Scott on Writing

Musings on technical writing...

Creating Random Passwords in ASP.NET 2.0

One of the major design goals of ASP.NET 2.0 was to identify common page developer scenarios and to provide customizable, extensible platform support.  One such area in ASP.NET 2.0 is the Membership API, which makes it a breeze to work with user accounts.  In the System.Web.Security namespace you'll find the Membership class, which is designed to “validate user credentials and manage user settings.”

One method in the Membership class is GeneratePassword(length, numberOfNonAlphanumeric), which, as its name implies, generates a random password of length length with at least numberOfNonAlphanumeric characters that are... non-alphanumeric.  This method uses a cryptographically strong random number generator to grab a random byte array of the desired length.  It then maps these bytes to appropriate alphanumeric and non-alphanumeric characters.  Finally, it ensures that at least numberOfNonAlphanumeric non-alphanumeric characters have been injected into the random password; if not, it hunts for alphanumeric characters and replaces them with randomly selected non-alphanumeric characters until the threshold is met.

But what if you're still using ASP.NET 1.x and you need to generate a random password?  What do you do?  Well, why not use Reflector to view the GeneratePassword() method's source code and simply port that back to ASP.NET 1.x code?  That's precisely what I did in my most recent 4Guys article, Generating Random Passwords with ASP.NET.  (In addition to looking at using GeneratePassword() the article also looks at a “quick and dirty” random password generating technique using GUIDs.)
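The three steps described above (random bytes, mapping to characters, topping up the non-alphanumeric count), as an added C# sketch. It is not the framework's source or the port from the 4Guys article; the class name, the two alphabets, the 128-character limit and the rejection-sampling helper are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;

// Added illustration, not the framework's code. Alphabets are assumed.
public static class PasswordSketch
{
    const string Alnum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    const string Punct = "!@#$%^&*()_-+=[{]};:>|./?";
    static readonly RandomNumberGenerator Rng = RandomNumberGenerator.Create();

    // Uniform integer in [0, max) for 1 <= max <= 256. Bytes at or above the
    // largest multiple of max are rejected, so the modulo introduces no bias.
    static int Next(int max)
    {
        int limit = 256 - (256 % max);
        byte[] b = new byte[1];
        do { Rng.GetBytes(b); } while (b[0] >= limit);
        return b[0] % max;
    }

    public static string Generate(int length, int minNonAlnum)
    {
        if (length < 1 || length > 128 || minNonAlnum < 0 || minNonAlnum > length)
            throw new ArgumentException("need 1 <= length <= 128 and 0 <= minNonAlnum <= length");

        string all = Alnum + Punct;
        char[] pw = new char[length];
        int nonAlnum = 0;

        // Steps 1 and 2: draw CSPRNG values and map each one to a character.
        for (int i = 0; i < length; i++)
        {
            pw[i] = all[Next(all.Length)];
            if (!char.IsLetterOrDigit(pw[i])) nonAlnum++;
        }
        // Step 3: replace alphanumerics at random positions until the minimum
        // is met. The minimum is a lower bound: 0 does not exclude punctuation.
        while (nonAlnum < minNonAlnum)
        {
            int pos = Next(length);
            if (!char.IsLetterOrDigit(pw[pos])) continue;
            pw[pos] = Punct[Next(Punct.Length)];
            nonAlnum++;
        }
        return new string(pw);
    }

    public static void Main() { Console.WriteLine(Generate(12, 3)); }
}
```

Because the second argument only sets a floor, a caller who needs a purely alphanumeric password has to draw from the alphanumeric alphabet alone rather than pass 0.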

posted on Wednesday, October 12, 2005 9:10 AM

Feedback

# re: Creating Random Passwords in ASP.NET 2.0 10/12/2005 6:59 PM Milan Negovan

Scott, did you have a chance to pick up a copy of CoDe Magazine at the summit? They have a pretty darn good article by Don Kiely (http://code-magazine.com/Article.aspx?quickid=0509021) where he goes over the many ways to secure data within SQL Server 2005 with symmetric and asymmetric algorithms.

It's pretty fascinating how you can secure only one field, which---I think---will help tremendously with storing passwords and other sensitive data.

# re: Creating Random Passwords in ASP.NET 2.0 10/12/2005 9:42 PM Jeff Atwood

Couldn't we do better than random passwords? Is it helpful to provide a password like "@aEo5!-c" to a user?

This seems like an interesting technological solution to a question nobody was asking. We can do better.

I think a dictionary-based approach would be far friendlier for the user, akin to AOL's old "30 hours free" floppy disk password scheme:

LION+AGAPE
XYLOPHONE$HAPPINESS

# re: Creating Random Passwords in ASP.NET 2.0 10/12/2005 10:10 PM Scott Mitchell

Jeff, your approach sounds much more usable, but I think Microsoft is a bit worried about dictionary attacks (perhaps overly so... kind of funny how seriously Microsoft takes security now to the detriment of usability, when before they seemed to pride usability over security...).

# re: Creating Random Passwords in ASP.NET 2.0 10/13/2005 9:03 AM Ben Strackany

Jeff brings up an interesting point. I wonder how many security breaches are caused by people writing their passwords down on paper because they can't remember them.

# re: Creating Random Passwords in ASP.NET 2.0 10/13/2005 9:13 AM Scott Mitchell

What's scary is when I go to the doctor's office and I see the receptionist with about five sticky notes on her monitors with (what looks like) passwords for various systems. :-p

# re: Creating Random Passwords in ASP.NET 2.0 11/14/2006 6:12 AM James Cates

Yeah, but those are wavelength-encrypted Post-It notes, whose *true* text has been obfuscated to anyone other than the original writer. I totally agree with Jeff. Too much password complexity makes life unbearable for "amateur" users; it just simply does.

# re: Creating Random Passwords in ASP.NET 2.0 3/22/2007 6:19 PM confused

If I set numberOfNonAlphanumeric to 0, I thought it would return a password that only contains alphanumeric chars, but it doesn't. Is there a way to achieve this?
