1

Im a beginner programming in asp.net. I have mysql integration for the identity in ASP.NET with this powerful tutorial...

The question is: How to Create a default password (ex: default) after i create an employee data with this function:

Controller:

[HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Create(dbemployee dbemployee)
        {
            if (ModelState.IsValid)
            {                
                db.dbemployees.Add(dbemployee);
                db.SaveChanges();
                return RedirectToAction("Index");
            }

            ViewBag.iDept = new SelectList(db.dbtodepts, "iDept", "sDept", dbemployee.iDept);
            ViewBag.iSmokers = new SelectList(db.dbtoflagies, "iFlag", "sFlag", dbemployee.iSmokers);
            ViewBag.iEmpGender = new SelectList(db.dbtogenders, "iGender", "sGender", dbemployee.iEmpGender);
            ViewBag.iGrade = new SelectList(db.dbtogrades, "iGrade", "sGrade", dbemployee.iGrade);
            ViewBag.iJob = new SelectList(db.dbtojobs, "iJob", "sJobName", dbemployee.iJob);
            ViewBag.iEmpLastEdu = new SelectList(db.dbtolasteducations, "iLastEdu", "sLastEdu", dbemployee.iEmpLastEdu);
            ViewBag.iEmpMaritalStat = new SelectList(db.dbtomaritalstats, "iMaritalStat", "sMaritalStat", dbemployee.iEmpMaritalStat);
            ViewBag.iEmpReligion = new SelectList(db.dbtoreligions, "iReligion", "sReligion", dbemployee.iEmpReligion);
            return View(dbemployee);
        }

Of course this function is autogenerated by scaffolding, and my imagine is should add the code like this: 

RegisterViewModel reg = new RegisterViewModel(); 
          reg.Password.Insert("default").GetHashCode.ToString();

And as we know, the code above is totally wrong.. Sorry for my english skill, but i hope someone understand my case. Thanks.. :)

kyzeofsd
  • 9
  • 4
Hafidz Fairiz
  • 63
  • 11
  • There *was* a duplicate question this week (or maybe last week) - how to generate a password (NOT default, that's just asking to get hacked). The quick & dirty answer was to use the GeneratePassword functionality from the *old* Membership provider. Have to search for the duplicate to find how to do this for Identity – Panagiotis Kanavos Apr 08 '16 at 11:00
  • 1
    Check [this](http://stackoverflow.com/questions/28480167/asp-net-identity-generate-random-password) question but *not* the accepted answer. Identity does *not* generate passwords, it sends reset links. It's safer than sending even a randomly generated password in clear text. You can use the same functions as eg the `Reset` page in the MVC template to generate a single-use reset token and send it to new users, forcing *them* to select a new password. This is better because a) the token can't be reused and b) it expires, reducing the risk from accidental disclosure – Panagiotis Kanavos Apr 08 '16 at 11:06
  • Thaks for the comment @PanagiotisKanavos ... But can u give me some reference link about your 2nd comment. I interested with your logic. – Hafidz Fairiz Apr 08 '16 at 11:24
  • 1
    You have to consider users, and users are simply lazy. It sounds bad but it's true, nonetheless. If you give them a default password, they will use that. Then, all your users (or at least a large majority) are all using the same password, which is bad. If you generate a password and send it to them by email, it's *better*, but they still won't change it. That will just be their password. But, if like Identity does, you only generate a reset, the user is forced to choose a new password, after clicking the link in the email. This makes your app infinitely more secure. – Chris Pratt Apr 08 '16 at 12:41
  • Similarly with Panagiotis Kanavos, but you make me feel more considered how bad the question i have.. :D Thanks @ChrisPratt.. – Hafidz Fairiz Apr 10 '16 at 01:30

1 Answers1

2

ASP.NET Identity does not include default password creation methods, as it relays on password reset links, that are way safer way of handling passwords. Have you considered that approach in your app?

Maciej
  • 93
  • 4