Scott Forsyth's Blog

Postings on IIS, ASP.NET, SQL Server, Webfarms and general system admin.

Cloud Resources

IIS Resources

Changing the Password Complexity in ASP.NET V2.0

One of the first things many people try with ASP.NET V2.0  (currently in Beta 2) and with the starter kits is to create a new user.  Whether it is the CreateUserWizard, a starter kit form or using the membership namespace from code, creating a new profile is going to happen.  Immediately following that is often a sigh of frustration when a fairly non-descriptive error occurs: "Please enter a different password."  What is that supposed to mean?  Is it recommending passwords for us now and not pleased with the one we chose?  Did the passwords not match?  Even carefully double checking and trying again with a password that is 7 characters and has numbers and upper case and lower case letters triggers this non-descriptive error.

The issue is simply this: ASP.NET V2.0, at the time of writing, has a password complexity requirement of 7 characters and at last 1 non-alphanumeric character.  For example, 'Complex592PaSsWoRd' isn't complex enough.  A space or a special character is required.  Now, being cautious about security is one thing, but many of the V2.0 sites out there now are either test sites, personal or club starter kits or something fairly light.  Personally I like to loosen the requirements somewhat, or even loosen them a lot and allow the user to determine how complex they want their password. 

Fortunately there are a couple solutions and neither are too complex.  The first solution obviously is to enter a more complex password.  The second is to override the default complexity requirement and put in your own.

The provider that controls this is the membership provider.  This is set by default in the machine.config file on the server.  It can be changed at the machine.config file or overridden in the web.config file at the site level.

The two properties that control this are minRequiredPasswordLength and minRequiredNonalphanumericCharacters.  They aren't in machine.config by default in the Beta 2 timeframe.  I'm not sure if there are plans to change this or not.  To override it, simply add them to the <add name="AspNetSqlMembershipProvider" /> section.  The minRequiredPasswordLength property must be at least 1, while the minReqiredNonalphanumericCharacters property can be 0.  Here is an example of the two lines to add which removes the requirements completely and allows the user to decide on their password.  Don't hold me accountable if you open this too much, but I give this example as the other extreme of the default settings.
      minRequiredPasswordLength="1"
      minRequiredNonalphanumericCharacters="0"

Now, let's say we want to do this at the web.config level.  This is easy enough too.  The gotcha is that because it already exists at the machine.config level, there will be a clash between the two.  So, you must first "remove" the provider set at the machine level and add it back at the site level.  To remove the existing one, (I'm assuming default names) you use <remove name="AspNetSqlMembershipProvider"
/>

Here is an example of a complete web.config file that could be used.  If you have an existing web.config file that you want to work this into, take the section between and including <membership> and </membership>
and place it in your <system.web> section.

<?xml version="1.0"?>
<
configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"
>
  <
connectionStrings
>
   
<remove name="LocalSqlServer"
/>
    <
add name="LocalSqlServer" connectionString="Data Source=.\SQLExpress;Integrated Security=True;User Instance=True;AttachDBFilename=|DataDirectory|aspnetdb.mdf"
/>
  </
connectionStrings
>
  <
system.web
>
    <
membership
>
      <
providers
>
        <
remove name="AspNetSqlMembershipProvider"
/>
        <
add name="AspNetSqlMembershipProvider"
                  type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                  connectionStringName="LocalSqlServer"
                  enablePasswordRetrieval="false"
                  enablePasswordReset="true"
                  requiresQuestionAndAnswer="true"
                  applicationName="/"
                  requiresUniqueEmail="false"
                  minRequiredPasswordLength="1"
                  minRequiredNonalphanumericCharacters="0"
                  passwordFormat="Hashed"
                  maxInvalidPasswordAttempts="5"
                  passwordAttemptWindow="10"
                  passwordStrengthRegularExpression=""
/>
      </
providers
>
    </
membership
>
 
</system.web
>
</configuration
>

Of course anything in my example can be adjusted however you want as long as it is within an allowed range.  Take note especially of the connectionStringName which is referenced in the ConnectionString section of web.config and/or machine.config.  If you changed your connection string name, then make sure to update the reference to that connection string there.  Another thing to take note of is the connection string in this example.  That connection string will only work if Sql Server Express is installed on the server and "user instancing" is enabled.  At ORCS Web (www.orcsweb.com) for example, we disable user instancing because of security considerations, create a database when first setting up the site, and provide an alternative connection string which should be used instead. 

