Membership in the .NET framework 2.0 allows you to add security to your application with little to no code.
When trying to enforce strong password rules in our church software, I encountered an interesting problem.
At first I modified the web.config by adding the following line to our membership provider section.
passwordStrengthRegularExpression="(?=.{8,})[a-z]+[^a-z]+|[^a-z]+[a-z]+"
RegEx explained: 8 characters or more in length, at least 1 lowercase letter, at least 1 character that is not a lowercase letter.
I removed:
minRequiredPasswordLength="0"
minRequiredNonalphanumericCharacters="1"
After some testing I found that even when following the password rules, a password change would fail.
The ChangePassword control, which is part of the Login suite of controls, doesn’t give you any information as to why the password change failed.
After a few reviews of my RegEx and confirming that the syntax is correct in code and with some useful online regular expression testers (see links below), I tried changing the password using the following code:
MembershipUser mUser = Membership.GetUser(); //gets the current logged in user
//change the password
mUser.ChangePassword(mUser.GetPassword(), "invalidpassword");
That caused the following exception: System.ArgumentException: Non alpha numeric characters in 'newPassword' needs to be greater than or equal to '1'.
So I added this line:
minRequiredNonalphanumericCharacters="0"
And our password complexity rule started working properly.
I won’t start a debate on the merit of setting the minimum required non alphanumeric characters (say that ten times) to 1, but hopefully this will help someone somewhere some time.
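To see which rule rejects a given password under each configuration above, the following added example (not code from the original post or from the .NET provider) models the checks as length, then non-alphanumeric count, then regex, the order implied by the exception. The `Check` helper and `AnchoredRegex` are hypothetical names introduced here, the sample passwords are constructed, and the defaults of 7 and 1 assume SqlMembershipProvider with the attributes omitted and an unanchored `Regex.IsMatch` test.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

static class PasswordPolicyCheck
{
    // Expression from the post, and an anchored rewrite (added here) where every
    // requirement is a lookahead, so the length rule covers the whole password.
    const string PostRegex = @"(?=.{8,})[a-z]+[^a-z]+|[^a-z]+[a-z]+";
    const string AnchoredRegex = @"^(?=.{8,})(?=.*[a-z])(?=.*[^a-z]).*$";

    // Hypothetical model of the provider's checks; returns the first rule that rejects.
    static string Check(string pw, int minLength, int minNonAlnum, string regex)
    {
        if (pw.Length < minLength) return "too short";
        if (pw.Count(c => !char.IsLetterOrDigit(c)) < minNonAlnum) return "needs non-alphanumeric";
        if (!Regex.IsMatch(pw, regex)) return "regex mismatch";
        return "accepted";
    }

    static void Main()
    {
        // Constructed sample passwords.
        string[] samples = { "invalidpassword", "Summer1", "Summer12", "summer-12" };
        foreach (string pw in samples)
        {
            // Attributes removed: assumed defaults of length 7 and 1 non-alphanumeric apply.
            string defaults = Check(pw, 7, 1, PostRegex);
            // minRequiredNonalphanumericCharacters="0", as in the post's final config.
            string postFinal = Check(pw, 7, 0, PostRegex);
            // Same settings with the anchored expression.
            string anchored = Check(pw, 7, 0, AnchoredRegex);
            Console.WriteLine("{0,-16} defaults: {1,-22} post: {2,-14} anchored: {3}",
                pw, defaults, postFinal, anchored);
        }
    }
}
```

In the post's expression the `(?=.{8,})` lookahead belongs only to the first alternative, so a seven-character password such as `Summer1` matches through `[^a-z]+[a-z]+`; the anchored form applies the length rule to every password.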
Links:
JavaScript Regular Expression Tester
http://www.roblocher.com/technotes/regexp.aspx
.NET Regular Expression Tester
http://www.dotnetcoders.com/web/Learning/Regex/RegexTester.aspx