I've seen various questions regarding this issue, but there are a couple of questions that haven't been asked. If the user forgets their password, I would like them to be
Your means of authenticating the user is a shared secret (the password).
If the user forgets that secret, you need a way of establishing a new shared secret. No matter what way you go about it, you'll still have the problem of authenticating the user in order to share that new secret.
If the only thing you know about the user that could be used to authenticate them is their email address, then you'll need some way to confirm that the user requesting a reset is in control of that email address.
And the only way so far to do that is to email a secret to that email address and check if they received it.
Which is always going to be open to a sufficiently sneaky MitM attack.
The reason you don't send a temporary password is to avoid the issue of "the user can't be bothered changing and so keeps using the insecure temporary password instead of their own secure one."
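The flow described in this answer, as an added example that is not part of the original answer: a random single-use secret is emailed, only its hash is stored, and redeeming it forces the user to choose a new password instead of logging in with a temporary one. The function names, the in-memory dictionaries, the 15-minute lifetime and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the answer gives no figure

# In-memory stand-ins for a database (constructed for this example).
pending_resets = {}   # email -> (sha256 hex of token, expiry timestamp)
password_hashes = {}  # email -> (salt, derived key)


def _digest(token):
    # Store only a hash, so a leaked table does not reveal usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email, now=None):
    """Return the secret to email; a new request replaces any older one."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    pending_resets[email] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(email, token, new_password, now=None):
    """Set new_password if the token proves control of the mailbox."""
    now = time.time() if now is None else now
    record = pending_resets.get(email)
    if record is None:
        return False
    stored_digest, expires_at = record
    # Constant-time comparison of the stored and presented digests.
    if not hmac.compare_digest(stored_digest, _digest(token)):
        return False
    del pending_resets[email]  # single use, even when it has expired
    if now > expires_at:
        return False
    # The token is never a login credential: it only lets the user set
    # their own password, which is stored salted and stretched.
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 600_000)
    password_hashes[email] = (salt, key)
    return True
```

The token still travels by email, so the short lifetime and single use narrow the window for interception but do not remove it.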