I have been assigned an application that needs a bit of rewriting. One of the things we need to do is replace how password resets are done. Currently, the user enters the user's email address and then clicks on a button that sends the password to the user's email, so he can log in with that password. Clearly this is not very good, but in the process of making the design more secure, I am running into some issues. One of them is what the best way of resetting the password is.
I modified the page that sends the user's password to instead send the user an email with a link to a page where he or she can change the password. I used the user's email, first and last name, and a GUID to create a token, and used a sample app from the Microsoft site for Triple DES to encrypt all of those into one encrypted token. I add that encrypted token to the URL that is inserted in the email sent to the user.
Can anyone give me an idea as to what the best way of resetting passwords is?
The reason I am asking is that I have been running into a problem when I try to decrypt the token. I keep getting the error "invalid length for a base 64 char array" even though the code I used is a carbon copy of the example from the Microsoft site: "Walkthrough: Encrypting and Decrypting Strings in Visual Basic". So I thought, heck, instead of struggling with this (even though it is a great exercise), how about if I just send the user to the reset password page that we have set up?
Sorry for the verbose question.
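As an added example (not code from the post above, nor from the Microsoft walkthrough it mentions), here is the reset-link flow the post is reaching for, written in Python rather than VB so the mechanics stay language-neutral: the link carries a random, single-use, expiring token; only a hash of it is stored server-side; and it is encoded with the URL-safe base64 alphabet without padding, so no `+`, `/` or `=` ever reaches the URL. The last function shows the usual reason a standard-base64 token pasted straight into a query string fails to decode: query parsers turn the `+` in the token into a space, and a base64 decoder that skips whitespace (as .NET's `Convert.FromBase64String` does) is then left with a string whose length is no longer a multiple of four, which is exactly the "Invalid length for a Base-64 char array" condition. The in-memory store, the 15-minute lifetime, the `example.test` link and the sample bytes are assumptions made for the demonstration.

```python
import base64
import binascii
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset link is valid for 15 minutes


@dataclass
class ResetStore:
    """In-memory stand-in (assumption) for the table of pending resets.
    Keyed by the SHA-256 of the token, so a copied table does not yield usable links."""
    pending: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # token_hash -> (email, expires_at)


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_reset_token(store: ResetStore, email: str, now: Optional[float] = None) -> str:
    """Create a single-use reset token and return the value to embed in the link.

    The token is 32 random bytes from the OS CSPRNG, not anything derived from the
    user's email, name or a GUID, so it cannot be predicted or reconstructed.
    It is emitted as URL-safe base64 with the '=' padding stripped, so the link
    needs no further escaping."""
    now = time.time() if now is None else now
    raw = secrets.token_bytes(32)
    token = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    store.pending[_hash_token(token)] = (email, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(store: ResetStore, token: str, now: Optional[float] = None) -> Optional[str]:
    """Validate a token taken from the link. Returns the email on success, None otherwise.

    The entry is removed on first lookup, so a link cannot be used twice, and an
    expired entry is rejected (and discarded) rather than honoured."""
    now = time.time() if now is None else now
    entry = store.pending.pop(_hash_token(token), None)
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    return email


def roundtrip_through_query(blob: bytes, urlsafe: bool) -> Optional[bytes]:
    """Embed an encoded blob in '?t=...' the way a naive link builder does (plain string
    concatenation, no percent-encoding), parse it the way a server parses a query string,
    and try to decode it back. Returns the decoded bytes, or None if decoding fails.

    With the standard alphabet, parse_qs turns every '+' into a space and the decode
    breaks; with the URL-safe alphabet the blob survives unchanged."""
    encoded = (base64.urlsafe_b64encode(blob) if urlsafe else base64.b64encode(blob)).decode("ascii")
    url = "https://example.test/reset?t=" + encoded  # assumption: link built by concatenation
    query = url.split("?", 1)[1]
    value = parse_qs(query)["t"][0]  # '+' becomes ' ' here, as in any form/query decoder
    try:
        if urlsafe:
            return base64.urlsafe_b64decode(value)
        return base64.b64decode(value, validate=True)
    except (ValueError, binascii.Error):
        return None


if __name__ == "__main__":
    store = ResetStore()
    token = issue_reset_token(store, "alice@example.test")
    print("link: https://example.test/reset?t=" + token)
    print("first use ->", redeem_reset_token(store, token))
    print("second use ->", redeem_reset_token(store, token))
    sample = bytes([0xFB, 0xFF, 0xBF, 0x01])  # constructed so its base64 contains '+' and '/'
    print("standard base64 via query ->", roundtrip_through_query(sample, urlsafe=False))
    print("urlsafe base64 via query  ->", roundtrip_through_query(sample, urlsafe=True))
```

In use, the page that handles the emailed link calls `redeem_reset_token` with the `t` parameter, and only if it returns an email does it show the change-password form for that account; the token itself never needs to be decrypted or decoded on the server, because everything the server needs is in its own store.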