I have an C# asp.net app using the default Sql MembershipProvider. My web.config has a few settings that control how I’m using this Provider:

enablePasswordRetrieval="false" 
enablePasswordReset="true"
requiresUniqueEmail="true"
passwordFormat="Hashed" 
minRequiredPasswordLength="5" 

The problem I’m running into is that when people reset their passwords, it seems the ResetPassword() method returns a password that is longer than I want and has characters that can be confusing (l,1,i,I,0,O). Furthermore, I’m sending my users an email with a plain-text message and an HTML message (I’m using MailMessage with AlternateViews). If the password has unsafe HTML characters in it, when the email clients render the HTML text the password might be different (e.g. the %, &, and < aren’t exactly HTML safe).

I’ve looked over the “add” element that belongs in the web.config, but I don’t see any extra configuration properties to only include certain characters in the ResetPassword() method and to limit the password length.

Can I configure the ResetPassword() method to limit the password length and limit the character set it is choosing from?

Right now I have a workaround: I call ResetPassword() to make sure the supplied answer is correct, and then I use a RandomPassword generator I downloaded off the internet to generate a password that I like (without ambiguous characters, HTML safe, and only 8 characters long) and then I call ChangePassword() to change the user’s password after I’ve already reset it.

My workaround seems kludgy and I thought it would be better to configure ResetPassword() to do what I want.

Thank you~!

ColoradoTechie