That's it.  Once you set this, you'll be able to have a password that isn't quite so complex.  This quick example only briefly covers other considerations like the connectionStringName, user instancing, type of database used and additional properties but I hope it gives enough information to lay the foundation of managing the password complexity within ASP.NET v2.0.

Posted: May 11 2005, 06:50 PM by OWScott | with 23 comment(s)
Filed under:

Comments

bernhard frank said:

that really helped!
Thanks.
# May 22, 2005 3:07 PM

Jonatan Pedersen said:

Thank you. This was exactly what i was looking for.
# May 30, 2005 6:27 PM

Albert said:

That's owesome. I am lucky to find the page. Thanks!
# June 3, 2005 11:23 AM

Steve said:

If i still want the passwords Encrypted in the Database, i can set passwordFormat="Encrypted", but it throws the error:

You must specify a non-autogenerated machine key to store passwords in the encrypted format. Either specify a different passwordFormat, or change the machineKey configuration to use a non-autogenerated decryption key


How do i do "change the machineKey configuration to use a non-autogenerated decryption key" ??
# June 8, 2005 12:19 PM

Mike Brady said:

This is an old post, but gosh it is helpful.  It is amazing how much trouble I had finding out how to do this!

Thanks!

# July 31, 2006 4:27 PM

Ryan Hirschey said:

I was wracking my brains on this, especially since MSDN's explanation wasn't entirely clear.  I was trying to set a default provider, then removing it and adding a new provider of the same name, which wouldn't authenticate.  This worked perfectly to configure my site.

# August 8, 2006 1:13 AM

Ali Seraj said:

Thx, really helped.

# August 15, 2006 3:47 AM

Stephan van Stekelenburg said:

Thanks!! this was exactly what I was looking for :)

# October 20, 2006 5:28 PM

vishnu said:

thanks!!.... really helpful...

but problem is that i dont want to lock user.... he can try with duplicate password many time.

pls mail me on vishnubobade@yahoo.com

thanks in advance.

vishnu

# November 23, 2006 3:00 AM

Haroon Malik said:

I'm glad I found this post.

# December 14, 2006 7:32 AM

fancyface_147@hotmail.com said:

i would like to change my password

# February 11, 2007 5:21 PM

azlan said:

is the following line is required to be paste in web.config?

Is it the same for all machine?

type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

# March 18, 2007 12:06 AM

yossi said:

Hi, first it was very helpful thank you.

i have question ,the site remember the user for 4 hour i guess its default but how can i chang it (i want that its will always remember you once you write the password..)

# April 1, 2007 4:43 AM

Daniel said:

Thanks, this really helped

# April 16, 2007 5:35 PM

nikoda said:

Brilliant. Thanks a lot!

# May 11, 2007 8:52 AM

stefski said:

Thanks a lot.  Worked a treat.  I'd read other similar posts which did not work.  The secret is in resetting the name first.

# May 23, 2007 7:12 AM

Girish said:

Hi,

I have to integrate 2 sites i.e their users and all the good stuff. Both the sites are on same DB server but different databases. So the best way for data synchronization is at Database level. So, when users are created on old site they should be created on new site automatically as well. If I use encrypted password in the app on the new site, how do I encrypt the passwords using stored procs while inserting new users from old site?

Short and sweet: How do encrypt the password at Database level (in stored procs) the same way as the app with passwordFormat="encrypted"?

Thanks,

Girish.

# May 29, 2007 5:38 AM

zhangtai said:

TOOOOOOOOOOOOOOOO GOOD!!!!

You're Champain!!!

# July 9, 2007 3:27 AM

dotmeatpack said:

Thanks for this article, I definitely needed this for the password stuff.

Also, for other problems regarding membership, check out this site:

stixbreakstonez.weebly.com/.../aspnet-membership.html

# January 20, 2011 11:07 PM

Tim Gale said:

Nice work, just what I needed.

# May 26, 2011 12:17 PM

vhanded said:

Thanks, this solved my problem.

# September 25, 2011 10:13 AM

Manesti said:

Thank you very much. wow, I have been cracking my brains

# March 7, 2012 5:03 PM

Mayuri said:

It really helps..thank you very much

# January 23, 2013 5:45 AM

John said:

I found a slight problem with this. The config file works perfectly, but unfortunately we are setting the password with a dumb rule. the setting above does not force the password to a very hard setup, I get that but there is no parameter for Minimum Alphanumeric characters. Even if you toughen it up to 7 characters long it could be set to $$$$$$$.

# April 28, 2013 11:17 AM
Leave a Comment

(required) 

(required) 

(optional)

(required)