Changing the Password Complexity in ASP.NET V2.0
page 1 of 1
Published: 31 May 2006
Unedited - Community Contributed
Abstract
This article shows you how to tweak passwords in ASP.NET 2.0.
by Web Team at ORCS Web
Feedback
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 11078/ 15

 

One of the first things many people try with ASP.NET V2.0 (currently in Beta 2) and with the starter kits is to create a new user.  Creating a new user will be common in ASP.NET version 2.0, whether it is the CreateUserWizard, a starter kit form, or using the Membership namespace from code.  Immediately following that is often a sigh of frustration when a fairly non-descriptive error occurs: "Please enter a different password."  What is that supposed to mean?  Is it recommending passwords for us now and not pleased with the one we chose?  Did the passwords not match?  Even carefully double-checking and trying again with a password that is 7 characters and has numbers and upper case and lower case letters triggers this non-descriptive error.

The issue is simply this: ASP.NET V2.0, at the time of writing, has a password complexity requirement of 7 characters and at last 1 non-alphanumeric character.  For example, "Complex592PaSsWoRd" is not complex enough.  A space or a special character is required.  Now, being cautious about security is one thing, but many of the V2.0 sites out there now are test sites, personal or club starter kits, or something fairly light.  Personally, I like to loosen the requirements somewhat, or even loosen them a lot and allow the user to determine how complex he or she wants the password.

Fortunately, there are a couple of solutions and neither is too complex.  The first solution is to enter a more complex password.  The second is to override the default complexity requirement and put in your own.

The provider that controls this is the membership provider.  This is set by default in the machine.config file on the server.  It can be changed at the machine.config file or overridden in the web.config file at the site level.

The two properties that control this are minRequiredPasswordLength and minRequiredNonalphanumericCharacters.  They are not in machine.config or by default in the Beta 2 timeframe.  I am not sure if there are plans to change this or not.  To override it, simply add them to the <add name="AspNetSqlMembershipProvider" /> section.  The minRequiredPasswordLength property must be at least 1, while the minReqiredNonalphanumericCharacters property can be 0.  Here is an example of the two lines to add that will remove the requirements completely and allow the user to decide on his or her password.  Do not hold me accountable if you open this too much, but I give this example as the other extreme of the default settings.

minRequiredPasswordLength="1"
minRequiredNonalphanumericCharacters="0" 

Now, let us say we want to do this at the web.config level.  This is easy enough too.  The hitch is that because it already exists at the machine.config level, there will be a clash between the two.  So, you must first "remove" the provider that is defined at the machine level and add the adjusted one back at the site level.  This can all be done from your web.config file. To remove the existing one, (I am assuming default names) you use

<remove name="AspNetSqlMembershipProvider"/>

Here is an example of a complete web.config file that could be used.  If you have an existing web.config file that you want to work this into, take the section below from <membership> to </membership>, and place it in your <system.web> section.

<?xml version="1.0"?>
<configuration 
xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<connectionStrings>
  <remove name="LocalSqlServer"/>
  <add name="LocalSqlServer" 
connectionString="Data Source=.\SQLExpress;Integrated
  Security=True;User 
Instance=True;AttachDBFilename=|DataDirectory|aspnetdb.mdf"/>
</connectionStrings>
<system.web>
<membership>
<providers>
<remove name="AspNetSqlMembershipProvider" />
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider,
System.Web, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="LocalSqlServer"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
applicationName="/"
requiresUniqueEmail="false"
minRequiredPasswordLength="1"
minRequiredNonalphanumericCharacters="0"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="5"
passwordAttemptWindow="10"
passwordStrengthRegularExpression=""/>
</providers>
</membership>
</system.web>
</configuration>

Of course, anything in my example can be adjusted however you want, as long as it is within an allowed range.  Take note especially of the connectionStringName, which is referenced in the ConnectionString section of web.config and/or machine. config.  If you changed your connection string name, then make sure to update the reference to that connection string there.  Another thing to take note of is the connection string in this example.  That connection string will only work if SQL Server Express is installed on the server and "user instancing" is enabled.  At ORCS Web for example, we disable user instancing (because of security considerations), create a database for clients when first setting up sites, and then we provide an alternative connection string which should be used instead.

That is it.  Once you set this, you will be able to have a password that is not quite so complex. This quick example only briefly covers other considerations, like the connectionStringName, user instancing, type of database used and additional properties, but I hope it gives enough information to lay the foundation of managing the password complexity within ASP.NET v2.0.



User Comments

Title: merci   
Name: Rshiya
Date: 2012-05-16 6:52:23 AM
Comment:
merci c'est parfait
Title: great   
Name: hassan
Date: 2009-11-12 6:59:20 PM
Comment:
very nice explain and thanks for take your time for us
Title: Great   
Name: shail
Date: 2009-03-05 3:06:04 PM
Comment:
Thanks. Its work perfect.
Title: Excellent! Thanks!   
Name: Darrel Sparzo
Date: 2009-03-03 1:53:44 PM
Comment:
I have been looking & yours is simplest and actually works!
Title: changing the password complexity   
Name: rajeev kumar
Date: 2009-01-18 11:34:30 AM
Comment:
hi
thank u a lot.finally i got what i want
Title: thank you   
Name: Ibrahim
Date: 2008-07-07 5:37:51 AM
Comment:
it works properly and you saved my time.
Title: Finally something that works   
Name: Tom
Date: 2008-03-12 7:53:23 AM
Comment:
I have been looking to numerous 'solutions' for this problem, this is the first article that actually copy-paste-works. Thx for that
Title: Re: Small Correction to web.config code   
Name: Scott Forsyth
Date: 2006-08-28 8:39:55 AM
Comment:
Hi Samart3,

Thanks for pointing that out. This must have happened when publishing the article. I'll see that that is fixed.
Title: Small Correction to web.config code   
Name: Samart3
Date: 2006-08-27 8:06:56 PM
Comment:
The section for web.config has a small typo!

It is on Line 5, 14, 15 - a space is needed between in "removename =" or "addname =" They should read "remove name =" or "add name ="

Once fixed this worked great!

Product Spotlight
Product Spotlight 





Community Advice: ASP | SQL | XML | Regular Expressions | Windows


©Copyright 1998-2024 ASPAlliance.com  |  Page Processed at 2024-03-29 3:37:39 AM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search