat text (0 I think). Then finally generate a new machine key and change back to encrypted from site settings so it will encrypt the clear text passwords again with the latest encryption and machine key.

It is extremely important to use a custom machine key, if someone knows your machine key they can easily hack your site no matter what password format you are using. This is why we added security advisor.

Note that somewhere along the way we changed the encrypted passwords to use a stronger encryption with salt and to do that we migrated password to the newer pwd field which is large enough for the stronger encryption. I don't know if this was before or after your previous version.

Even if you decide to reset the passwords then you should first change the password format field in mp_Sites to clear text, you could then run a query to make the new password something like the email + changeme, there is also a new flag to MustChangePassword on mp_Users. There is no way to generate encrypted password with just sql so you must first reset to plain text passwords and then change to encrypted from site settings so .NET code can generate the encrpyted versions and salt.

Then I guess you could email or tell your users to recover their passwords with password recovery and after the y login change it to a new password.

Hope that helps,

Joe

Ok, here is step by step a way to accomplish it.

1. backup the db again for good measure
2. make sure that email is configured and that you can receive the password recovery email
3. Run this query to set the password format to clear text
   UPDATE mp_Sites SET PasswordFormat = 0
4. Run this query to reset all users to semi random new password
   UPDATE mp_Users Set Pwd = (SELECT SUBSTRING(CONVERT(varchar(36), newid()), 0,9))
5. Touch web.config to clear the site settings cache otherwise it still thinks it is using encrypted
6. recover your own password and verify that you can login
7. Use the Security Advisor page to generate a new machine key and replace the one in web.config with the new one.
8. Go to site settings and change the password format back to encrypted and wait a few minutes, do not touch web.config or do anything that might recycle the app as it will interupt it from processing the passwords.
9. verify in the db that the pwd filed looks encrypted and the passwordsalt field is populated in the mp_Users table
10. logout and verify that you can login again
11. Go to Administration > Newsletters and create a newsletter that will be used to inform the users of the password reset and need to use password recovery. Subscribe to the newsletter and send a test and make sure you receive it. Then click to view the subscribers and click the button to add the remaining site users as subscribers.
12. Create and send a newsletter explaining that passwords were all reset and provide a link to the password recovery page.

Optionally after step 4 you could do UPDATE mp_Users SET MustChangePwd = 1

this would force users to change to a new password after they do login.

Hope that helps,

Joe

no, if you want to use hashed that is fine. I assumed you were already using encrypted because encrypted depends on the machine key. hashed does not depend on the machine key so I don't know why login was failing. hashed is the most secure because it cannot be decrypted. with hashed you can reset the password but not recover it.

doesn't make sense, if you did steps 3, 4, 5 then it should say clear text not hashed. maybe you missed step 5

because machine key is used for cookies, after you change it you will have to login again to get a new cookie, changing it should log you out

as I said previously

test the newsletter first by sending one edition to yourself as the only subscriber.

then you can subscribe all site members to it by clicking a button.

then when you send it it will go to all site members email addresses

the user who receives the mail can click the unsubscribe link but they will have received this message

keep in mind that the site members did not choose to subscribe to the newsletter so you could either delete the newsletter or unsubscribe everyone after the message has been sent or make your own decision whether you want to keep the newsletter around after that.

usually newsletter is a marketing tool but in this case it isn't really a marketing message that you are sending out, this is just using it because it is a convenient way to email all site member email addresses.