asp.net mvc5 OWIN
Guys,
I implemented owin authentication user and all works fine. I have one problem that i can't figure how to implement.
i'm trying to reset password for user, and the only things the framework provided is this method:
example:
Usermanager.ResetPassword(
I would like to reset the password without passing any token and sent email to user. what I would like to do is to reset the password and tell user what is new password :).
There is a way to do it that way?
I implemented owin authentication user and all works fine. I have one problem that i can't figure how to implement.
i'm trying to reset password for user, and the only things the framework provided is this method:
example:
Usermanager.ResetPassword(
I would like to reset the password without passing any token and sent email to user. what I would like to do is to reset the password and tell user what is new password :).
There is a way to do it that way?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you for your message, but I think that I didn't explained all my scenario.
I'm building this authentication for internal users and my requirements was to let only the Admin the access of managing users.
In the solution I provide the Admin will not be able to know the password users have as its stored in the database as a hashing password or reset, but he will be able to remove and add new password to the default password the company agree on, then the user in the first login will type the default password and will require to change the password to the one he likes(of course depend on policy).
Let me know if you still see any concern regarding this implementation.
"Kinda of active directory logic"
Thanks,
I'm building this authentication for internal users and my requirements was to let only the Admin the access of managing users.
In the solution I provide the Admin will not be able to know the password users have as its stored in the database as a hashing password or reset, but he will be able to remove and add new password to the default password the company agree on, then the user in the first login will type the default password and will require to change the password to the one he likes(of course depend on policy).
Let me know if you still see any concern regarding this implementation.
"Kinda of active directory logic"
Thanks,
1. A password is a secret. The only way two people can keep a secret is if one is dead.
2. Most systems don't store the plaintext password. They store a salted hash of the password this means that you can't send the user the password. If you go to a site and the site does offer you the recovery method which sends you the password it is insecure.
3. Implementing your proposed method allows someone other than the user to change the password. Another no-no. See Point #1