PasswordRecovery and clear password sent to users

Ghistos

Hi,

I collect hashed passwords in my DB. I give the user the opportunity to
reset his password with the PasswordRecovery control. But when he receives it,
it is a series of strange characters like this: ")(i5oA8&YPZB>Y"

How can I modify my web.config to send a human-readable new password?

Tks
 
Munna

Hi,

As you know Asp.Net 2.0 password recovery control asks username first;
then if the user name exists in membership database the user receives
a clean password. If you are using hashed passwords in your membership
database, retrieving an old password is impossible since passwords are
one-way hashed. However if you make the following changes in
web.config file;

passwordFormat="Hashed"
enablePasswordReset="true"
enablePasswordRetrieval="false"

reference :

http://www.codeproject.com/KB/aspnet/Password_Recovery.aspx


best of luck

Munna
 
Ghistos

Hi Munna. I checked your link to code project and this is what the guy said :

you can use standard password recovery control with hashed passwords.
However, in this case when a user wants to recover the password, first the
old password will be reset, then a random password will be generated and sent
to user’s e-mail account. It will be a totally meaningless, hard to remember
password so users will have to go to their account page to change their new
password.

This is exactly my problem !!! My users seem not very comfortable with
meaningless, hard to remember passwords. So, there is no solution except to
create a new control!!!
 
Jeff Dillon

Ghistos said:
Hi Munna. I checked your link to code project and this is what the guy said :

you can use standard password recovery control with hashed passwords.
However, in this case when a user wants to recover the password, first the
old password will be reset, then a random password will be generated and sent
to user's e-mail account. It will be a totally meaningless, hard to remember
password so users will have to go to their account page to change their new
password.

This is exactly my problem !!! My users seem not very comfortable with
meaningless, hard to remember passwords. So, there is no solution except to
create a new control!!!

The point is to encourage the users to change their password. Of course they
should not be comfortable with hard to remember passwords.
 
JackPot

But on the other hand, yes, we should be telling the person to use the newly
generated strong password to login and then change that password --but-- if
they are using an application like a Password Minder they will be using a
strong password that password manager generated or they will just edit their
password in the password manager to use the newly generated strong password
sent to them. Either way, once the strong password has been returned to them
it is a waste of time to keep worrying about them.
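
An added example, not code from any poster in this thread: one way to keep hashed storage and password reset while making the e-mailed password easier to read and type is to derive from SqlMembershipProvider and override its virtual GeneratePassword method. The class name, alphabet and length below are assumptions, and the sketch assumes the password policy does not require non-alphanumeric characters.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;

// Hypothetical provider: reference it in the <membership><providers> section
// of web.config in place of System.Web.Security.SqlMembershipProvider, and
// keep passwordFormat="Hashed", enablePasswordReset="true",
// enablePasswordRetrieval="false" on that entry.
public class ReadableResetMembershipProvider : SqlMembershipProvider
{
    // 56 symbols: letters and digits without the look-alikes 0/O/o and 1/l/I.
    // Assumption: the password policy does not demand symbols.
    private const string Alphabet =
        "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789";

    // 16 characters from 56 symbols is roughly 93 bits, so dropping the
    // punctuation does not make the reset password guessable.
    private const int DefaultLength = 16;

    // The base class uses this method to create the password for a reset.
    public override string GeneratePassword()
    {
        int length = Math.Max(DefaultLength, MinRequiredPasswordLength);
        StringBuilder password = new StringBuilder(length);
        byte[] one = new byte[1];

        // Rejection sampling: discard bytes >= 224 (the largest multiple of
        // 56 below 256) so every symbol is equally likely.
        int limit = 256 - (256 % Alphabet.Length);

        // Cryptographic RNG, never System.Random, for credentials.
        RandomNumberGenerator rng = new RNGCryptoServiceProvider();
        while (password.Length < length)
        {
            rng.GetBytes(one);
            if (one[0] < limit)
            {
                password.Append(Alphabet[one[0] % Alphabet.Length]);
            }
        }
        return password.ToString();
    }
}
```

The PasswordRecovery control needs no changes, since it asks the configured provider for the reset password.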
 
