Reputation: 676
I currently run an MVC2 website using the default Membership provider. Everything works great, but now I find the need for forgot-password functionality.
After some googling, the only good implementations I can find are based around using the machine key for security or the question and answer functionality.
The problem with those implementations is that I already have a rather large userbase. I cannot swap my passwords to machine key now as I am using a hash system already.
passwordFormat="Hashed"
I also do not want to force existing users to add a question and answer after the fact. Question and answer is also less ideal as if they forget that info as well they are out of luck.
My ideal implementation is that a user would click forgot password and enter their username or email (ideally email). They would then receive an email with either their current password (I believe this is impossible with the hash method I am using), a new randomized password they are told to change, or a link with a token that lets them reset the password once they click it.
Are there any good guides out there for doing this quickly? Everything I can find either relates to using a machine key method or question and answer. I'm quite surprised I couldn't find anything as this is very common web functionality. I was surprised it's not even a part of the default membership provider that MVC comes with.
I realize the token is the most secure followed by the randomized password, but for now I'm pretty open to any of those 3 scenarios.
If you need any more info please let me know.
Upvotes: 0
Views: 1332
Reputation: 5799
Sending the user an email to change their password is a good solution, if the user's email address is already linked to his/her account somehow. It would be ideal if your User Names are required to be email addresses. Here is how I would do it:
With this approach you won't have to email them a password, you are essentially making a feature that allows the user to change his/her password.
Upvotes: 2
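The token-link option from the question, sketched against the default Membership provider with `passwordFormat="Hashed"`. This is an added example, not code from either poster. `ResetTokens`, `Issue` and `Redeem` are hypothetical names, the in-memory dictionary stands in for a database table, and the provider is assumed to be configured with `enablePasswordReset="true"` and `requiresQuestionAndAnswer="false"`.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;
// Added example: ResetTokens and its in-memory store are hypothetical; use a database table in practice.
public static class ResetTokens
{
    private class Entry { public string UserName; public DateTime ExpiresUtc; }
    private static readonly Dictionary<string, Entry> Pending = new Dictionary<string, Entry>();
    private static readonly object Gate = new object();
    private static string Hex(byte[] b) { return BitConverter.ToString(b).Replace("-", ""); }

    // Only the SHA-256 of a token is stored, so a leaked table cannot be replayed.
    private static string HashOf(string token)
    {
        using (var sha = SHA256.Create())
            return Hex(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // Returns the raw token to embed in the e-mailed reset link.
    public static string Issue(string userName, TimeSpan lifetime)
    {
        var raw = new byte[32];                       // 256 bits from the OS CSPRNG
        new RNGCryptoServiceProvider().GetBytes(raw);
        string token = Hex(raw);
        var entry = new Entry { UserName = userName, ExpiresUtc = DateTime.UtcNow.Add(lifetime) };
        lock (Gate) { Pending[HashOf(token)] = entry; }
        return token;
    }

    // Consumes the token and sets the password the user chose on the reset page.
    public static bool Redeem(string token, string newPassword)
    {
        Entry entry;
        string key = HashOf(token ?? "");
        lock (Gate)
        {
            if (!Pending.TryGetValue(key, out entry)) return false;
            Pending.Remove(key);                      // single use, valid or expired
        }
        if (entry.ExpiresUtc < DateTime.UtcNow) return false;
        MembershipUser user = Membership.GetUser(entry.UserName);
        if (user == null) return false;
        // Hashed passwords cannot be read back: reset to a throwaway value, then change it.
        string temp = user.ResetPassword();           // requires enablePasswordReset="true"
        return user.ChangePassword(temp, newPassword);
    }
}
```

The forgot-password action that calls `Issue` should show the same response whether or not the submitted email matches an account, and the emailed link should point at an HTTPS page that posts the token and new password to `Redeem`.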