Resetting ASP.NET membership password when the user has forgotten the answer for the security question!

Here is the scenario… a web application has been implemented with the standard user management features… can create new users, the admin approves the users, can recover passwords and change security question + answer bla bla bla

What happens if a user forgets the password?… simple, just go to the password recovery page, answer the security question and get the new password in the email.

But what if he/she doesn’t remember the answer for the security question???

Well, this is exactly what happened today. Although there were some solutions on the net, they required you to create a temporary Membership provider in the config etc., which I didn’t like doing.

But to my joy, I found this post that gave me the idea. Although it is not a clean solution to the problem, it was what I wanted for the urgent need of resetting the password (since this won’t happen too often).

The post says that you have to replace the password hash and salt with the password hash and salt of a user whose password you know! What a simple idea. Well, whose password do I know?? mine of course!

So this is what I did:

  1. Changed my password to something like password_999
  2. Replaced the user’s (who doesn’t remember the security answer) password hash and salt with my hash and salt
  3. Changed my password back
  4. Gave him ‘password_999’ as the password, which he obviously will have to change once he has logged in

A more hassle-free solution would be to always have a dummy user account in the Membership database, which we can keep locked or as unapproved. And to make things even simpler, we can deploy an admin’s page that can accept the user name and replace the password hash and salt (copied from the dummy user account)… thanks to Tim Huffam
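
The hash-and-salt copy described above, written as a single guarded T-SQL statement (an added example, not code from the original post or from ASP.NET itself). It assumes the default SqlMembershipProvider schema (`dbo.aspnet_Users`, `dbo.aspnet_Membership`); both user names are hypothetical placeholders.

```sql
-- Added example. Assumes the default SqlMembershipProvider tables.
-- Both user names below are hypothetical placeholders.
DECLARE @SourceUser nvarchar(256) = N'dummy_reset_account'; -- account whose password is known
DECLARE @TargetUser nvarchar(256) = N'user_who_forgot';     -- account being reset

BEGIN TRANSACTION;

UPDATE tm
SET tm.Password       = sm.Password,
    tm.PasswordSalt   = sm.PasswordSalt,
    -- The hash is only valid together with the format it was produced under,
    -- so the format is copied along with the hash and salt.
    tm.PasswordFormat = sm.PasswordFormat,
    -- Record that the credential changed (the provider stores UTC times).
    tm.LastPasswordChangedDate = GETUTCDATE()
FROM dbo.aspnet_Membership AS tm
JOIN dbo.aspnet_Users      AS tu ON tu.UserId = tm.UserId
-- Source and target must belong to the same membership application.
JOIN dbo.aspnet_Users      AS su ON su.ApplicationId = tu.ApplicationId
JOIN dbo.aspnet_Membership AS sm ON sm.UserId = su.UserId
WHERE tu.LoweredUserName = LOWER(@TargetUser)
  AND su.LoweredUserName = LOWER(@SourceUser);

-- Commit only if exactly one membership row was touched; a typo in either
-- name (0 rows) or duplicate names across applications (>1 rows) rolls back.
IF @@ROWCOUNT = 1
    COMMIT TRANSACTION;
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR(N'Expected exactly one row to change; nothing was updated.', 16, 1);
END
```

After the copy, the target account shares the source account's password until its owner changes it, and anyone with write access to `aspnet_Membership` can perform the same swap on any account, so UPDATE permission on that table belongs only to the administrators who handle resets.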