So, I played with asp:PasswordRecovery and found that I really didn't like it, for several reasons:
1) Alice’s password can be reset even without access to Alice’s email. The security question for password reset mitigates this, but does not really satisfy me.
2) Alice’s new password is sent back to her in clear text. I would prefer to send her a special link to my page (for example example.com/recovery.aspx?P=lfaj0831uefjc), which would allow her to change her password.
I guess I can do it myself by creating some sort of table of expiring password recovery pages and sending these pages to users who asked for a reset. Somehow, these pages can also change user passwords behind the scenes (for example, by manually resetting them and then using the text of the new password to change the password, because the password cannot be changed without knowing the old one). I am sure that others have had this problem before, and this solution seems a bit hacky to me. Is there a better way to do this?
An ideal solution does not break encapsulation by directly accessing the database, but instead uses existing stored procedures in the database ... although this may not be possible.
Brian
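The expiring-token table sketched in the question, as an added example that is not the asker's code and not part of asp:PasswordRecovery. It is written in Python rather than ASP.NET to show the mechanics: the link carries a random token, the store keeps only a hash of it with an expiry and a used flag, and the password is changed only when a valid token is redeemed. The store, the in-memory user table, the helper names, the TTL and the PBKDF2 parameters are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed values for the example: a 30-minute link lifetime and a
# modest PBKDF2 cost. Tune both for a real deployment.
TOKEN_TTL_SECONDS = 30 * 60
PBKDF2_ITERATIONS = 100_000


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float          # Unix timestamp
    used: bool = False


@dataclass
class ResetStore:
    # Keyed by SHA-256(token) as hex. Stands in for the "table of expiring
    # recovery pages" from the question; a DB leak yields only hashes,
    # which cannot be turned back into a working link.
    records: Dict[str, ResetRecord] = field(default_factory=dict)


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(store: ResetStore, user_id: str,
                      now: Optional[float] = None) -> str:
    """Create a single-use, expiring token for user_id and return the raw
    token (the only copy; it goes into the emailed link, never into the DB)."""
    now = time.time() if now is None else now
    # A new request invalidates any outstanding token for the same user.
    for rec in store.records.values():
        if rec.user_id == user_id:
            rec.used = True
    token = secrets.token_urlsafe(32)          # 256 bits from the CSPRNG
    store.records[_token_key(token)] = ResetRecord(user_id, now + TOKEN_TTL_SECONDS)
    return token


def reset_link(base_url: str, token: str) -> str:
    """Build the link to email; path and parameter name follow the question."""
    return f"{base_url}/recovery.aspx?P={token}"


def redeem_reset_token(store: ResetStore, token: str,
                       now: Optional[float] = None) -> Optional[str]:
    """Return the user_id for a live token and burn it, or None if the token
    is unknown, expired or already used."""
    now = time.time() if now is None else now
    rec = store.records.get(_token_key(token))
    if rec is None or rec.used or now >= rec.expires_at:
        return None
    rec.used = True
    return rec.user_id


# Minimal user table: user_id -> (salt, pbkdf2 hash). Stands in for the
# membership provider; the reset page never needs the old password.
Users = Dict[str, Tuple[bytes, bytes]]


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def create_user(users: Users, user_id: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    users[user_id] = (salt, _pw_hash(password, salt))


def verify_password(users: Users, user_id: str, password: str) -> bool:
    entry = users.get(user_id)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, _pw_hash(password, salt))


def complete_reset(store: ResetStore, users: Users, token: str,
                   new_password: str, now: Optional[float] = None) -> bool:
    """What recovery.aspx does on POST: redeem the token, then set the new
    password directly. Nothing about the account changes until this point."""
    user_id = redeem_reset_token(store, token, now)
    if user_id is None or user_id not in users:
        return False
    create_user(users, user_id, new_password)   # rotates salt and hash
    return True


if __name__ == "__main__":
    store, users = ResetStore(), {}
    create_user(users, "alice", "old password")
    tok = issue_reset_token(store, "alice")
    print("email this:", reset_link("https://example.com", tok))
    print("reset ok:", complete_reset(store, users, tok, "new password"))
    print("replay ok:", complete_reset(store, users, tok, "again"))
```

Two points the scheme addresses directly: nobody can change Alice's password without reading her mailbox, because the account is untouched until the token is redeemed, and no password ever travels in email. In a real database, redeem the token and update the password inside one transaction so a failed update does not burn the token.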