Generating Random Passwords with ASP.NETBy Scott Mitchell
In one of the consulting projects I'm working on a website that has user accounts (like most every non-trivial Web application). User accounts for this site can be created in one of two ways: by the user himself, in which case that user provides their email address and password; or by the user's boss, in which case the boss simply provides his employee's email address. The system then creates a random password for the employee and emails this information to said employee. Upon first logging in to the site, the employee must change the random password.
One of the challenges of this task involved writing the code that would generate a random password. When I needed to
accomplish this, I headed over to 4Guys and searched
for the phrase "random password". Sadly, the only articles on creating a random password here on 4Guys are from the
antequated days of classic ASP, meaning I ended up writing my own ASP.NET random password generator. (This need is moot
with ASP.NET 2.0's
new Membership API; in fact, with 2.0 you can simply call
The purpose of this article is to provide a random password generator for ASP.NET. There are a number techniques for creating a random password, and these techniques are explored, along with source code. Read on to learn more!
Quick and Dirty Random Password Generation Using GUIDs
The simplest random password generation scheme with ASP.NET is to return a portion of a GUID. A GUID is a Globally Unique ID, a 128-bit number that can be quickly generated with one method call, producing a hexidecimal string that can be used as a random password. To create a new GUID, use the
NewGuid()method. Then, the
.ToString()method can be used to create a string version of this. Here's some example code:
Each time this code is run a new, globally unique number will be generated. Here's the output of this code when run five times (you can refresh the page and you'll see five new results):
Typically I strip out the hyphens (
-) and then return the first n characters of the GUID. To generalize
this technique, let's create a method called
GetRandomPasswordUsingGUID(length) that accepts as input
the length of the random password and returns the first length characters of a GUID (with the hyphens removed).
The following shows this output of this method when called with length values of 5, 10, and 15, respectively.
(Again, you can refresh the page and you'll see different random passwords, as each time
is called, a new, unique identifier is created.)
Random password of length 5:d9c44
Random password of length 10: 0775fee2fd
Random password of length 15: 8e1532e31df2470
A More Robust Random Password Generator
This nice thing about the GUID approach for creating random passwords is that it is easy to implement and use. However, it leaves you with no control over the resulting output, and only generates passwords with alphanumeric characters (and only with letters ranging from a to f). What if you want to impose certain security guidelines, such as requiring a random password with a certain number of non-alphanumeric characters, or a random password that uses a wider range of random characters (such as drawing from the entire alphabet)? Or what if, for some reason, you didn't want numbers in the random password? Or you wanted to make the password case-sensitive (again, with the GUID approach you only have six letters and they are all lowercase).
A more robust solution would be to create a
password generator that mirrors the behavior of the ASP.NET 2.0 Membership API's method with the same name. This method -
which is what you should use if you're using 2.0 - allows the page developer to specify the random password's length and
the number of non-alphanumeric characters. Furthermore, it uses the
class, which is a cryptographically strong random number generator. (In English, that means that the algorithm does not suffer
from having characteristics which make it possible to better guess upcoming random numbers based on past random numbers produced.)
If you are stuck in the ASP.NET 1.x world like yours truly, then you'll need to roll your own
method. But wait, why duplicate the efforts of the ASP.NET team? Why not just use their code? With a little help from
Reflector this is a cinch. Here is the code for the
Membership.GeneratePassword(length, numberOfNonAlphanumericCharacters) method, along with
a live demo.
Note: I tweaked the
GetPassword() method in that I removed some of the potentially dangerous non-alphanumeric
&). ASP.NET 2.0 does a check to ensure that the randomly generated password
can't be used in a cross-site scripting attack, and the characters it checks for is
&. I just removed these to avoid needing to include the code for the XSS check...
In this article we examined two techniques for generating random passwords using ASP.NET. In the first technique we used a GUID, stripped out the hyphens, and then returned the first length characters of the GUID. This approach is a quick and easy way to generate a random password. However, it lacks in sophistication in that its potential pool of characters is rather limited (a-f and 0-9).
A more robust and elegant random password generator can be seen in ASP.NET 2.0's
method. If you are using 2.0 most definitely take advantage of this method. If you are still using ASP.NET 1.x, however, you'll
need to create your own password generator if you need an approach more robust than the GUID approach first examined.
In this article we saw how to 'copy' 2.0's
GeneratePassword() method using Reflector.