I have been searching blogs and articles for ASP.NET password recovery systems for a while. Almost all resources on this topic point out that a standard password recovery control ships with ASP.NET 2.0. That control works without problems, but it has some limitations, and some developers want more options. In this article, we will write our own password recovery system. For example, we may not want to send the password to a user's email address directly; for security reasons we may want to send a link instead of a clear-text password. This link takes the user to a change password page that does not ask for the old password.
As you know, the ASP.NET 2.0 password recovery control asks for the username first; if the username exists in the membership database, the user receives the password in clear text. If you are using hashed passwords in your membership database, retrieving the old password is impossible, since passwords are one-way hashed. However, if you make the following changes in the web.config file:
you can use the standard password recovery control with hashed passwords. In this case, when a user wants to recover the password, the old password is reset first, and then a random password is generated and sent to the user's e-mail account. It is a meaningless, hard to remember password, so users have to go to their account page to change it. A more secure option when a user forgets his/her password is to send a password change link to the user's email account instead of a new password.
I am going to skip steps like creating a mail body that includes a specific link and sending it to the user. These steps can be done in several ways. For example, in the password recovery page, we can ask a user to type the e-mail address, and with this email address, we can grab the user ID from the membership database. With this user ID, we can create a link such as http://www.nameofwebsite.com/passwordreset.aspx?userid=5e51d1fd-f8c8-431d-9b28-3db61e2dsfsfsfsfs0f30f and send it to the user's email.
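The link above uses the account's UserId as the only proof that the recipient owns the mailbox. A UserId is not a secret and never expires, so a practitioner would rather mail a random, single-use, expiring token and map it back to the user on the reset page. The following C# is an added example, not code from the article; the PasswordResetTokens class, its in-memory store (standing in for a database table) and the "token" query string name are assumptions:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical token store; an in-memory dictionary stands in for a database table.
public sealed class PasswordResetTokens
{
    private sealed class Entry { public Guid UserId; public DateTime ExpiresUtc; public bool Used; }

    // Keyed by SHA-256(token) so a leaked table cannot be replayed as reset links.
    private readonly Dictionary<string, Entry> store = new Dictionary<string, Entry>();
    private readonly TimeSpan lifetime;

    public PasswordResetTokens(TimeSpan lifetime) { this.lifetime = lifetime; }

    // Issue a 32-byte random token for userId; the raw token goes into the e-mailed link.
    public string Issue(Guid userId, DateTime nowUtc)
    {
        byte[] raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        store[Hash(token)] = new Entry { UserId = userId, ExpiresUtc = nowUtc + lifetime };
        return token;
    }

    // Returns the user the token was issued for, or null if unknown, expired or already used.
    // A token is burned on its first successful redemption, so a link works only once.
    public Guid? Redeem(string token, DateTime nowUtc)
    {
        Entry e;
        if (token == null || !store.TryGetValue(Hash(token), out e)) return null;
        if (e.Used || nowUtc > e.ExpiresUtc) return null;
        e.Used = true;
        return e.UserId;
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}

// In passwordreset.aspx the handler would then look the user up by key instead of trusting
// the userid query string (assumed field name "tokens"):
//   Guid? id = tokens.Redeem(Request.QueryString["token"], DateTime.UtcNow);
//   MembershipUser user = id == null ? null : Membership.GetUser(id.Value);
// followed by user.ChangePassword(user.ResetPassword(), TextBox2.Text) as in the article.
```

With this design the mailed link reveals nothing about the account, and an old link stops working after the lifetime passes or after it has been used once.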
After this step, we are going to create a password reset page. On this page, we drag and drop a DetailsView control, a SqlDataSource, two TextBoxes and a Button. The DetailsView control will be invisible, because we only use it to grab the user name for the user ID. We use the SqlDataSource to bind the DetailsView to the membership database. Our textboxes are for typing the new password; we use two different textboxes because the second one is for re-typing the new password. Our button is the 'Change Password' button.
First, I will start with the ASPX page, and then I will explain the .cs (code-behind) file.
In the .aspx page, we create a DetailsView control and set its Visible property to False. Drag and drop a SqlDataSource and connect it to the membership database. In the SELECT statement, we select the username and user ID from the Users table. Set the QueryStringParameter to userid.
<%-- Hidden DetailsView: resolves the username for the userid passed in the query string --%>
<asp:DetailsView ID="DetailsView1" runat="server" AutoGenerateRows="False"
    DataSourceID="SqlDataSource1" DefaultMode="Edit" Height="50px" Visible="False">
    <Fields>
        <asp:BoundField DataField="userid" HeaderText="UserId" ReadOnly="True" />
        <asp:TemplateField HeaderText="username" SortExpression="username">
            <EditItemTemplate>
                <asp:TextBox ID="TextBox1" runat="server" Text='<%# Bind("username") %>' />
            </EditItemTemplate>
        </asp:TemplateField>
    </Fields>
</asp:DetailsView>
This way, with a link that includes the user ID, we can grab the username for the user ID. We need the user name in order to make the password changes in the membership table.
In the .cs file, we grab this user name from the DetailsView control. With this user name, we reset the old hashed password and store the new one in the membership database.
// Requires: using System.Web.Security;  (Membership, MembershipUser)
protected void Button1_Click(object sender, EventArgs e)
{
    if (TextBox2.Text == TextBox3.Text)
    {
        // The hidden DetailsView holds the user name resolved from the userid in the query string.
        TextBox UserName1 = (TextBox)DetailsView1.FindControl("TextBox1");
        string un = UserName1.Text;
        MembershipUser user = Membership.GetUser(un);
        // Hashed passwords cannot be read back, so reset to a random one, then change to the new one.
        string oldpswd = user.ResetPassword();
        string newpass = TextBox2.Text;
        user.ChangePassword(oldpswd, newpass);
        Label2.Text = "Your Password has been changed";
        Response.Redirect("login.aspx");
    }
    else
    {
        Label2.Text = "Retype your Password";
    }
}
At the end of these steps, the new password is stored in hashed format. By calling Response.Redirect("login.aspx"); the user is redirected to the login page.