Sergey is absolutely correct. Let me summarize all comments and put my thoughts.
You should store the encrypted version of password, not the exact password, in your database. When somebody forget password, you will ask for the email id or other details according to your business logic. Then you send one reset link with a temporary password (if you can), by which the user can provide one new password for the account.
Now, you take this new password and store it again in database in encrypted format. Don't store the exact password in plain text format.
Coming to the exception...
Quote:
Exception Details: System.FormatException: The specified string is not in the form required for an e-mail address
Seems like issue is with the
toAddress
. Debug and see what is the value in the below line.
var toAddress = dt.Rows[0][0].ToString();