I was just wondering how I could check (when a user is changing password after the password expires) how I could use (in WebMatrix) an if branch to ensure that the new password does not equal the previous password.
I don't think I want to check for any more password history beyond just the last password used, so as long as I can just check the previous password, I think that will be fine.
I could of course query the database and check, but as the password doesn't get stored in plain text, I know that this won't work, but I also checked on the WebSecurity methods here: http://msdn.microsoft.com/en-us/library/webmatrix.webdata.websecurity(v=vs.111).aspx and didn't find anything.
What is the best way to get this done?
Since the password is not stored in the database, there is no way for you to do this, unless you make a note of the password when the user first registers, and whenever they subsequently change it.
The irony here is that by storing the original password (even in an encrypted state), you actually reduce the security of your application.
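An added example, not part of the original question or answer: the "new password must differ from the current one" check can be run against the stored salted hash by re-deriving the candidate with the same salt, so no plaintext is kept. The class and method names and the `iterations.salt.hash` storage format are assumptions made for this sketch; in ASP.NET Web Pages, `System.Web.Helpers.Crypto.VerifyHashedPassword(hashedPassword, password)` performs the same kind of comparison for hashes produced by `Crypto.HashPassword`.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical helper for illustration; the "iterations.salt.hash" format is an
// assumption of this sketch, not the format WebMatrix uses for its own tables.
public static class PasswordReuse
{
    const int Iterations = 100000, SaltLen = 16, KeyLen = 32;

    // Hashes a password with a fresh random salt (PBKDF2-HMAC-SHA256).
    public static string Hash(string password)
    {
        var salt = new byte[SaltLen];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return Iterations + "." + Convert.ToBase64String(salt) + "." +
               Convert.ToBase64String(Derive(password, salt, Iterations));
    }

    // Re-derives the candidate with the stored salt and compares in constant time.
    public static bool Matches(string stored, string candidate)
    {
        var parts = stored.Split('.');
        int iterations;
        if (parts.Length != 3 || !int.TryParse(parts[0], out iterations)) return false;
        var expected = Convert.FromBase64String(parts[2]);
        var actual = Derive(candidate, Convert.FromBase64String(parts[1]), iterations);
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(KeyLen);
    }

    // Returns the new hash to store, or null when the new password repeats the current one.
    public static string TryChange(string storedHash, string newPassword)
    {
        return Matches(storedHash, newPassword) ? null : Hash(newPassword);
    }

    public static void Main()
    {
        string stored = Hash("Autumn-2013!"); // constructed sample password
        Console.WriteLine("reuse rejected: " + (TryChange(stored, "Autumn-2013!") == null));
        Console.WriteLine("change accepted: " + (TryChange(stored, "Winter-2014?") != null));
    }
}
```

Only the hash of the current password is needed, so the check covers the single previous password the question asks about and nothing older.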