One of the first things many people try with ASP.NET V2.0
(currently in Beta 2) and with the starter kits is to create a new user. Creating
a new user will be common in ASP.NET version 2.0, whether it is the
CreateUserWizard, a starter kit form, or using the Membership namespace from
code. Immediately following that is often a sigh of frustration when a fairly
non-descriptive error occurs: "Please enter a different password." What
is that supposed to mean? Is it recommending passwords for us now and not
pleased with the one we chose? Did the passwords not match? Even carefully
double-checking and trying again with a password that is 7 characters and has
numbers and upper case and lower case letters triggers this non-descriptive
error.
The issue is simply this: ASP.NET V2.0, at the time of
writing, has a default password complexity requirement of at least 7 characters and at least 1
non-alphanumeric character. For example, "Complex592PaSsWoRd" is not
complex enough, despite its length and mixed case: a space or a special character is required. Now, being
cautious about security is one thing, but many of the V2.0 sites out there now
are test sites, personal or club starter kits, or something fairly light. Personally,
I like to loosen the requirements somewhat, or even loosen them a lot and allow
the user to determine how complex he or she wants the password.
Fortunately, there are a couple of solutions and neither is
too complex. The first solution is to enter a more complex password. The
second is to override the default complexity requirement and put in your own.
The provider that controls this is the membership provider. This
is set by default in the machine.config file on the server. It can be changed
at the machine.config file or overridden in the web.config file at the site
level.
The two properties that control this are
minRequiredPasswordLength and minRequiredNonalphanumericCharacters. In the Beta 2
timeframe they are not listed in machine.config, so the provider's built-in defaults
(7 and 1) apply. I am not sure if there are plans to change this or not. To override
them, simply add the two attributes to the
<add name="AspNetSqlMembershipProvider" ... /> element. The
minRequiredPasswordLength property must be at least 1, while the
minRequiredNonalphanumericCharacters property can be 0. Here is an example of
the two attributes to add that will remove the requirements completely and allow the
user to decide on his or her password. Do not hold me accountable if you open
this too much: a length of 1 means a one-character password is accepted, so for
anything beyond a test site keep a sensible length floor and relax only the
non-alphanumeric count. I give this example as the other extreme of the default
settings.
minRequiredPasswordLength="1"
minRequiredNonalphanumericCharacters="0"
Now, let us say we want to do this at the web.config level. This
is easy enough too. The hitch is that a provider named AspNetSqlMembershipProvider
is already added at the machine.config level, and adding a second provider with the
same name raises a configuration error. So, you must
first "remove" the provider that is defined at the machine level and then
add the adjusted one back at the site level. This can all be done from your
web.config file. To remove the existing one (I am assuming default names), you
use
<remove name="AspNetSqlMembershipProvider"/>.
Here is an example of a complete web.config file that could
be used. If you have an existing web.config file that you want to work this into,
take the section below from <membership> to </membership>, and
place it in your <system.web> section.
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <connectionStrings>
    <remove name="LocalSqlServer"/>
    <add name="LocalSqlServer"
         connectionString="Data Source=.\SQLExpress;Integrated Security=True;User Instance=True;AttachDBFilename=|DataDirectory|aspnetdb.mdf"/>
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <remove name="AspNetSqlMembershipProvider"/>
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="LocalSqlServer"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             applicationName="/"
             requiresUniqueEmail="false"
             minRequiredPasswordLength="1"
             minRequiredNonalphanumericCharacters="0"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression=""/>
      </providers>
    </membership>
  </system.web>
</configuration>
Of course, anything in my example can be adjusted however
you want, as long as it is within an allowed range. Take note especially of
the connectionStringName, which refers to an entry in the <connectionStrings> section
of web.config and/or machine.config. If you changed your connection string
name, then make sure to update the reference to that connection string there. Another
thing to take note of is the connection string in this example. That connection
string will only work if SQL Server Express is installed on the server and
"user instancing" is enabled. At ORCS Web, for example, we disable
user instancing (because of security considerations), create a database for
clients when first setting up sites, and then provide an alternative
connection string which should be used instead.
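When a password fails the provider's checks, Membership.CreateUser reports MembershipCreateStatus.InvalidPassword, which is all the generic "Please enter a different password" message has to go on. The following code-behind is an added example, not code from the original article: it reads the configured limits back from the Membership class and tells the user which of the provider's three checks (minimum length, non-alphanumeric count, or passwordStrengthRegularExpression) rejected the password. The Register page class and the control IDs UserName, Password, Email, Question, Answer and Status are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web.Security;

// Explains why a password is rejected, using the same three checks the
// SqlMembershipProvider applies: minimum length, minimum number of
// non-alphanumeric characters, and the optional strength regular expression.
// Returns null when the password passes all three.
public static class PasswordPolicy
{
    // Reads the limits from the configured membership provider
    // (the minRequiredPasswordLength, minRequiredNonalphanumericCharacters
    // and passwordStrengthRegularExpression attributes in web.config).
    public static string Explain(string password)
    {
        return Explain(password,
                       Membership.MinRequiredPasswordLength,
                       Membership.MinRequiredNonAlphanumericCharacters,
                       Membership.PasswordStrengthRegularExpression);
    }

    // Overload taking the limits explicitly so the logic can be exercised
    // outside a web request, e.g. Explain("Complex592PaSsWoRd", 7, 1, "")
    // returns the non-alphanumeric message because the password has none.
    public static string Explain(string password, int minLength,
                                 int minNonAlphanumeric, string strengthRegex)
    {
        if (password == null || password.Length < minLength)
            return String.Format("Password must be at least {0} characters long.", minLength);

        // The provider counts every character that is not a letter or digit,
        // so a space satisfies the requirement just as punctuation does.
        int nonAlphanumeric = 0;
        foreach (char c in password)
            if (!Char.IsLetterOrDigit(c))
                nonAlphanumeric++;

        if (nonAlphanumeric < minNonAlphanumeric)
            return String.Format(
                "Password must contain at least {0} non-alphanumeric character(s) such as a space or punctuation; it has {1}.",
                minNonAlphanumeric, nonAlphanumeric);

        if (!String.IsNullOrEmpty(strengthRegex) && !Regex.IsMatch(password, strengthRegex))
            return "Password does not match the site's password pattern.";

        return null;
    }
}

// Code-behind for a hypothetical registration page (control names are assumptions).
// Question and Answer are passed because the example web.config sets
// requiresQuestionAndAnswer="true"; without them CreateUser reports InvalidQuestion.
public partial class Register : System.Web.UI.Page
{
    protected void CreateButton_Click(object sender, EventArgs e)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(UserName.Text, Password.Text, Email.Text,
                              Question.Text, Answer.Text, true, out status);

        if (status == MembershipCreateStatus.Success)
            Status.Text = "Account created.";
        else if (status == MembershipCreateStatus.InvalidPassword)
            // Replace the generic message with the rule that actually failed.
            Status.Text = PasswordPolicy.Explain(Password.Text)
                          ?? "The password was rejected by the membership provider.";
        else
            Status.Text = status.ToString();
    }
}
```

The explicit overload is what makes the check testable: with the article's defaults (7, 1, empty regex) "Complex592PaSsWoRd" is rejected for having no non-alphanumeric character, while "Complex592 PaSsWoRd" passes because the space counts. After relaxing web.config to 1 and 0, the same helper reports nothing and CreateUser succeeds.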
That is it. Once you set this, the site will accept
passwords that are not quite so complex. This quick example only briefly covers
other considerations, like the connectionStringName, user instancing, the type of
database used and the additional provider properties, but I hope it gives enough information
to lay the foundation for managing password complexity within ASP.NET v2.0.