12.7. Custom Password Generation

If you use the password reset feature of SqlMembershipProvider, then you will be depending on the default behavior the provider supplies for automatically generating passwords. The default behavior uses the Membership.GeneratePassword method to create a password that conforms to the configured password strength requirements. These are defined by the provider's minRequiredPasswordLength and minRequiredNonAlphanumericCharacters configuration attributes. Note that even if you set the minRequiredNonAlphanumericCharacters attribute to zero, it is likely that the auto-generated password will still contain nonalphanumeric characters.

The internal implementation of Membership.GeneratePassword randomly selects password characters from a predefined set of nonalphanumeric characters as well as the standard set of uppercase and lowercase letters and digits. As a result, the GeneratePassword method only guarantees that there are at least as many nonalphanumeric characters as required by the minRequiredNonAlphanumericCharacters attribute. The method does not guarantee creating exactly as many nonalphanumeric characters as specified in the configuration attribute; instead, it is likely that GeneratePassword will generate a few more nonalphanumeric characters than specified by minRequiredNonAlphanumericCharacters.

If you don't want this behavior, or if you have your own requirements and algorithm for creating random passwords, you can choose to override ...
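As an added illustration (not code from the book), the following sketch shows one custom algorithm that produces exactly the configured number of nonalphanumeric characters, hooked in by overriding the provider's virtual GeneratePassword method. The class name and both character sets are assumptions made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.Security;

// Hypothetical class name; not part of ASP.NET or the book.
public class ExactSymbolCountProvider : SqlMembershipProvider
{
    // Constructed character sets for this example (adjust to your policy).
    private const string Alnum = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private const string Symbols = "!@#$%^&*()_-+=[{]};:>|./?";
    private static readonly RNGCryptoServiceProvider Rng = new RNGCryptoServiceProvider();

    // Called by ResetPassword when the provider needs a new password.
    public override string GeneratePassword()
    {
        int length = Math.Max(MinRequiredPasswordLength, 14); // stock provider also uses at least 14
        return Generate(length, MinRequiredNonAlphanumericCharacters);
    }

    // Returns a password with exactly symbolCount nonalphanumeric characters.
    public static string Generate(int length, int symbolCount)
    {
        if (length < 1 || length > 128) throw new ArgumentOutOfRangeException("length");
        if (symbolCount < 0 || symbolCount > length) throw new ArgumentOutOfRangeException("symbolCount");
        char[] chars = new char[length];
        for (int i = 0; i < length; i++)
        {
            string set = i < symbolCount ? Symbols : Alnum;
            chars[i] = set[Next(set.Length)];
        }
        // Fisher-Yates shuffle so the symbols are not always at the front.
        for (int i = length - 1; i > 0; i--)
        {
            int j = Next(i + 1);
            char tmp = chars[i]; chars[i] = chars[j]; chars[j] = tmp;
        }
        return new string(chars);
    }

    // Uniform integer in [0, bound) for bound <= 256, using rejection sampling
    // so that the modulo does not favour low values.
    private static int Next(int bound)
    {
        byte[] b = new byte[1];
        int limit = 256 - (256 % bound);
        do { Rng.GetBytes(b); } while (b[0] >= limit);
        return b[0] % bound;
    }
}
```

Registering this class as the membership provider in web.config, in place of SqlMembershipProvider, makes password resets use it; the existing minRequiredPasswordLength and minRequiredNonAlphanumericCharacters attributes continue to drive the result.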
