Changing the Password Complexity in ASP.NET V2.0
Scott Forsyth
May 26, 2005
One of the first things many people try with ASP.NET V2.0 (currently in Beta 2)
and with the starter kits is to create a new user. Creating a new user will be common
in ASP.NET version 2.0, whether it is the CreateUserWizard, a starter kit form or
using the Membership namespace from code. Immediately following that is often a
sigh of frustration when a fairly non-descriptive error occurs: "Please enter a different password." What is that supposed to mean? Is it recommending passwords
for us now and not pleased with the one we chose? Did the passwords not match? Even
carefully double checking and trying again with a password that is 7 characters
and has numbers and upper case and lower case letters triggers this non-descriptive
error.
The issue is simply this: ASP.NET V2.0, at the time of writing, has a password complexity
requirement of 7 characters and at last 1 non-alphanumeric character. For example,
'Complex592PaSsWoRd' isn't complex enough. A space or a special character is required.
Now, being cautious about security is one thing, but many of the V2.0 sites out
there now are either test sites, personal or club starter kits or something fairly
light. Personally I like to loosen the requirements somewhat, or even loosen them
a lot and allow the user to determine how complex they want their password.
Fortunately there are a couple solutions and neither are too complex. The first
solution obviously is to enter a more complex password. The second is to override
the default complexity requirement and put in your own.
The provider that controls this is the membership provider. This is set by default
in the machine.config file on the server. It can be changed at the machine.config
file or overridden in the web.config file at the site level.
The two properties that control this are minRequiredPasswordLength and minRequiredNonalphanumericCharacters.
They aren't in machine.config by default in the Beta 2 timeframe. I'm not sure if
there are plans to change this or not. To override it, simply add them to the <add
name="AspNetSqlMembershipProvider" /> section. The minRequiredPasswordLength
property must be at least 1, while the minReqiredNonalphanumericCharacters property
can be 0. Here is an example of the two lines to add which removes the requirements
completely and allows the user to decide on their password. Don't hold me accountable
if you open this too much, but I give this example as the other extreme of the default
settings.
minRequiredPasswordLength="1"
minRequiredNonalphanumericCharacters="0"
Now, let's say we want to do this at the web.config level. This is easy enough too.
The gotcha is that because it already exists at the machine.config level, there
will be a clash between the two. So, you must first "remove" the provider that is
defined at the machine level and add the adjusted one back at the site level. This
can all be done from your web.config file. To remove the existing one, (I'm assuming
default names) you use
<remove name="AspNetSqlMembershipProvider" />
Here is an example of a complete web.config file that could be used. If you have
an existing web.config file that you want to work this into, take the section between
and including <membership> and </membership> and place it in your <system.web>
section.
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/
.NetConfiguration/v2.0">
<connectionStrings>
<remove name="LocalSqlServer"/>
<add name="LocalSqlServer" connectionString="Data Source=
.\SQLExpress;Integrated Security=True;User
Instance=True;AttachDBFilename=|DataDirectory|aspnetdb.mdf" />
</connectionStrings>
<system.web>
<membership>
<providers>
<remove name="AspNetSqlMembershipProvider" />
<add name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider,
System.Web, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="LocalSqlServer"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
applicationName="/"
requiresUniqueEmail="false"
minRequiredPasswordLength="1"
minRequiredNonalphanumericCharacters="0"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="5"
passwordAttemptWindow="10"
passwordStrengthRegularExpression="" />
</providers>
</membership>
</system.web>
</configuration>
Of course anything in my example can be adjusted however you want as long as it
is within an allowed range. Take note especially of the connectionStringName which
is referenced in the ConnectionString section of web.config and/or machine. config.
If you changed your connection string name, then make sure to update the reference
to that connection string there. Another thing to take note of is the connection
string in this example. That connection string will only work if Sql Server Express
is installed on the server and "user instancing" is enabled. At ORCS Web for example,
we disable user instancing (because of security considerations), create a database
for clients when first setting up sites, and then we provide an alternative connection
string which should be used instead.
That's it. Once you set this, you'll be able to have a password that isn't quite
so complex. This quick example only briefly covers other considerations like the
connectionStringName, user instancing, type of database used and additional properties
but I hope it gives enough information to lay the foundation of managing the password
complexity within ASP.NET v2.0.
Scott Forsyth is the Director of IT
with ORCS Web, Inc.
- a company that provides managed hosting solutions for clients who develop and deploy their applications on Microsoft Windows platforms. Services include shared hosting, dedicated hosting, and webfarm hosting, with specialty in .Net, SQL Server, and architecting highly scalable solutions.