Override ASP.NET Membership Password Generation rules

I am a real fan of the ASP.NET Membership system as a way to deliver a basic account management and log in mechanism to a web application.  I have used it in both ASP.NET and ASP.NET MVC applications, using both SQL and Active Directory as the backing identity store.

One nuance of the Membership provider when using SQL is how it generates new passwords when the user requests their password be reset.  By default, the generated password is a whopping 14 characters in length, with no clear way to adjust the format.  (The MSDN page for SqlMembershipProvider.ResetPassword describes this behavior.)

Thankfully, it is fairly easy to create a new MembershipProvider and override the GeneratePassword method with your own rules.

First, we’ll create a new class that inherits SqlMembershipProvider.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;

namespace MyNamespace
public class MyMembershipProvider:System.Web.Security.SqlMembershipProvider

public MyMembershipProvider()
: base()
{ }


Then we’ll override the GeneratePassword() method to use our own rules for creating a new password value.  In this case we assemble an 8 character string of upper and lower case letters, numbers, and a few symbols.

public override string GeneratePassword()
    string newRandomPassword = string.Empty;
    int passwordLength = 8;
    Random random = new Random();

    while (newRandomPassword.Length != passwordLength )
        int randomNumber = random.Next(48, 122);
        if (randomNumber != 95 && randomNumber != 96)
            newRandomPassword += Convert.ToChar(randomNumber);

    return newRandomPassword;

Next, we need to update the web.config file to define our new class as a provider for the Membership system.

<membership defaultProvider="MySqlProvider">
<add name="MySqlProvider" type="MyNamespace.MyMembershipProvider" connectionStringName="MyConnectionString" applicationName="My Application" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" maxInvalidPasswordAttempts="1000" passwordAttemptWindow="5" minRequiredPasswordLength="4" minRequiredNonalphanumericCharacters="0" />



Finally, we tell the included PasswordRecovery control to use our provider class, using the name specified in the web.config entry.

<asp:PasswordRecovery ID="PasswordRecoveryControl" runat="server" Width="385px" UserNameLabelText="" OnSendingMail="PasswordRecoveryControl_SendingMail" MembershipProvider="MySqlProvider"
OnUserLookupError="ShowPasswordRecoveryError" UserNameInstructionText="Enter your Email Address to receive your password">

This is a great testimony to the Provider pattern as a way to quickly reconfigure a system.






2 responses to “Override ASP.NET Membership Password Generation rules”

  1. Steve Avatar

    Hey thanks…..nicely done! Helped me out. Exactly what my users were asking for. LoL. A more simplified scrambled password that is emailed to them. I didn’t exactly want to do it but I had to. Thanks.

  2. Gman Avatar

    Perfect! This helped me generate passwords that didn’t break our validation rules

Leave a Reply