I'm trying to create a process that allows me to limit the non-alphanumeric
characters generated with the PasswordRecovery control. Specially I want to
suppress some characters for security reasons. With textboxes I'm doing this
with a RegularExpressionValidator control and have the following the
following attribute setup:
ValidationExpression="^[a-zA-Z0-9\.\-_@#$%^&+=]{6,100}"
This limits the user input to alphanumeric characters as well of some
selected characters. The problem is when I use the built-in PasswordRecovery
control, I can't find a way to limit the random characters, some of which
cause a validation error within the RegularExpressionValidator control. For
example, the following was created by the PasswordRecovery control for a new
password:
UFa]d+T|!&D9eE
Some of the characters violate my regular expression. So I tried two other
approaches which also have failed. One was to simplify my regular expression
to just check that a minimum and maximum number of characters were passed,
such as:
ValidationExpression="^[\w]{6,100}"
So "UFa]d+T|!&D9eE" should pass this test, but unfortunately it doesn't
because of the bracket ("]") confuses the regex processing.
The other path I explored was creating my own Password Recovery user control
and started coding with MembershipUser.ResetPassword and related functions.
Unfortunately I couldn't find away to reset the user password without having
the current password. Since I'm using the hash method to store the password,
I can't obtain the password via code. Since the user forgot the password, I
can't ask the user for it on the form. It seems like catch-22!
My two questions:
1. Using the PasswordRecovery Control, can I limit the characters that are
randomly generated when the user control is created? Even just limiting to
alphanumeric would be good.
2. Creating my own control, how do I reset the password without knowing the
original password, while using the hash method to store passwords?
