How do I enforce strong passwords using the membership feature in ASP.NET 2.0?

From Guidance Share


J.D. Meier, Prashant Bansode, Alex Mackman

Answer

You can enforce strong passwords with membership by setting the minRequiredPasswordLength, minRequiredNonalphanumericCharacters, and passwordStrengthRegularExpression attributes on your membership provider configuration. Strong passwords help defend against brute force and dictionary attacks. By default, both SqlMembershipProvider and ActiveDirectoryMembershipProvider require a minimum password length of 7 characters with at least 1 non-alphanumeric character. If you use ActiveDirectoryMembershipProvider with Active Directory, your domain password policy is used by default, although you can strengthen the policy further by overriding it in your membership configuration with the attributes listed above. Similarly, if you use ActiveDirectoryMembershipProvider with ADAM, your local password policy is used, although you can override it with your membership configuration.

If you need to configure your membership provider to enforce specific strong password rules, you can use regular expressions, or you can set specific maximum and minimum requirements for numeric, alphabetic and alphanumeric characters.

  • Using a regular expression

  <membership ...>
     <providers>
        <!-- At least one digit, one lowercase and one uppercase letter; 8 to 10 characters in total -->
        <add passwordStrengthRegularExpression=
                   "^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$" .../>
     </providers>
  </membership>

  • Using minimum length and non-alphanumeric characters

  <membership ...>
     <providers>
        <!-- At least 10 characters, of which at least 2 are non-alphanumeric -->
        <add minRequiredPasswordLength="10" minRequiredNonalphanumericCharacters="2" .../>
     </providers>
  </membership>
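
To see how these settings treat concrete passwords before deploying them, the following added example (not code from the original page or from ASP.NET) applies a length check, a non-alphanumeric count, and the regular expression to a few constructed samples. The class and method names are hypothetical, and the checks are an approximation of how a membership provider combines the three attributes, not the provider's own source.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example: applies the three membership password settings to a candidate
// password. Class and method names are hypothetical, not part of ASP.NET.
public static class PasswordPolicyCheck
{
    // Returns null when the password satisfies every rule, otherwise the first failure.
    public static string FirstViolation(string password, int minLength,
                                        int minNonAlphanumeric, string strengthRegex)
    {
        if (password == null || password.Length < minLength)
            return "shorter than minRequiredPasswordLength";

        int nonAlphanumeric = 0;
        foreach (char c in password)
            if (!char.IsLetterOrDigit(c)) nonAlphanumeric++;
        if (nonAlphanumeric < minNonAlphanumeric)
            return "too few non-alphanumeric characters";

        if (!string.IsNullOrEmpty(strengthRegex) && !Regex.IsMatch(password, strengthRegex))
            return "does not match passwordStrengthRegularExpression";

        return null;
    }

    public static void Main()
    {
        // The regular expression from the first configuration on this page.
        const string pageRegex = @"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$";

        // Constructed sample passwords, for illustration only.
        string[] samples = { "Summer2024", "summer2024!", "Tr1cky#Pwd", "Correct-Horse-Battery-9" };

        foreach (string p in samples)
        {
            // Defaults stated on this page (7 and 1) combined with the page's regex.
            string combined = FirstViolation(p, 7, 1, pageRegex);
            // Second configuration on this page: length 10, two non-alphanumerics, no regex.
            string lengthOnly = FirstViolation(p, 10, 2, null);
            Console.WriteLine("{0,-24} regex+defaults: {1,-50} length/symbols: {2}",
                p, combined ?? "accepted", lengthOnly ?? "accepted");
        }
    }
}
```

The `.{8,10}` quantifier in the regular expression is an upper bound as well as a lower one, so the long passphrase in the samples is rejected under the regex configuration while the length-and-symbols configuration accepts it.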

More Information

For more information on enforcing strong passwords, see "How To: Protect Forms Authentication in ASP.NET 2.0" at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000012.asp
