This project is read-only.

Enforcing Strong Password Policy

Topics: User Forum
Jun 25, 2009 at 11:22 AM

Hi,

I am creating a website with mwpsk, and would like to make sure that all users have passwords with a minimum length and containing special characters. I found the following section in the web.config file, and tried changing the values for 'minRequiredPasswordLength' and 'minRequiredNonAlphanumericCharacters', but afterwards I could still enter weak passwords like 'test'.

<membership defaultProvider="CustomXmlMembershipProvider">
    <providers>
        <clear/>
        <add name="CustomXmlMembershipProvider" type="MyWebPagesStarterKit.Providers.CustomXmlMembershipProvider" maxInvalidPasswordAttempts="3" passwordAttemptWindow="5" minRequiredNonAlphanumericCharacters="0" minRequiredPasswordLength="3" passwordStrengthRegularExpression="" enablePasswordReset="true" enablePasswordRetrieval="true" requiresQuestionAndAnswer="True" requiresUniqueEmail="true"/>
    </providers>
</membership>

I then returned to the default values, and tried changing the password of a user to 'a', which is obviously shorter than 3 characters. This change worked, and I could log in using this single-character password. Surely I shouldn't be able to do this? How can I prevent my users from using weak passwords?

I am using the 1.2.2 production release.

Thankyou for your help,

Phil Tait