Question: How do I enforce strong passwords using membership in ASP.NET 2.0?
Answer:
You can enforce strong passwords using membership by configuring the attributes minRequiredPasswordLength, minRequiredNonalphanumericCharacters, and passwordStrengthRegularExpression on your membership provider configuration.
Strong passwords help defend against brute force attacks and dictionary attacks.
The default password strength is set to a minimum password length of 7 characters with at least 1 non-alphanumeric character for both SqlMembershipProvider and ActiveDirectoryMembershipProvider. If you are using the ActiveDirectoryMembershipProvider with Active Directory, your domain password policy is used by default, although you can further strengthen password policy by overriding this with your membership configuration by using the attributes listed earlier. Similarly, if you are using ActiveDirectoryMembershipProvider with ADAM, your local password policy is used, although you can override this with your membership configuration.
If you need to configure your membership provider to enforce specific strong password rules, you can use regular expressions, or you can set specific max and min requirements for numeric, alphabetic and alphanumeric characters.
Using a regular expression
<membership ...>
  <providers>
    <!-- Requires a digit, a lowercase letter and an uppercase letter; 8 to 10 characters in total -->
    <add passwordStrengthRegularExpression=
           "^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$" .../>
  </providers>
</membership>
Using minimum length and non-alphanumeric characters
<membership ...>
  <providers>
    <!-- At least 10 characters, at least 2 of them non-alphanumeric -->
    <add minRequiredPasswordLength="10" minRequiredNonalphanumericCharacters="2" .../>
  </providers>
</membership>
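The following C# sketch is an added example, not code from the original page or from the framework. It shows how the values from the two configurations above behave when they are set on the same provider, assuming the provider applies all three checks in turn and counts non-alphanumeric characters with char.IsLetterOrDigit; PasswordPolicy and FirstFailure are hypothetical names, and the sample passwords are constructed.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example: approximates how the three membership settings combine.
// PasswordPolicy and its members are hypothetical names, not a framework API.
public sealed class PasswordPolicy
{
    private readonly int minLength;
    private readonly int minNonAlphanumeric;
    private readonly string strengthRegex; // empty string disables the regex check

    public PasswordPolicy(int minLength, int minNonAlphanumeric, string strengthRegex)
    {
        this.minLength = minLength;
        this.minNonAlphanumeric = minNonAlphanumeric;
        this.strengthRegex = strengthRegex ?? string.Empty;
    }

    // Returns null when the password is accepted, otherwise the first failed setting.
    public string FirstFailure(string password)
    {
        if (password == null || password.Length < minLength)
            return "minRequiredPasswordLength";

        int nonAlphanumeric = 0;
        foreach (char c in password)
            if (!char.IsLetterOrDigit(c)) nonAlphanumeric++;
        if (nonAlphanumeric < minNonAlphanumeric)
            return "minRequiredNonalphanumericCharacters";

        if (strengthRegex.Length > 0 && !Regex.IsMatch(password, strengthRegex))
            return "passwordStrengthRegularExpression";

        return null;
    }
}

public static class Program
{
    public static void Main()
    {
        // Values from the two configurations on this page, applied together.
        PasswordPolicy policy = new PasswordPolicy(
            10, 2, @"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$");

        // Constructed sample passwords, one per outcome.
        string[] samples = { "Ab1!", "Abcdefgh12", "Abcdef1!#x", "Abcdefgh1!#xyz" };
        foreach (string p in samples)
            Console.WriteLine("{0,-16} {1}", p, policy.FirstFailure(p) ?? "accepted");
    }
}
```

The last sample fails only because of the {8,10} upper bound in the regular expression: together with a minimum length of 10, these settings accept passwords of exactly 10 characters and reject longer ones.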
More Information
For more information on enforcing strong passwords, see "How To: Protect Forms Authentication in ASP.NET 2.0" at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000012.asp