views: 1637

answers: 2

I'm using the standard SqlMembershipProvider that comes with the ASP.NET MVC demo.

I'm interested in implementing a "Forgot your password" link on my site.

What is the correct way for this feature to be implemented? Should I overwrite the password with a temporary one and email it to their registered email?

+4  A: 

The provider will automatically do the reset for you:

http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.resetpassword.aspx

The sample just returns the new password to the browser instead of emailing the user, but it uses the secret question / answer that can be configured with the provider.

This sample gets the password and emails it:

http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.getpassword.aspx

I think either approach is safe. The email-it step is a bit safer, since the user will have to know the question/answer and the email password to hack an account.

I realize these samples are not using MVC but I am sure it's enough to get you going. :)

klabranche
+4  A: 

Based on the nature of the application, the best practice for forgot password should be in the following order:

  1. Allow the user to verify the secret question/answer for a maximum of 3 to 5 attempts.
  2. On successful validation, send an e-mail with a randomly generated password with a validity of 24 hrs.
  3. The e-mail must contain only the password, not both username and password.
  4. When the user logs in with the temporary password, the user must be forced to create a new password before going to the home page.

Thanks

Rasik Jain
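The four steps above, modelled as an added, framework-independent example (not code from either answer and not the SqlMembershipProvider API, whose own ResetPassword/GetPassword calls are linked in the first answer): an attempt-limited secret-answer check, a random temporary password that expires after 24 hours and works once, and a flag that forces a password change on first login. The `User` class and times in plain seconds are assumptions for the sake of a self-contained script.

```python
import hashlib
import hmac
import secrets

MAX_ANSWER_ATTEMPTS = 3            # the answer suggests 3 to 5
TEMP_PASSWORD_LIFETIME_S = 24 * 3600  # validity of the e-mailed temporary password

class User:
    """Minimal account record (hypothetical; stands in for the provider's user row)."""
    def __init__(self, name, secret_answer):
        self.name = name
        self.answer_hash = _hash_answer(secret_answer)
        self.failed_answers = 0
        self.locked = False
        self.temp_hash = None          # hash of the temporary password while one is live
        self.temp_expires = None       # absolute time in seconds
        self.must_change_password = False

def _hash_answer(answer):
    # Normalise case/whitespace so "Fluffy " matches "fluffy"; store only a hash, never the answer
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()

def reset_with_secret_answer(user, answer, now):
    """Steps 1-2: attempt-limited secret-answer check, then a random 24 h temporary password.
    Returns the temporary password to e-mail (the password only, never the username), or None."""
    if user.locked:
        return None
    if not hmac.compare_digest(user.answer_hash, _hash_answer(answer)):
        user.failed_answers += 1
        if user.failed_answers >= MAX_ANSWER_ATTEMPTS:
            user.locked = True       # further resets need an out-of-band unlock
        return None
    user.failed_answers = 0
    temp = secrets.token_urlsafe(12)  # 96 random bits from the OS CSPRNG
    user.temp_hash = hashlib.sha256(temp.encode()).hexdigest()  # random token: plain hash suffices
    user.temp_expires = now + TEMP_PASSWORD_LIFETIME_S
    user.must_change_password = True  # step 4: forced change before reaching the home page
    return temp

def login_with_temp_password(user, password, now):
    """Step 4: accept the temporary password once, and only before it expires."""
    if user.temp_hash is None or now > user.temp_expires:
        return False
    if not hmac.compare_digest(user.temp_hash, hashlib.sha256(password.encode()).hexdigest()):
        return False
    user.temp_hash = None             # single use; must_change_password stays set until changed
    return True
```

After a successful `login_with_temp_password`, the application should route the user to a change-password page while `must_change_password` is set and clear the flag only once a new password has been stored.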