Can I configure the ResetPassword in Asp.Net's MembershipProvider?

Question

I have an C# asp.net app using the default Sql MembershipProvider. My web.config has a few settings that control how I'm using this Provider:

enablePasswordRetrieval="false" 
enablePasswordReset="true"
requiresUniqueEmail="true"
passwordFormat="Hashed" 
minRequiredPasswordLength="5" 

The problem I'm running into is that when people reset their passwords, it seems the ResetPassword() method returns a password that is longer than I want and has characters that can be confusing (l,1,i,I,0,O). Furthermore, I'm sending my users an email with a plain-text message and an HTML message (I'm using MailMessage with AlternateViews). If the password has unsafe HTML characters in it, when the email clients render the HTML text the password might be different (e.g. the %, &, and < aren't exactly HTML safe).

I've looked over the "add" element that belongs in the web.config, but I don't see any extra configuration properties to only include certain characters in the ResetPassword() method and to limit the password length.

Can I configure the ResetPassword() method to limit the password length and limit the character set it is choosing from?

Right now I have a workaround: I call ResetPassword() to make sure the supplied answer is correct, and then I use a RandomPassword generator I downloaded off the internet to generate a password that I like (without ambiguous characters, HTML safe, and only 8 characters long) and then I call ChangePassword() to change the user's password after I've already reset it.

My workaround seems kludgy and I thought it would be better to configure ResetPassword() to do what I want.

Thank you~!

ColoradoTechie

Answer 1

I know this has already been answered but I wanted to add my 2 cents since I came across this issue today.

The SQLMembershipProvider class exposes

public virtual string GeneratePassword()

which is called by ResetPassword. Therefore you can simply extend the SQLMembershipProvider class and implement your own version of GeneratePassword.

Note that doing so will require you to update the membership provider entry in your web.config to use your new membership provider class:

<membership>
  <providers>
    <add type="My.Namespace.MyCustomSqlMembershipProvider" ... />        

Answer 2

Using the GeneratePassword method ensures at least that the created password fulfills your setup for MinRequiredPasswordLength and MinRequiredNonAlphanumericCharacters. I am doing something like this:

// aUser is of class MembershipUser
string aTempPassword = aUser.ResetPassword();
string aNewPassword = Membership.GeneratePassword(
                           Membership.MinRequiredPasswordLength, 
                           Membership.MinRequiredNonAlphanumericCharacters);
aUser.ChangePassword(aTempPassword, aNewPassword);

Well, that's only 50% of what you want since you cannot control the character set used for the final password.

(Actually that's also from my viewpoint the more important aspect - especially if you have users who need 10 minutes and 3 support calls to hit the key combination of a curled bracket successfully and don't have a clue what a clipboard is. ResetPassword can make you one of the most hated persons.)

Answer 3

I don't believe you can do anything to "configure" the ResetPassword() call. You could write your own provider that changes how the ResetPassword() works.

This link describes the same tactic you seem to be doing already....

Staying with your work around/hack may be the simplest way to go. :-)

However, if you want to learn more on how to create your own provider check out these links.

http://www.asp.net/learn/videos/video-189.aspx

http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx

http://www.devx.com/asp/Article/29256/0/page/3

http://www.15seconds.com/issue/050216.htm