Changing Password without the Old Password - ASP.NET Membership API

Overview

It's common for a system administrator to be able to change a user's password without knowing the old password. However, the ASP.NET Membership API doesn't have a method for doing this directly. This article explains a work-around, which proceeds in the following steps.

  1. In our web.config file, we configure a second, administrative membership provider that doesn't require the question/answer combination.
  2. Using this administrative membership provider, we call the MembershipUser.ResetPassword method to have the system generate a new password for the user.
  3. Using this system-generated password as the "old" password, we change the user's password to whatever we need.

Solution

Web.Config

You will need a second membership provider configured for administrative purposes. Note that requiresQuestionAndAnswer is false for the admin provider; that is what allows ResetPassword to be called without the user's security answer, so this provider should only be reachable from administrative code paths.

<membership defaultProvider="MyMembershipProvider">
  <providers>
    <clear/>
    <add
        name="MyMembershipProvider" type="System.Web.Security.SqlMembershipProvider" applicationName="/"
        connectionStringName="MySqlClient" enablePasswordRetrieval="false" enablePasswordReset="true"
        requiresQuestionAndAnswer="true" requiresUniqueEmail="false" maxInvalidPasswordAttempts="1000"
        minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
        />
    <add
        name="MyMembershipProviderAdmin" type="System.Web.Security.SqlMembershipProvider" applicationName="/"
        connectionStringName="MySqlClient" enablePasswordRetrieval="false" enablePasswordReset="true"
        requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5"
        minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
        />
  </providers>
</membership>

Application Code

// Look the user up through the admin provider. The returned MembershipUser is bound
// to that provider, so the ResetPassword/ChangePassword calls below run under its
// settings (no question/answer required).
System.Web.Security.MembershipUser user
    = Membership.Providers["MyMembershipProviderAdmin"].GetUser(userName, false);
if (user == null)
    throw new ArgumentException("Unknown user: " + userName);

// If the admin does not supply the current password, the system resets the
// password to a system-generated one, which we then change to the specified password.
if (string.IsNullOrEmpty(currentPassword))
    currentPassword = user.ResetPassword();

bool IsUpdated = user.ChangePassword(currentPassword, password);
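The three steps wrapped in one helper that an administrative page could call, as an added example that is not code from the original article. It assumes the MyMembershipProviderAdmin provider from the web.config above and a role named "Administrators" as the gate; the role name is a placeholder to adjust for your application.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class AdminPasswordService
{
    // Provider name from the web.config above.
    private const string AdminProviderName = "MyMembershipProviderAdmin";
    // Role allowed to set other users' passwords (assumed name, adjust to your app).
    private const string AdminRoleName = "Administrators";

    // Sets a new password for userName without knowing the old one.
    // Returns false for an unknown or un-unlockable user; throws on misuse.
    public static bool SetPassword(string userName, string newPassword)
    {
        // Gate the admin provider: it bypasses the question/answer check,
        // so only authenticated administrators may reach this code path.
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated
            || !ctx.User.IsInRole(AdminRoleName))
            throw new UnauthorizedAccessException("Caller is not an administrator.");

        MembershipProvider admin = Membership.Providers[AdminProviderName];
        if (admin == null)
            throw new InvalidOperationException(AdminProviderName + " is not configured.");

        // userIsOnline = false: an administrative lookup should not bump LastActivityDate.
        // The MembershipUser is bound to the admin provider, so the calls below use its settings.
        MembershipUser user = admin.GetUser(userName, false);
        if (user == null)
            return false;

        // ResetPassword fails for a locked-out account, so unlock it first.
        if (user.IsLockedOut && !user.UnlockUser())
            return false;

        // Step 2: requiresQuestionAndAnswer="false" on the admin provider means
        // the parameterless overload is valid and returns a generated password.
        string generated = user.ResetPassword();

        // Step 3: the generated password is the "old" one for ChangePassword.
        // The SQL provider still enforces its password rules on newPassword and
        // throws ArgumentException when they are not met; let that surface.
        bool changed = user.ChangePassword(generated, newPassword);

        // Record who changed whose password; an admin reset is an auditable event.
        System.Diagnostics.Trace.TraceInformation(
            "Password set for {0} by {1}: {2}", userName, ctx.User.Identity.Name, changed);
        return changed;
    }
}
```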