ASP.NET Membership - keep users to use previous passwords

Question

I created a Membership login system for my client, now they do NOT want the user to use one of his 5 last passwords when it comes time to create a new one.

Is that something that is build in or how could I accomplish that?

Answer 1

This feature doesn't exist on asp.net membership login system. You must implement it by yourself, on the automatic-creating page of changing password.

You need somewhere to save the previous hash list of your users passwords, and check this list, just before accepting a password change.

Update

Where to start:
Start from the all ready existing password change control.

Here is a password change example.
http://www.asp.net/cssadapters/Membership/ChangePassword.aspx

In this control, (that you can easy drag and drop on your page) capture the events,

<asp:ChangePassword ID="ChangePassword1" runat="server"    
 onchangingpassword="ChangePassword1_ChangingPassword" ... >...

Make your function to check for old passwords

 protected void ChangePassword1_ChangingPassword(object sender, LoginCancelEventArgs e)
 {
  if (PasswordFoundOnList())
  {
   ... show an error....
   e.Cancel = true;
  }
}

Now save somewhere the last passwords, for example you can saved them on user profile, or on your database.

here are some more informations for user profile. http://www.asp.net/Learn/Ajax/tutorial-03-cs.aspx

Hope this help you make it.