I'm using the change password feature of the standard AspNetSqlMembershipProvider in my ASP.NET MVC-2 app:
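    // Look up the account, then reset it to a generated password
    // that can be supplied as the old password below.
    MembershipUser user = Membership.GetUser(userId);
    string pwd = user.ResetPassword();
    // Replace the generated password with the one the user entered.
    if (user.ChangePassword(pwd, confirmPassword))
    {
        // it worked
    }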
And this works for the vast majority of users, but there are a couple of users that cannot change their passwords - user.ChangePassword() just returns false.
I've tried it myself to see what was going on, and entered a simple password 12345678 for that user and it failed to change.
So it's not because they are entering passwords that do not match the password rules. My web.config has the membership provider defined like so:
    <add name="AspNetSqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="MembershipDatabaseConnectionString"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         requiresUniqueEmail="true"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="8"
         minRequiredNonalphanumericCharacters="0"
         passwordAttemptWindow="10"
         applicationName="/" />
It's just the normal definition of AspNetSqlMembershipProvider, there's nothing fancy here.
Why would one user (me) be able to change their password to be 12345678, but another user cannot change their password to be 12345678? This other user cannot change their password to anything at all.