Scott on Writing

Musings on technical writing...

Creating Random Passwords in ASP.NET 2.0

One of the major design goals of ASP.NET 2.0 was to identify common page developer scenarios and to provide customizable, extensible platform support.  One such area in ASP.NET 2.0 is the Membership API, which makes it a breeze to work with user accounts.  In the System.Web.Security namespace you'll find the Membership class, which is designed to “validate user credentials and manage user settings.”

One method in the Membership class is GeneratePassword(length, numberOfNonAlphanumeric), which, as its name implies, generates a random password of length length with at least numberOfNonAlphanumeric characters that are... non-alphanumeric.  This method uses a cryptographically strong random number generator to grab a random byte array of the desired length.  It then maps these bytes to appropriate alphanumeric and non-alphanumeric characters.  Finally, it ensures that at least numberOfNonAlphanumeric non-alphanumeric characters have been injected into the random password; if not, it hunts for alphanumeric characters and replaces them with randomly selected non-alphanumeric characters until the threshold is met.
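The three steps described above, sketched as an added example (this is not Microsoft's GeneratePassword source and not the code from the 4Guys article). The class name, the two character sets and the use of RandomNumberGenerator.GetInt32 (.NET Core 3.0 and later) are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;

static class PasswordSketch
{
    // Character sets are assumptions for this example, not the framework's own tables.
    const string Alnum = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    const string Punct = "!@#$%^&*()_-+=[{]};:>|./?";

    // Returns `length` CSPRNG-chosen characters, at least `minPunct` of them non-alphanumeric.
    public static string Generate(int length, int minPunct)
    {
        if (length < 1 || minPunct < 0 || minPunct > length)
            throw new ArgumentException("need length >= 1 and 0 <= minPunct <= length");

        string all = Alnum + Punct;
        char[] pw = new char[length];
        int punctCount = 0;

        // Steps 1 and 2: draw every character from the full set.
        // GetInt32 is uniform over [0, n), which avoids the bias of a plain "byte % n".
        for (int i = 0; i < length; i++)
        {
            pw[i] = all[RandomNumberGenerator.GetInt32(all.Length)];
            if (!char.IsLetterOrDigit(pw[i])) punctCount++;
        }

        // Step 3: top up to the minimum by overwriting alphanumeric slots at random positions.
        // Terminates because punctCount < minPunct <= length leaves an alphanumeric slot.
        while (punctCount < minPunct)
        {
            int pos = RandomNumberGenerator.GetInt32(length);
            if (char.IsLetterOrDigit(pw[pos]))
            {
                pw[pos] = Punct[RandomNumberGenerator.GetInt32(Punct.Length)];
                punctCount++;
            }
        }
        return new string(pw);
    }

    static void Main()
    {
        Console.WriteLine(Generate(12, 3));
        // minPunct is a floor, not an exact count: 0 can still produce punctuation.
        Console.WriteLine(Generate(12, 0));
    }
}
```

Because the second argument is only a minimum, a caller who needs a strictly alphanumeric password with this sketch would have to draw from Alnum alone instead of passing 0.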

But what if you're still using ASP.NET 1.x and you need to generate a random password?  What do you do?  Well, why not use Reflector to view the GeneratePassword() method's source code and simply port that back to ASP.NET 1.x code?  That's precisely what I did in my most recent 4Guys article, Generating Random Passwords with ASP.NET.  (In addition to looking at using GeneratePassword() the article also looks at a “quick and dirty” random password generating technique using GUIDs.)

posted on Wednesday, October 12, 2005 9:10 AM

Feedback

# re: Creating Random Passwords in ASP.NET 2.0 10/12/2005 6:59 PM Milan Negovan

Scott, did you have a chance to pick up a copy of CoDe Magazine at the summit? They have a pretty darn good article by Don Kiely (http://code-magazine.com/Article.aspx?quickid=0509021) where he goes over the many ways to secure data within SQL Server 2005 with symmetric and asymmetric algorithms.

It's pretty fascinating how you can secure only one field, which---I think---will help tremendously with storing passwords and other sensitive data.

# re: Creating Random Passwords in ASP.NET 2.0 10/12/2005 9:42 PM Jeff Atwood

Couldn't we do better than random passwords? Is it helpful to provide a password like "@aEo5!-c" to a user?

This seems like an interesting technological solution to a question nobody was asking. We can do better.

I think a dictionary-based approach would be far friendlier for the user, akin to AOL's old "30 hours free" floppy disk password scheme:

LION+AGAPE
XYLOPHONE$HAPPINESS

# re: Creating Random Passwords in ASP.NET 2.0 10/12/2005 10:10 PM Scott Mitchell

Jeff, your approach sounds much more usable, but I think Microsoft is a bit worried about dictionary attacks (perhaps overly so... kind of funny how seriously Microsoft takes security now to the detriment of usability, when before they seemed to pride usability over security...).

# re: Creating Random Passwords in ASP.NET 2.0 10/13/2005 9:03 AM Ben Strackany

Jeff brings up an interesting point. I wonder how many security breaches are caused by people writing their passwords down on paper because they can't remember them.

# re: Creating Random Passwords in ASP.NET 2.0 10/13/2005 9:13 AM Scott Mitchell

What's scary is when I go to the doctor's office and I see the receptionist with about five sticky notes on her monitors with (what looks like) passwords for various systems. :-p

# re: Creating Random Passwords in ASP.NET 2.0 11/14/2006 6:12 AM James Cates

Yeah, but those are wavelength-encrypted Post-It notes, whose *true* text has been obfuscated to anyone other than the original writer. I totally agree with Jeff. Too much password complexity makes life unbearable for "amateur" users; it just simply does.

# re: Creating Random Passwords in ASP.NET 2.0 3/22/2007 6:19 PM confused

If I set numberOfNonAlphanumeric to 0, I thought it would return a password that only contains alphanumeric chars, but it doesn't. Is there a way to achieve this?

I am a Microsoft MVP for ASP.NET.
I am an ASPInsider.