I was sending password reset token in user's email with the default GeneratePasswordResetToken method but it was quite big like 200 to 300 characters long. I want to make smaller tokens like 5/6 digits long and expire it's life span within 3 minutes. How can I do that?
One way would be like this:
Have a table in your database where you save the reset tokens and their creation datetime.
When a user requests a reset, generate a GUID and save it in that table, then send an email to the user containing a reset link with the token already included.
When the user clicks the link, you check that the token has not expired already and if it hasn't then allow them to change their password.
Once the password has been changed, either mark the token as already used, or simply delete it from your table.
GUIDs are good for this kind of functionality, they are unique enough and impossible to guess.
DO NOT go with anything sequential, or short ( 5, 6 characters ) as those are easy to guess / brute force.