SqlMembershipProvider.ChangePassword Method (String, String, String)


Modifies a user's password.

Namespace:   System.Web.Security
Assembly:  System.Web (in System.Web.dll)

public override bool ChangePassword(
	string username,
	string oldPassword,
	string newPassword


Type: System.String

The user to update the password for.

Type: System.String

The current password for the specified user.

Type: System.String

The new password for the specified user.

Return Value

Type: System.Boolean

true if the password was updated successfully. false if the supplied old password is invalid, the user is locked out, or the user does not exist in the database.

Exception Condition

username is an empty string (""), contains a comma, or is longer than 256 characters.

- or -

oldPassword is an empty string or longer than 128 characters.

- or -

newPassword is an empty string or longer than 128 characters.

- or -

The encoded version of newPassword is greater than 128 characters.

- or -

The change-password action was canceled by a subscriber to the ValidatingPassword event, and the FailureInformation property was null.

- or -

The length of newPassword is less than the minimum length specified in the MinRequiredPasswordLength property.

- or -

The number of non-alphabetic characters in newPassword is less than the required number of non-alphabetic characters specified in the MinRequiredNonAlphanumericCharacters property.

- or -

newPassword does not pass the regular expression defined in the PasswordStrengthRegularExpression property.


username is null.

- or -

oldPassword is null.

- or -

newPassword is null.


username was not found in the database.


An error occurred while setting the new password value at the database.


An unhandled exception occurred.

This method is called by the Membership class to update the password for a user in the SQL Server database specified in the ASP.NET application's configuration file (Web.config).

The maximum password length is 128 characters.

If an incorrect password is supplied to the ChangePassword method, the internal counter that tracks invalid password attempts is incremented by one. This can result in the user being locked out and unable to log on until the lock status is cleared by a call to the UnlockUser method. If the correct password is supplied and the user is not currently locked out, then the internal counters that track invalid password and password-answer attempts are reset to zero. For more information, see the MaxInvalidPasswordAttempts and PasswordAttemptWindow properties.

You can call the ChangePassword method directly by first obtaining a reference to the SqlMembershipProvider instance through the Provider property of the Membership class. The Provider property exposes the defaultProvider specified in the Web.config file for the application. Configured providers that are not the default provider referenced using the Providers property.

You can also change user passwords by using the ChangePassword method.

Leading and trailing spaces are trimmed from all parameter values.

The following code example modifies the password for the specified user.


This example uses the Provider property of the Membership class to call the SqlMembershipProvider specified as the defaultProvider in the Web.config file. If you need to access the default provider as the type SqlMembershipProvider, you can cast the Provider property of the Membership class. To access other configured providers as a specific provider type, you can access them by their configured name with the Providers property of the Membership class and cast them as the specific provider type.

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web.Security" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
<script runat="server">

public void ChangePassword_OnClick(object sender, EventArgs args)
    // Update the password.

    if (Membership.Provider.ChangePassword(User.Identity.Name, OldPasswordTextbox.Text, PasswordTextbox.Text))
      Msg.Text = "Password changed.";

  Msg.Text = "Password change failed. Please re-enter your values and try again.";

<html xmlns="http://www.w3.org/1999/xhtml" >
<title>Change Password</title>

<form id="form1" runat="server">
  <h3>Change Password for <%=User.Identity.Name%></h3>

  <asp:Label id="Msg" ForeColor="maroon" runat="server" />

  <table cellpadding="3" border="0">
      <td>Old Password:</td>
      <td><asp:Textbox id="OldPasswordTextbox" runat="server" TextMode="Password" /></td>
      <td><asp:RequiredFieldValidator id="OldPasswordRequiredValidator" runat="server"
                                      ControlToValidate="OldPasswordTextbox" ForeColor="red"
                                      Display="Static" ErrorMessage="Required" /></td>
      <td><asp:Textbox id="PasswordTextbox" runat="server" TextMode="Password" /></td>
      <td><asp:RequiredFieldValidator id="PasswordRequiredValidator" runat="server"
                                      ControlToValidate="PasswordTextbox" ForeColor="red"
                                      Display="Static" ErrorMessage="Required" /></td>
      <td>Confirm Password:</td>
      <td><asp:Textbox id="PasswordConfirmTextbox" runat="server" TextMode="Password" /></td>
      <td><asp:RequiredFieldValidator id="PasswordConfirmRequiredValidator" runat="server"
                                      ControlToValidate="PasswordConfirmTextbox" ForeColor="red"
                                      ErrorMessage="Required" />
          <asp:CompareValidator id="PasswordConfirmCompareValidator" runat="server"
                                      ControlToValidate="PasswordConfirmTextbox" ForeColor="red"
                                      Display="Static" ControlToCompare="PasswordTextBox"
                                      ErrorMessage="Confirm password must match password." />
      <td><asp:Button id="ChangePasswordButton" Text="Change Password" 
                      OnClick="ChangePassword_OnClick" runat="server" /></td>


.NET Framework
Available since 2.0
Return to top