When a user on our site loses his password and heads off to the Lost Password page we need to give him a new temporary password. I don't really mind how random this is, or if it matches all the "needed" strong password rules, all I want to do is give them a password that they can change later.

The application is a Web application written in C#, so I was thinking of being mean and going for the easy route of using part of a Guid, i.e.

Guid.NewGuid().ToString("d").Substring(1,8)

Suggestions? Thoughts?

+4  A: 

This is a lot larger, but I think it looks a little more comprehensive: http://www.obviex.com/Samples/Password.aspx

Geoffrey Chetwood
It turns out that there is support for this by the framework. So I am accepting that answer rather!
FryHard
A: 

I would say that method is as good as any other. It's short and does the job. There's an extremely low chance of a duplicate (substrings of GUIDs are not guaranteed to be unique) so maybe you want to start from somewhere in the middle instead of the beginning. You may also want to remove the dashes from the string with ToString("N").

John Sheehan
Just give them a complete GUID -- they forgot their password, so make them type in "{92233c28-5cd4-4100-b6d9-3471256ce1ca}" a few times!
Danimal
I have to admit that I have been close to doing this many times. Punishment will prevent them from losing the password in future. ;)
FryHard
+15  A: 
public string CreatePassword(int length)
{
    string valid = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
    string res = "";
    Random rnd = new Random();
    while (0 < length--)
        res += valid[rnd.Next(valid.Length)];
    return res;
}

This has the benefit of being able to choose from a list of available characters for the generated password (i.e. digits only, only uppercase or only lowercase etc.)

Radu094
This method (base 62) is superior to the GUID (base 16) on strength: an 8-char hex string is equivalent to a 4-5 char alphanumeric one
Jimmy
+5  A: 

For this sort of password, I tend to use a system that's likely to generate more easily "used" passwords. Short, often made up of pronounceable fragments and a few numbers, and with no intercharacter ambiguity (is that a 0 or an O? A 1 or an I?). Something like

string[] words = { "bur", "ler", "meh", "ree" };
string word = "";

Random rnd = new Random();
for (int i = 0; i < 3; i++)
   word += words[rnd.Next(words.Length)];

int numbCount = rnd.Next(4);
for (int i = 0; i < numbCount; i++)
  word += (2 + rnd.Next(7)).ToString();

return word;

(Typed right into the browser, so use only as guidelines. Also, add more words).

Adam Wright
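
An added example (not code from any of the answers): the character-list approach from the two answers above, drawing from a cryptographically secure generator instead of System.Random, with rejection sampling so no character is favoured. The class and method names and the look-alike-free alphabet are assumptions chosen for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class TempPassword
{
    // Illustrative names (assumptions). Alphabet omits look-alikes: 0/O, 1/I/l.
    public const string Unambiguous =
        "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789";

    public static string Create(int length, string alphabet = Unambiguous)
    {
        if (length <= 0) throw new ArgumentOutOfRangeException(nameof(length));
        if (string.IsNullOrEmpty(alphabet) || alphabet.Length > 256)
            throw new ArgumentException("alphabet must have 1..256 characters", nameof(alphabet));

        // Largest multiple of alphabet.Length that fits in a byte; values at or
        // above it are discarded so every character is equally likely.
        int limit = 256 - (256 % alphabet.Length);
        var result = new StringBuilder(length);
        var buffer = new byte[length * 2];

        using (var rng = RandomNumberGenerator.Create())
        {
            while (result.Length < length)
            {
                rng.GetBytes(buffer);
                foreach (byte b in buffer)
                {
                    if (b >= limit) continue;
                    result.Append(alphabet[b % alphabet.Length]);
                    if (result.Length == length) break;
                }
            }
        }
        return result.ToString();
    }

    // Bits of entropy for a password drawn uniformly from the alphabet.
    public static double EntropyBits(int length, int alphabetSize)
        => length * Math.Log(alphabetSize, 2);

    public static void Main()
    {
        Console.WriteLine(Create(12));
        Console.WriteLine("8 hex chars: {0:F1} bits", EntropyBits(8, 16));
        Console.WriteLine("12 chars:    {0:F1} bits", EntropyBits(12, Unambiguous.Length));
    }
}
```

The entropy helper makes the comparison in the comment above concrete: it shows how much an 8-character hex slice of a GUID gives up against a longer string from a wider alphabet.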
+1  A: 

I like to look at generating passwords, just like generating software keys. You should choose from an array of characters that follow a good practice. Take what @Radu094 answered with and modify it to follow good practice. Don't put every single letter in the character array. Some letters are harder to say or understand over the phone.

You should also consider using a checksum on the password that was generated to make sure that it was generated by you. A good way of accomplishing this is to use the LUHN algorithm.

Dale Ragan
A: 

Awesome! Knew you guys could help. I made use of @Rich B's suggestion, but have removed the unwanted special characters since they are probably a little hectic for my user base!

Thanks for the help!

FryHard
Can you mark me as the solution? I could sure use the points!
Geoffrey Chetwood
Done, Internet on this side of the world is SLOW!
FryHard
+32  A: 

There's always System.Web.Security.Membership.GeneratePassword(int length, int numberOfNonAlphanumericCharacters)

Rik
Didn't know that the Framework has such a method! Awesome! Will swap out my current code for this!
FryHard
I found it after spending almost a day perfecting my own pw gen code. Imagine how I felt ;)
Rik
AFAIK this method does not generate a password complying to a password policy on the domain so it's not suitable for every usage.
teebot.be