Confusion about Password Recovery

news.sbcglobal.net

If I understand correctly, by default, ASP.NET 2.0 hashes the user password
and this hashed password is unintelligible to the user (and unusable) when
it is sent by the Password Recovery control. By default, this control
resets the user's password to something random but I've never been able to
figure out how that is useful. I can't tell (by looking at the database)
what the new password is and the user certainly doesn't know what it is.
This makes no sense to me (from a usability perspective) so I'm sure I must
be missing something.

My question is, how does the user know what his/her password has been reset
to? I would prefer to send the user their password by email which means
that I have to change the way it is stored in the database and change my
site configuration to do this.

Does anyone have a link to a useful resource to help with this?

Thanks!
 
PeterKellner

It's the design of the PasswordRecovery control that I'm questioning. This
control's default behavior out of the box results in the password being
changed to something neither the user nor the site administrator knows.
Bottom line, the user can never log in again (without creating a new
account) and the site admin can't do anything to assist other than delete
the user's original account.

From what you say here, I think you are confusing what is happening.
The password sent to the user is not encrypted. It is just randomized
so you can log in with it. The idea is so you can log in and
immediately change the password to something better.

If you don't want to send the password around email, you could always
use password question and answer to let them reset their password.

Hope this helps.
Peter Kellner
http://peterkellner.net
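
The reset flow described in the reply above, modeled as an added example that is not part of the original thread and is not ASP.NET's own code: the store keeps only a salted hash, while the random plaintext is returned once for the email. The function names, the in-memory `USERS` table, and the use of PBKDF2 are assumptions of this sketch, not the membership provider's implementation.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Toy stand-in for the membership table: username -> (salt_b64, hash_b64).
USERS = {}

def _hash(password, salt):
    # Salted one-way hash. PBKDF2-SHA256 is this sketch's choice (assumption).
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return base64.b64encode(digest).decode("ascii")

def set_password(user, password):
    # Only the salt and the hash are stored; the plaintext is discarded.
    salt = secrets.token_bytes(16)
    USERS[user] = (base64.b64encode(salt).decode("ascii"), _hash(password, salt))

def validate(user, password):
    # Re-hash the candidate with the stored salt and compare in constant time.
    if user not in USERS:
        return False
    salt_b64, stored = USERS[user]
    candidate = _hash(password, base64.b64decode(salt_b64))
    return hmac.compare_digest(candidate, stored)

def reset_password(user):
    # Generate a random password, store its hash, and return the plaintext
    # once so it can be placed in the recovery email.
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    new_password = "".join(secrets.choice(alphabet) for _ in range(14))
    set_password(user, new_password)
    return new_password

def change_password(user, old, new):
    # The emailed password is meant to be replaced right after first login.
    if not validate(user, old):
        return False
    set_password(user, new)
    return True

if __name__ == "__main__":
    set_password("alice", "old-Secret1")            # constructed sample account
    emailed = reset_password("alice")
    print("emailed password works:", validate("alice", emailed))
    print("stored hash works as a password:", validate("alice", USERS["alice"][1]))
```

The value visible in the database row is the hash, which is why it cannot be read back or typed into the login form; the usable value exists only in the email.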
 
news.sbcglobal.net

You're right...I just took a look at the password that was sent and assumed
that the hashed password had been sent (which cannot be used to log in). If
I'd looked closer I would have seen it wasn't what I thought.

Thanks for pointing this out to me...now it makes sense to me.
 
