Password generator

Hi. Since EPiServer is practically locking down all access to the user's passwords (best practice), it would be nice if you could provide us with a sample for generating passwords, typically for users who "forgot their password". Perhaps also enable access to this feature from user admin, instead of having admin users enter this manually? Also see http://www.episerver.com/templates/ForumItem____3535.aspx for more discussion on this subject.

Frank :)
#18722
Mar 25, 2008 19:45
I've got an alternative solution that I like better than generating new passwords for users; maybe it has some drawbacks that I haven't been thinking about. Here goes...

1. Generate a new strong token using RNGCryptoServiceProvider().GetBytes and store a Base64 version (string) in PersonalizedData using Load/Save methods for the username for which a new password is desired.
2. Send a mail to the user (e-mail stored in PersonalizedData) with a link back to the site where both the token and user name are in the querystring.
3. When the user hits the link you match the token in the querystring with the data in PersonalizedData to validate that the user is authorized to change the password.
4. Let the user change password and then delete the token in the PersonalizedData object (set it to null).

This approach has some advantages:

1. We don't have to automatically generate pseudo-readable passwords (which the user wants to change anyway).
2. Other users can't change passwords for other users; the mail may contain a statement like "If you don't want to change your password, please ignore this mail".
#18954
Mar 25, 2008 19:45
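
The token flow from the post above, as an added C# example that is not code from either poster or from EPiServer. `ResetStore` is a hypothetical in-memory stand-in for the per-user storage (PersonalizedData in the post); storing only a hash of the token and the 30-minute expiry are assumptions that go beyond what the post describes.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example. ResetStore is a hypothetical, non-thread-safe stand-in for the
// per-user storage the post uses; the 30-minute lifetime is an assumed policy.
public static class PasswordResetTokens
{
    private sealed class Entry { public byte[] Hash; public DateTime ExpiresUtc; }
    private static readonly Dictionary<string, Entry> ResetStore =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);

    // Steps 1-2: create the token, keep only its hash, return the value for the link.
    public static string Issue(string userName)
    {
        byte[] token = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(token);
        ResetStore[userName] = new Entry { Hash = Sha256(token), ExpiresUtc = DateTime.UtcNow + Lifetime };
        // Base64 contains '+', '/' and '=', which must be escaped inside a query string.
        return Uri.EscapeDataString(Convert.ToBase64String(token));
    }

    // Steps 3-4: 'token' is the already URL-decoded query-string value from the link.
    public static bool Redeem(string userName, string token)
    {
        if (userName == null || string.IsNullOrEmpty(token)) return false;
        Entry entry;
        if (!ResetStore.TryGetValue(userName, out entry)) return false;
        if (DateTime.UtcNow > entry.ExpiresUtc) { ResetStore.Remove(userName); return false; }
        byte[] presented;
        try { presented = Convert.FromBase64String(token); }
        catch (FormatException) { return false; }
        if (!FixedTimeEquals(Sha256(presented), entry.Hash)) return false;
        ResetStore.Remove(userName); // single use: the same link cannot be replayed
        return true;
    }

    private static byte[] Sha256(byte[] data) { using (var sha = SHA256.Create()) return sha.ComputeHash(data); }

    // Compare every byte so the time taken does not reveal where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Call `Redeem` only after the new password has been accepted, so a failed password change does not consume the token.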