
I am developing an app in which I need to design a page for users who forget their passwords, and send them the new passwords by email. I am using ASP.NET Membership, and the password format should be hashed.

My problem is that when sending the mail fails, the password has already been changed and, wow, nothing can be done.

What is your solution?

Dan Davies Brackett
Hossein Margani

6 Answers

You should send users an email with a link where they can confirm the password reset (otherwise other users' passwords could be reset by guessing their emails). On the linked page, users would then confirm the password reset (or even change the password themselves).

But it's better practice not to send passwords in any way, shape or form. That's the most secure.

The process:

  1. Users request a password reset by their email.
  2. They receive an email with a link.
  3. They click the link and provide a new password, which gets hashed right away and stored in the system.
Robert Koritnik

You could temporarily set the passwordFormat value for affected users to "Clear" in the aspnet_Membership table, assign them a password, and then work on getting the e-mail working.

Setting the aspnet_Membership.passwordFormat value to 0 changes the format to clear text, which means it's not encrypted. It's not secure, but it will allow login. After that, you can reset the password and it'll be changed back to 2 (Encrypted).

Jon Galloway

The user should change their password again, and hopefully the email will succeed.

If they entered an incorrect address, they should contact an administrator who can correct their email address.

JoshJordan

If it is possible to tell whether an e-mail was successfully sent before you actually commit the change to the database, this would be a good option. This isn't always the case, but maybe it could work for your application.

Usually, in my experience, ASP will throw an exception if the e-mail fails. If this happens, don't do anything in the DB; if the mail goes through, then change the password. That doesn't mean they will get the e-mail, but you can't account for problems while the e-mail is in transit anyway. The option above would apply after this fails. ;)

Wade

I don't know about support for such a feature in ASP.NET.

But some websites send you an email with a link to click (which expires in some days). Clicking it makes sure you are committing to that action (i.e. the password is changed only after they receive the email and click the link they received).

shahkalpesh
  • You mean I should have a table to store a random value for the user, to check that the user is the one I sent that email to? – Hossein Margani Jul 21 '09 at 17:01
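The reset-link flow described in Robert Koritnik's and shahkalpesh's answers, and the "table with a random value" the comment asks about, as an added example that is not from this thread and does not use the ASP.NET Membership API: the stored password is never touched until the emailed token is presented, so a failed send leaves the account exactly as it was. The in-memory dicts, the example.invalid link and the `send_mail` callback are assumptions standing in for the membership table, a reset-token table and the mail sender.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the aspnet_Membership table and a reset-token table.
USERS = {}   # email -> {"salt": bytes, "hash": bytes}
TOKENS = {}  # sha256(token) -> {"email": str, "expires": float}
TOKEN_TTL = 3600  # seconds a reset link stays valid (assumed value)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "hash": hash_password(password, salt)}

def verify_password(email: str, password: str) -> bool:
    rec = USERS.get(email)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))

def request_reset(email: str, send_mail, now=None) -> bool:
    """Step 1 and 2: mint a one-time token and email the link. The password is
    not changed here, so a failed send is harmless: the token is simply dropped."""
    if email not in USERS:
        return True  # same outward response for unknown emails (no enumeration)
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
    TOKENS[key] = {"email": email, "expires": (now or time.time()) + TOKEN_TTL}
    try:
        send_mail(email, f"https://example.invalid/reset?token={token}")
    except Exception:
        TOKENS.pop(key, None)  # send failed: nothing changed, the user can retry
        return False
    return True

def complete_reset(token: str, new_password: str, now=None) -> bool:
    """Step 3: only now is the new password hashed and stored; the token is
    single-use (popped) and rejected once past its expiry."""
    key = hashlib.sha256(token.encode()).hexdigest()
    rec = TOKENS.pop(key, None)
    if rec is None or (now or time.time()) > rec["expires"]:
        return False
    set_password(rec["email"], new_password)
    return True
```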

ASP.NET also supports the question and secret answer approach to password recovery if email doesn't work.

Keith