Membership in the .NET framework 2.0 allows you to add security to your application with little to no code. When trying to enforce strong password rules in our church software I encountered an interesting problem.

At first I modified the web.config by adding the following line to our membership provider section:

    passwordStrengthRegularExpression="(?=.{8,})[a-z]+[^a-z]+|[^a-z]+[a-z]+"

RegEx explained: 8 characters or more in length, at least 1 lowercase letter, at least 1 character that is not a lowercase letter.

I removed:

    minRequiredPasswordLength="0"
    minRequiredNonalphanumericCharacters="1"

After some testing I found that even when following the password rules, a password change would fail. The ChangePassword control, which is part of the Login suite of controls, doesn’t give you any information as to why the password change failed.

After a few reviews of my RegEx and confirming that the syntax is correct in code and with some useful online regular expression testers (see links below), I tried changing the password using the following code:

    // requires: using System.Web.Security;
    MembershipUser mUser = Membership.GetUser(); // gets the currently logged-in user
    // change the password
    mUser.ChangePassword(mUser.GetPassword(), "invalidpassword");

That caused the following exception:

    System.ArgumentException: Non alpha numeric characters in 'newPassword' needs to be greater than or equal to '1'.

Removing the attribute from web.config had not switched the rule off; the provider was still requiring one non-alphanumeric character. So I added this line:

    minRequiredNonalphanumericCharacters="0"

And our password complexity rule started working properly.

I won’t start a debate on the merit of setting the minimum required non alphanumeric characters (say that ten times) to 1, but hopefully this will help someone somewhere some time.

Links:

JavaScript Regular Expression Tester
http://www.roblocher.com/technotes/regexp.aspx

.NET Regular Expression Tester
http://www.dotnetcoders.com/web/Learning/Regex/RegexTester.aspx
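To see which rule rejects a given password, the checks described above can be reproduced outside the ChangePassword control. This is an added example, not code from the original post or from the framework; it also shows that the post's regex applies its 8-character lookahead only to the first alternative. Assumptions: the provider checks length, then the non-alphanumeric count, then an unanchored Regex.IsMatch, with defaults of 7 and 1 when the attributes are omitted; `FirstFailure` and `AnchoredRegex` are hypothetical names introduced here.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

static class PasswordPolicyCheck
{
    // Regex from the post, and a stricter variant added here for comparison
    // (the anchored form is an assumption of this example, not the author's).
    const string PostRegex = "(?=.{8,})[a-z]+[^a-z]+|[^a-z]+[a-z]+";
    const string AnchoredRegex = @"^(?=.{8,})(?=.*[a-z])(?=.*[^a-z]).*$";

    // Hypothetical helper: names the first rule that rejects the password,
    // or returns "accepted". Check order is assumed, see the lead-in.
    static string FirstFailure(string pwd, int minLength, int minNonAlnum, string regex)
    {
        if (pwd.Length < minLength)
            return "too short (minRequiredPasswordLength=" + minLength + ")";
        int nonAlnum = pwd.Count(c => !char.IsLetterOrDigit(c));
        if (nonAlnum < minNonAlnum)
            return "needs " + minNonAlnum + " non-alphanumeric character(s)";
        if (regex.Length > 0 && !Regex.IsMatch(pwd, regex))
            return "regex mismatch";
        return "accepted";
    }

    static void Main()
    {
        // Constructed sample passwords.
        string[] samples = { "invalidpassword", "validpass1", "1abcdef", "abcdefg1" };
        foreach (string p in samples)
        {
            Console.WriteLine(p);
            // Attributes removed from web.config: assumed defaults (7, 1) apply.
            Console.WriteLine("  defaults, post regex:     " + FirstFailure(p, 7, 1, PostRegex));
            // The post's fix: minRequiredNonalphanumericCharacters="0".
            Console.WriteLine("  nonalnum=0, post regex:   " + FirstFailure(p, 7, 0, PostRegex));
            // Same settings with the anchored variant.
            Console.WriteLine("  nonalnum=0, anchored:     " + FirstFailure(p, 7, 0, AnchoredRegex));
        }
    }
}
```

Because `|` binds more loosely than the lookahead, `1abcdef` (7 characters) satisfies the post's regex through its second alternative, while the anchored variant rejects it.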