Recovering a User's Forgotten Password

With the plethora of user accounts most people have these days, remembering all your different passwords can be difficult. To help those who have forgotten their password, sites that support user accounts typically include a way for users to retrieve their passwords. ASP.NET contains a PasswordRecovery Web control designed to help with this process. The PasswordRecovery control is a three-step wizard control that progresses through the following stages:

The user is asked for his username.

The user's security question is displayed, prompting the visitor for the answer to the question.

After the user provides the correct answer, the password is sent via email to the user's email address.

After the user completes these stages, the PasswordRecovery control sends the following email message:

Please return to the site and log in using the following information.
User Name: Username
Password: Password

You can send a more customized email message by creating a file and setting the PasswordRecovery control's MailDefinition property, just like with the CreateUserWizard control. For more on sending emails, refer to this hour's "Configuring a Website's SMTP Settings" and "Emailing Users a Message After Creating Their Accounts" sections.

Watch Out!

Because the user is emailed her password, this process works only if you have collected the user's email address when she created her account. If the user's email address is not in the database, the user will not be able to proceed past step 2 of the password recovery workflow, regardless of whether she provides the correct answer to the security question.

If you try out the PasswordRecovery control on a page, you'll find that the password you are sent is a new, randomly generated password, and not the password you created the account with. The reason is that, by default, the ASP.NET user account system does not store the users' passwords in a plain-text format. Rather, it uses a one-way hash of the passwords.

Without getting into the technical details, a one-way hash is a function that takes in an input and modifies it in such a way that it is computationally infeasible to take the result and deduce the initial input. Because the database stores the hashed results of the passwords, rather than the plain text, even if the database is compromised, the intruder cannot reverse the hashed versions to recover the plain-text passwords.

At this point you may be wondering how, exactly, the system authenticates a user. If the database doesn't contain the user's plain-text password, but just a one-way hash of the password, how can we determine whether a user has provided valid credentials? The system takes the plain-text password sent by the user when providing his credentials and hashes it, and then compares the hashed results of the user's supplied password with the hashed value stored in the database. If they match up, the user is assumed to be valid.

By the Way

For more background on hashing algorithms, check out the August 2003 edition of MSDN Magazine's "Security Briefs" column, available online at

Because there is no way to take the hashed version stored in the database and convert it back into the plain-text form, the PasswordRecovery control has no option but to give the user a new, random password. The ASP.NET user account system can be configured to support plain-text passwords, however, in which case the PasswordRecovery control will email the user her plain-text password. A thorough discussion on configuring the system to allow for plain-text passwords is beyond the scope of this book. For more information, consult the "How To: Use Membership in ASP.NET 2.0" documentation at
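
The hash-and-compare login check and the forced reset described above, as an added C# example (not code from this book or from ASP.NET's membership provider). It assumes .NET 6 or later and uses salted PBKDF2-HMAC-SHA256 as a stand-in for the provider's own hashing; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical record: what the user table holds instead of the password.
public sealed class StoredCredential
{
    public byte[] Salt = Array.Empty<byte>(); // random per-user value
    public byte[] Hash = Array.Empty<byte>(); // one-way hash of the password
}

public static class PasswordDemo
{
    const int Iterations = 100_000; // assumed work factor for this sketch

    // PBKDF2-HMAC-SHA256 is this example's choice, not the provider's algorithm.
    static byte[] HashPassword(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);

    public static StoredCredential Create(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        return new StoredCredential { Salt = salt, Hash = HashPassword(password, salt) };
    }

    // Login: hash the supplied password the same way, then compare the hashes
    // in constant time so the comparison does not leak how many bytes matched.
    public static bool Verify(StoredCredential stored, string supplied) =>
        CryptographicOperations.FixedTimeEquals(HashPassword(supplied, stored.Salt), stored.Hash);

    // Recovery: the hash cannot be turned back into the old password, so a new
    // random password replaces it; the return value is what gets emailed.
    public static string Reset(StoredCredential stored)
    {
        string newPassword = Convert.ToBase64String(RandomNumberGenerator.GetBytes(12));
        StoredCredential fresh = Create(newPassword);
        stored.Salt = fresh.Salt;
        stored.Hash = fresh.Hash;
        return newPassword;
    }

    public static void Main()
    {
        StoredCredential account = Create("correct horse"); // constructed sample
        Console.WriteLine(Verify(account, "correct horse"));
        Console.WriteLine(Verify(account, "wrong guess"));
        string emailed = Reset(account);
        Console.WriteLine(Verify(account, "correct horse")); // checked against the new hash
        Console.WriteLine(Verify(account, emailed));
    }
}
```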

By the Way

Like the other controls we examined in this and the preceding hour, the PasswordRecovery control provides a bevy of properties for customizing the appearance and behavior.
