Lowering password strength with ASP.Net Authentication

In implementing authentication recently I found it troublesome to pinpoint how to modify this setting. So, here’s how.

In this example, I am using the AspNetSqlMembershipProvider over the Active Directory one. I haven’t changed the name from that, although you could.
This link explains how:

http://msdn.microsoft.com/en-us/library/ff648345.aspx

In your web.config’s system.web section you’ll need:

<membership>
  <providers>
    <remove name="AspNetSqlMembershipProvider" />
    <add name="AspNetSqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="LocalSqlServer"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="true"
         applicationName="/"
         requiresUniqueEmail="false"
         minRequiredPasswordLength="1"
         minRequiredNonalphanumericCharacters="0"
         passwordFormat="Hashed"
         maxInvalidPasswordAttempts="5"
         passwordAttemptWindow="10"
         passwordStrengthRegularExpression="" />
  </providers>
</membership>

Let’s talk about some pieces here.

<remove name="AspNetSqlMembershipProvider" />

could also be <clear/>, which removes all inherited providers instead of just the one named.

Additionally, the Machine.config file contains a default SqlMembershipProvider instance named AspNetSqlMembershipProvider, which is why I’m replacing it with my web application’s web.config setting.
This is explained in depth here: http://msdn.microsoft.com/en-us/library/ff648345.aspx

minRequiredPasswordLength sets the minimum password length (can be 1 to 128).
passwordStrengthRegularExpression sets a regular expression that the password will be validated against; leaving it empty, as above, applies no pattern check.
In my recent user testing, the defaults for these settings proved to be annoying and unnecessary.
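
A defender-side check for the settings discussed above, added here as an example and not part of the original post: it parses a web.config and lists the membership-provider password settings that fall below a review baseline. The thresholds MIN_LENGTH and MAX_LOCKOUT_ATTEMPTS, the function name audit_membership and the sample file are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the provider from the post inside a minimal web.config.
SAMPLE_WEB_CONFIG = """<configuration><system.web><membership><providers>
  <remove name="AspNetSqlMembershipProvider" />
  <add name="AspNetSqlMembershipProvider"
       enablePasswordRetrieval="false"
       minRequiredPasswordLength="1"
       minRequiredNonalphanumericCharacters="0"
       passwordFormat="Hashed"
       maxInvalidPasswordAttempts="5"
       passwordStrengthRegularExpression="" />
</providers></membership></system.web></configuration>"""

# Assumed review baseline (hypothetical values; substitute your own policy).
MIN_LENGTH = 8
MAX_LOCKOUT_ATTEMPTS = 10

def audit_membership(xml_text):
    """Return {provider name: [findings]} for every <add> under membership/providers."""
    root = ET.fromstring(xml_text)
    report = {}
    for add in root.findall("./system.web/membership/providers/add"):
        a = add.attrib
        findings = []
        # Attributes that are absent inherit the provider default and are not judged here.
        length = a.get("minRequiredPasswordLength")
        if length is not None and int(length) < MIN_LENGTH:
            findings.append(f"minRequiredPasswordLength={length} is below {MIN_LENGTH}")
        if (a.get("minRequiredNonalphanumericCharacters") == "0"
                and a.get("passwordStrengthRegularExpression", "") == ""):
            findings.append("no composition rule: length is the only password check")
        fmt = a.get("passwordFormat")
        if fmt is not None and fmt != "Hashed":
            findings.append(f"passwordFormat={fmt} stores recoverable passwords")
        if a.get("enablePasswordRetrieval", "").lower() == "true":
            findings.append("enablePasswordRetrieval=true lets stored passwords be read back")
        attempts = a.get("maxInvalidPasswordAttempts")
        if attempts is not None and int(attempts) > MAX_LOCKOUT_ATTEMPTS:
            findings.append(f"maxInvalidPasswordAttempts={attempts} exceeds {MAX_LOCKOUT_ATTEMPTS}")
        report[a.get("name", "(unnamed)")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_membership(SAMPLE_WEB_CONFIG).items():
        print(name)
        for f in findings:
            print("  -", f)
```
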

Cheers.

© Copyright Duke Hall - Designed by Pexeto