Scott on Writing

Musings on technical writing...

Creating Random Passwords in ASP.NET 2.0

One of the major design goals of ASP.NET 2.0 was to identify common page developer scenarios and to provide customizable, extensible platform support. One such area in ASP.NET 2.0 is the Membership API, which makes it a breeze to work with user accounts. In the System.Web.Security namespace you'll find the Membership class, which is designed to “validate user credentials and manage user settings.”

One method in the Membership class is GeneratePassword(length, numberOfNonAlphanumeric), which, as it's name implies, generates a random number of length length with at least numberOfNonAlphanumeric characters that are... non-alphanumeric. This method using a cryptographically-strong random number generator to grab a random byte array of the desired length. It then maps these bytes to appropriate alphanumeric and non-alphanumeric characters. Finally, it ensures that at least the numerOfNonAlphanumeric characters has been injected into the random password; if not, it hunts for alphanumeric characters and replaces them with randomly selected non-alphanumeric characters until the threshold is met.

But what if you're still using ASP.NET 1.x and you need to generate a random password? What do you do? Well, why not use Reflector to view the GeneratePassword() method's source code and simply port that back to ASP.NET 1.x code? That's precisely what I did in my most recent 4Guys article, Generating Random Passwords with ASP.NET. (In addition to looking at using GeneratePassword() the article also looks at a “quick and dirty” random password generating technique using GUIDs.)

posted on Wednesday, October 12, 2005 9:10 AM

Feedback

# re: Creating Random Passwords in ASP.NET 2.0 10/12/2005 6:59 PM Milan Negovan

Scott, did you have a chance to pick up a copy of CoDe Magazine at the summit? They have a pretty darn good article by Don Kiely (http://code-magazine.com/Article.aspx?quickid=0509021) where he goes over the many ways to secure data within SQL Server 2005 with symmetric and asymmetric algorithms.

It's pretty fascinating how you can secure only one field, which---I think---will help tremendously with storing passwords and other sensitive data.

# re: Creating Random Passwords in ASP.NET 2.0 10/12/2005 9:42 PM Jeff Atwood

Couldn't we do better than random passwords? Is it helpful to provide a password like "@aEo5!-c" to a user?

This seems like an interesting technological solution to a question nobody was asking. We can do better.

I think a dictionary-based approach would be far friendlier for the user, akin to AOL's old "30 hours free" floppy disk password scheme:

LION+AGAPE
XYLOPHONE$HAPPINESS

# re: Creating Random Passwords in ASP.NET 2.0 10/12/2005 10:10 PM Scott Mitchell

Jeff, your approach sounds much more usable, but I think Microsoft is a bit worried about dictionary attacks (perhaps overly so... kind of funny how serious Microsoft takes security now to the detriment of usability, when before they seemed to pride usability over security...).

# re: Creating Random Passwords in ASP.NET 2.0 10/13/2005 9:03 AM Ben Strackany

Jeff brings up an interesting point. I wonder how many security breaches are caused by people writing their passwords down on paper because they can't remember them.

# re: Creating Random Passwords in ASP.NET 2.0 10/13/2005 9:13 AM Scott Mitchell

What's scary is when I go to the doctor's office and I see the receptionist with about five sticky notes on her monitors with (what looks like) passwords for various systems. :-p

# re: Creating Random Passwords in ASP.NET 2.0 11/14/2006 6:12 AM James Cates

Yeah, but those are wavelength-encrypted Post-It notes, whose *true* text has been obfuscated to anyone other than the original writer. I totally agree with Jeff. Too much password complexity makes life unbearable for "amateur" users; it just simply does.

# re: Creating Random Passwords in ASP.NET 2.0 3/22/2007 6:19 PM confused

If I set numberOfNonAlphanumeric to 0, I thought it will return a password only contains alphanumeric chars, but it doesn't. is there a way to achieve this?

Title:

Name:

Url:

Enter the code you see:

Comments

Remember Me?

Add To Your Reader

My Links

Post Categories

May 2008

Comment Stats

Day	Total	% of Total
Sunday	186	6.8%
Monday	379	13.9%
Tuesday	453	16.7%
Wednesday	504	18.5%
Thursday	535	19.7%
Friday	494	18.2%
Saturday	166	6.1%
Total	2717	100.0%

Hour¹	Total	% of Total
12:00 AM	65	2.4%
1:00 AM	68	2.5%
2:00 AM	62	2.3%
3:00 AM	74	2.7%
4:00 AM	57	2.1%
5:00 AM	103	3.8%
6:00 AM	108	4.0%
7:00 AM	158	5.8%
8:00 AM	171	6.3%
9:00 AM	147	5.4%
10:00 AM	171	6.3%
11:00 AM	181	6.7%
12:00 PM	188	6.9%
1:00 PM	169	6.2%
2:00 PM	160	5.9%
3:00 PM	132	4.9%
4:00 PM	107	3.9%
5:00 PM	92	3.4%
6:00 PM	91	3.3%
7:00 PM	96	3.5%
8:00 PM	83	3.1%
9:00 PM	78	2.9%
10:00 PM	79	2.9%
11:00 PM	77	2.8%
Total	2717	100.0%

Comments by Blog Entry Date/Time

Day Entry Made	Avg.	Total
Sunday	5.54	144
Monday	5.22	339
Tuesday	4.28	419
Wednesday	7.67	637
Thursday	6.90	607
Friday	5.48	411
Saturday	5.33	160
Total	5.84	2717

Hour¹ Entry Made	Avg.	Total
12:00 AM	5.00	35
1:00 AM	1.00	2
5:00 AM	0.00	0
7:00 AM	7.00	35
8:00 AM	5.35	107
9:00 AM	6.32	278
10:00 AM	6.47	246
11:00 AM	4.41	181
12:00 PM	6.88	330
1:00 PM	3.00	111
2:00 PM	5.41	222
3:00 PM	8.64	285
4:00 PM	4.05	89
5:00 PM	5.92	154
6:00 PM	4.52	113
7:00 PM	9.67	174
8:00 PM	9.80	147
9:00 PM	5.05	111
10:00 PM	5.42	65
11:00 PM	4.57	32
Total	5.84	2717