The About screen provides an overview of the current AspNetSqlMembershipProvider settings as well as a summary of limitations imposed as a result of those settings.
If you have not created a membership provider settings section in the web.config for your application, then the default membership provider settings, which are defined in machine.config and are also the most restrictive, will be in use.
The Membership Provider Configuration section provides a summary of the effective configuration settings which affect your web application.
The provider is "SQL membership provider", which is the description of the default provider, AspNetSqlMembershipProvider.
EnablePasswordReset is true by default, which enables the Membership.Provider.ResetPassword method. Note that ResetPassword requires a passwordAnswer by default.
The EnablePasswordRetrieval setting is false by default and cannot be set to true if the passwordFormat is Hashed.
MaxInvalidPasswordAttempts defaults to five (5), which means that five unsuccessful login attempts will cause the account to be disabled for a period defined by the PasswordAttemptWindow (see below).
MinRequiredNonAlphaNumericCharacters causes the provider to reject passwords that do not contain a certain number of non-alphanumeric characters (symbols, punctuation, etc.). By default, passwords must contain at least one non-alphanumeric character. Note: if you use the Asp.Net CreateUserWizard to allow self-service account creation, be aware that it displays the error message "please use a different password", which does not really tell the user that a non-alphanumeric character is required. This message can be adjusted within the control itself.
MinRequiredPasswordLength causes the provider to reject passwords that are not of at least a particular length. By default, passwords must be at least seven (7) characters in length.
PasswordAttemptWindow is the number of minutes that must pass before a user can attempt to log in again after being locked out for too many invalid password attempts. The default is ten (10) minutes. Here again, the Membership Manager control is very handy, since it allows a Customer Service Representative to manually unlock a member's account without having to wait the ten minutes.
The default passwordFormat is Hashed (1), which is the most secure but prevents password retrieval. The other passwordFormats are Clear (0) and Encrypted (2).
Be sure to read the article Asp.Net Membership Password Administration, which goes into several of the key membership provider settings.
Also, the topic Configuring provider settings will show you how to configure your own membership provider.
PasswordStrengthRegularExpression is a string that can contain a regular expression which defines a required pattern for new passwords. You might use this, for example, to require that the third and eighth characters are a particular character, such as "xx-xxxx-xx". By default, PasswordStrengthRegularExpression is blank, which means that any pattern may be used.
The requiresQuestionAndAnswer setting is true by default, which means that the provider methods for resetting or retrieving passwords require that a non-blank and valid passwordAnswer is provided. Note that the Membership Manager Control can get around this limitation if the passwordFormat of a specific membership record is Clear. In that case, the password can be read directly from the underlying database instead of through the provider methods.
RequiresUniqueEmail is false by default and specifies whether the AspNetSqlMembershipProvider will allow more than one membership account to use the same e-mail address. The username, rather than the e-mail address, is the primary key for the membership system.
RoleManager Enabled is actually not a setting for the AspNetSqlMembershipProvider; rather, it is a setting of the roleManager section, which defines how role management is implemented. The AspNetSqlRoleProvider is the default role provider but, by default, it is disabled. The Membership Manager Control is initially configured for use only by members of the Administrator role, and if role management is disabled, the control simply won't work. This is intentional: it requires that you either implement roles or consciously clear the control's membershiprole property (perhaps you are implementing the control in a related but secure web site).
Finally, it is not possible to change the passwordFormat to Encrypted unless a machineKey section is defined in web.config. The machineKey section is separate from the membership section but is also specified in the application's web.config file under system.web.
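The following web.config fragment is an added example (it is not the Membership Manager Control's own sample and not taken from the original page). It defines an explicit AspNetSqlMembershipProvider entry so that the machine.config defaults no longer apply, keeps the Hashed format, but relaxes requiresQuestionAndAnswer so that administrative password resets through the provider are possible, enables the role manager the control depends on, and shows where the machineKey section would go if you later chose the Encrypted format. The machineKey values and the LocalSqlServer connection string name are placeholders; generate your own keys and point connectionStringName at your membership database.

```xml
<configuration>
  <system.web>

    <!-- Only needed if passwordFormat is changed to "Encrypted".
         The key values are placeholders; generate real ones. -->
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1"
                decryption="AES" />

    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <!-- Remove the machine.config entry so the settings below are the effective ones. -->
        <clear />
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="LocalSqlServer"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="false"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1"
             passwordStrengthRegularExpression="" />
      </providers>
    </membership>

    <!-- The control is restricted to the Administrator role, so role management must be on.
         With no provider listed, the machine.config default (AspNetSqlRoleProvider) is used. -->
    <roleManager enabled="true" />

  </system.web>
</configuration>
```

The lockout, length and complexity values above are the machine.config defaults written out explicitly; the only relaxation is requiresQuestionAndAnswer="false", which is what allows ResetPassword to be called on behalf of a member without their secret answer. enablePasswordRetrieval stays false because it cannot be true with the Hashed format anyway.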
Membership Manager Capabilities
While the Membership Manager Control can provide much of the functionality of AspNetSqlMembershipProvider in a convenient control panel, it is not intended to circumvent Microsoft's security model. Apart from a few calls directly into the AspNet membership and user tables to retrieve data which is already available, the control is completely dependent on the underlying AspNetSqlMembershipProvider for its functionality.
Several value-added capabilities, such as the ability for an administrator to reset a member's password to a known value, are delivered through a combination of calls to existing provider methods, but they still require that the provider settings allow those methods to be used.
As illustrated, the capabilities section summarizes the limitations of the Membership Manager Control based on the settings in web.config. Even with the default (most restrictive) settings, the control may still be used to look up, unlock and add comments for members. To administratively reset passwords, however, a provider section must be defined in web.config with less restrictive settings.
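As an added example (not the Membership Manager Control's own code), the class below shows how an administrative "reset to a known value" can be built purely from provider methods, and how the same provider properties the About screen reports decide whether that capability is available. It assumes only the standard System.Web.Security API (Membership, MembershipUser, Roles); the class and method names are hypothetical.

```csharp
using System;
using System.Text;
using System.Web.Security;

// Added example; not part of the Membership Manager Control.
public static class MembershipAdminExample
{
    // Summarises the effective provider settings the way the About screen does,
    // and derives which administrative actions they permit.
    public static string DescribeCapabilities()
    {
        MembershipProvider p = Membership.Provider;
        var sb = new StringBuilder();
        sb.AppendLine("Provider: " + p.Name + " (" + p.Description + ")");
        sb.AppendLine("Password format: " + p.PasswordFormat);
        sb.AppendLine("Look up / unlock members: available");
        sb.AppendLine("Password retrieval: " +
            (p.EnablePasswordRetrieval ? "available" : "blocked (false, or format is Hashed)"));
        sb.AppendLine("Administrative reset without secret answer: " +
            (p.EnablePasswordReset && !p.RequiresQuestionAndAnswer ? "available" : "blocked"));
        sb.AppendLine("Role manager enabled: " + Roles.Enabled);
        return sb.ToString();
    }

    // Reset a member's password to a value chosen by the administrator using
    // only provider calls: ResetPassword generates a random temporary password,
    // then ChangePassword replaces it with the chosen one.
    // Requires enablePasswordReset="true". If requiresQuestionAndAnswer="true",
    // the member's passwordAnswer must be supplied or ResetPassword throws.
    public static bool ResetToKnownPassword(string userName, string newPassword,
                                            string passwordAnswer = null)
    {
        MembershipUser user = Membership.GetUser(userName);
        if (user == null)
            return false;

        // A locked-out account cannot be reset; unlock it first (also what a
        // CSR would do instead of waiting for the PasswordAttemptWindow).
        if (user.IsLockedOut)
            user.UnlockUser();

        string temporary = user.ResetPassword(passwordAnswer);

        // ChangePassword enforces minRequiredPasswordLength,
        // minRequiredNonalphanumericCharacters and
        // passwordStrengthRegularExpression on the new value.
        return user.ChangePassword(temporary, newPassword);
    }
}
```

Because the chosen password still passes through ChangePassword, every complexity rule in web.config applies to it, and because the temporary value from ResetPassword is never shown to anyone, the approach does not weaken the provider's model; it only fails cleanly when the settings forbid it, which is exactly the limitation the capabilities section reports.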