This documentation is archived and is not being maintained.

How to: Enable User Password Recovery Using the ASP.NET PasswordRecovery Control

If your application uses ASP.NET membership for authentication, you can enable password recovery in your application using the PasswordRecovery control. Your application will send users either their current password or a new password, depending on how your membership provider is configured. By default, ASP.NET hashes passwords using a non-reversible encryption scheme, so a new password is sent to the user. If your membership provider is configured to encrypt passwords or store passwords in clear text (which is not recommended), then the user's current password is sent.

To recover a password, your application must be able to send an e-mail message to the user. Your application must therefore be configured with the name of an SMTP server to which it can forward e-mail messages. For more information, see the SmtpClient class and How to: Install and Configure SMTP Virtual Servers in IIS 6.0.

To enable password recovery

  1. Create or edit an ASP.NET Web page on your site that is accessible to anonymous users (for example, RecoverPassword.aspx). In an authenticated Web site, you can use the location configuration element to specify that a page can be accessed anonymously, as shown in the following example:

      <location path="RecoverPassword.aspx">
            <allow users="?" />
        <authentication mode="Forms" >
          <forms loginUrl="UserLogin.aspx" />
          <deny users="?" />
  2. Place a PasswordRecovery control on the page as shown in the following example:

    <asp:PasswordRecovery ID="PasswordRecovery1" Runat="server">
  3. Optionally configure the following templates to customize the appearance of that PasswordRecovery control: UserNameTemplate, QuestionTemplate, and SuccessTemplate.