Recovering a User s Forgotten Password

Recovering a User's Forgotten Password

With the plethora of user accounts most people have these days, remembering all your different passwords can be difficult. To help those who have forgotten their password, sites that support user accounts typically include a way for users to retrieve their passwords. ASP.NET contains a PasswordRecovery Web control designed to help with this process. The PasswordRecovery control is a three-step wizard control that progresses through the following stages:

After the user completes these stages, the PasswordRecovery control sends the following email message:

Please return to the site and log in using the following information. User Name: Username Password: Password 

You can send a more customized email message by creating a file and setting the PasswordRecovery control's MailDefinition property, just like with the CreateUserWizard control. For more on sending emails, refer to this hour's "Configuring a Website's SMTP Settings" and "Emailing Users a Message After Creating Their Accounts" sections.

If you try out the PasswordRecovery control on a page, you'll find that the password you are sent is a new, randomly generated password, and not the password you created the account with. The reason is that, by default, the ASP.NET user account system does not store the users' passwords in a plain-text format. Rather, it uses a one-way hash of the passwords.

Without getting into the technical details, a one-way hash is a function that takes in an input and modifies it in such a way that it is mathematically impossible to take the result and deduce the initial input. Because the database stores the hashed results of the passwords, rather than the plain-text, even if the database is compromised, the intruder will not be able to determine the plain-text passwords from the hashed versions.

At this point you may be wondering how, exactly, the system authenticates a user. If the database doesn't contain the user's plain-text password, but just a one-way hash of the password, how can we determine whether a user has provided valid credentials? The system takes the plain-text password sent by the user when providing his credentials and hashes it, and then compares the hashed results of the user's supplied password with the hashed value stored in the database. If they match up, the user is assumed to be valid.

Because there is no way to take the hashed version stored in the database and convert it back into the plain-text form, the PasswordRecovery control has no option but to give the user a new, random password. The ASP.NET user account system can be configured to support plain-text passwords, however, in which case the PasswordRecovery control will email the user her plain-text password. A thorough discussion on configuring the system to allow for plain-text passwords is beyond the scope of this book. For more information, consult the "How To: Use Membership in ASP.NET 2.0" documentation at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000022.asp.