Reputation: 948
I have done the usual Google searches and I think I am correct in saying there is no random password generator in the .NET Framework. The intentions are to reset passwords in AD for forgetful users.
This is bound to be an issue in the next stage of penetration testing. I want to avoid the response "oh yeah, I just knocked up my own generator thingy".
What are the recommendations? Surely I cannot rely on the .NET Random class and an array of characters.
Cheers.
Upvotes: 8
Views: 2947
Reputation: 1038730
If you really want true randomness you should use the RNGCryptoServiceProvider class instead of Random for such tasks. Here's an example of how to create a random password in .NET.
Upvotes: 4
Reputation: 2762
Here's a function to generate simple-to-remember passwords. May be useful for resetting the password, or creating initial passwords, instead of asking the user to type it during registration.
    using System.Security.Cryptography;

    // Creates fairly easy-to-remember random passwords, consisting of
    // three syllables (consonant + vowel) and two digits at the end.
    // A total of 172'800'000 combinations is possible.
    public static string GeneratePassword()
    {
        const string consonnants = "bcdfghjklmnpqrstvwxz";
        const string vowels = "aeiouy";
        string password = "";
        using (var rnd = new RNGCryptoServiceProvider())
        {
            for (int i = 0; i < 3; i++)
            {
                password += consonnants[NextIndex(rnd, consonnants.Length)];
                password += vowels[NextIndex(rnd, vowels.Length)];
            }
            password += NextIndex(rnd, 10).ToString() + NextIndex(rnd, 10).ToString();
        }
        return password;
    }

    // Picks an index in [0, count) with equal probability: bytes that would
    // skew the modulo are discarded and redrawn (count must be <= 256).
    private static int NextIndex(RandomNumberGenerator rnd, int count)
    {
        byte[] b = new byte[1];
        int limit = 256 - (256 % count);
        do
        {
            rnd.GetBytes(b);
        } while (b[0] >= limit);
        return b[0] % count;
    }
This yields passwords like those:
bavara11
baqovi84
namana07
cyluha55
vobana18
qanabi05
bukinu09
gapupa29
P.S. Those are probably not the most secure passwords in the world, but I BET, those are much stronger than the average of what people use on the internet.
Upvotes: 2
Reputation: 38346
While you should not rely on the Random for anything that relates to security, you should be fine using the RNGCryptoServiceProvider to generate the random data needed for building new passwords.
Also, there actually is a method in the BCL for generating random passwords, but it's hidden away in the System.Web assembly. The static method Membership.GeneratePassword can generate passwords of length specified by the caller.
The GeneratePassword method is used to generate a random password and is most commonly used by the ResetPassword method implemented by a membership provider to reset the password for a user to a new, temporary password.
The generated password only contains alphanumeric characters and the following punctuation marks: !@#$%^&*()_-+=[{]};:<>|./?. No hidden or non-printable control characters are included in the generated password.
The documentation does not seem to contain any information regarding how the password is created, but the source code is available for you to have a look.
Upvotes: 13
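An added example, not taken from any of the answers above or from the .NET source: a temporary-password generator for resets that draws from the character set quoted for Membership.GeneratePassword, using only the cryptographic RNG. It assumes .NET Core 3.0 or later (for RandomNumberGenerator.GetInt32); the class name TempPassword and the rule of one character per class are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;

public static class TempPassword   // hypothetical name, not a framework type
{
    // Character classes; the punctuation set is the one quoted above for
    // Membership.GeneratePassword.
    static readonly string[] Classes =
    {
        "abcdefghijklmnopqrstuvwxyz",
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
        "0123456789",
        "!@#$%^&*()_-+=[{]};:<>|./?"
    };

    public static string Generate(int length)
    {
        if (length < Classes.Length)
            throw new ArgumentOutOfRangeException(nameof(length));

        string all = string.Concat(Classes);
        char[] pw = new char[length];

        // One character from each class, so the result satisfies a
        // "mixed character types" policy (assumed requirement).
        for (int i = 0; i < Classes.Length; i++)
            pw[i] = Pick(Classes[i]);
        // Remaining positions are drawn from the full alphabet.
        for (int i = Classes.Length; i < length; i++)
            pw[i] = Pick(all);

        // Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed
        // characters do not always sit in the first four positions.
        for (int i = length - 1; i > 0; i--)
        {
            int j = RandomNumberGenerator.GetInt32(i + 1);
            (pw[i], pw[j]) = (pw[j], pw[i]);
        }
        return new string(pw);
    }

    // GetInt32 returns a uniform value in [0, toExclusive), with no modulo bias.
    static char Pick(string set) => set[RandomNumberGenerator.GetInt32(set.Length)];

    public static void Main() => Console.WriteLine(Generate(16));
}
```

The same class runs on .NET Framework if the GetInt32 calls are replaced with a rejection-sampling helper over RNGCryptoServiceProvider output.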