The first thing to note is that use of the PasswordRecovery control requires that you are also using the ASP.NET 2.0 Membership system. This is a good thing, however, because the ASP.NET 2.0 Membership system and the associated controls make the creation of applications with authentication and authorization of page resources straightforward.
The PasswordRecovery control works by emailing the user's forgotten password, so the <smtpMail /> configuration section must be set to use a valid SMTP server and port. Also, use of the PasswordRecovery control requires that the Membership system be set up to allow password retrieval, and the passwords must actually be stored in a recoverable format and not hashed. This can be accomplished by adding the following attributes to the <membership /> configuration section:
passwordFormat="Clear" or passwordFormat="Encrypted"
The <mailDefinition /> section of the <PasswordRecovery> control can be used to set the FROM email address on the password recovery emails.
Using the control with these settings gives you a basic level of password recovery functionality. If you would also like to take advantage of the question/answer functionality that requires a correct response to a user-defined question before sending the user's password, set the following attribute in the <membership /> configuration:
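A web.config fragment that combines the membership settings discussed above, given here as an added example that is not part of the original article. The provider name, connection string and key values are placeholders; enablePasswordRetrieval and requiresQuestionAndAnswer are the SqlMembershipProvider attributes for password retrieval and the question/answer check.

```xml
<!-- Added example: provider name, connection string and key values are
     placeholders, not values from the article. -->
<configuration>
  <connectionStrings>
    <!-- Placeholder connection string for the membership database -->
    <add name="MembershipDb"
         connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <!-- passwordFormat="Encrypted" needs explicit keys: with the default
         auto-generated machineKey, SqlMembershipProvider refuses to store
         encrypted passwords. Generate your own key material and keep it
         identical on every server in a web farm. -->
    <machineKey validationKey="REPLACE_WITH_GENERATED_HEX_KEY"
                decryptionKey="REPLACE_WITH_GENERATED_HEX_KEY"
                validation="SHA1" decryption="AES" />
    <membership defaultProvider="RecoverableSqlProvider">
      <providers>
        <clear />
        <!-- enablePasswordRetrieval="true" lets PasswordRecovery email the
             stored password; it is rejected if passwordFormat is "Hashed".
             requiresQuestionAndAnswer="true" makes the control ask the
             user's security question before the email is sent.
             passwordFormat="Clear" is the other recoverable option the
             article lists, but it stores every password as plaintext in
             the membership database, readable by anyone with access to
             that table or its backups. -->
        <add name="RecoverableSqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/"
             enablePasswordRetrieval="true"
             requiresQuestionAndAnswer="true"
             passwordFormat="Encrypted" />
      </providers>
    </membership>
  </system.web>
</configuration>
```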
The PasswordRecovery control should make it easy to add reasonably secure password recovery features to your ASP.NET 2.0-based application. For more information see the MSDN documentation on the PasswordRecovery class.
This was first published in October 2007