ASP.NET Membership and passwordStrengthRegularExpression

by Sebastien Aube

Membership in the .NET framework 2.0 allows you to add security to your application with little to no code.

When trying to enforce strong password rules in our church software I encounteredan interesting problem.

At first I modified the web.config by adding the following line to our membershipprovider section.

passwordStrengthRegularExpression=“(?=.{8,})[a-z]+[^a-z]+|[^a-z]+[a-z]+”

RegEx explained: 8 characters or more in length, at least 1 lowercase letter,at least 1 character that is not a lower letter.

I removed:

minRequiredPasswordLength=“0”
minRequiredNonalphanumericCharacters=“1”

After some testing I found that even when following the password rules, a passwordchange would fail.

The ChangePassword control, which is part of the Login suite of controls, doesn’tgive you any information as to why the password changed failed.

After a few reviews of my RegEx and confirming that the syntax is correct in codeand with some useful online regular expression testers (see links below), I triedchanging the password using the following code:

MembershipUser mUser = Membership.GetUser(); //gets the current logged in user
//change the password
mUser.ChangePassword(mUser.GetPassword(), “invalidpassword”);

That caused the following exception: System.ArgumentException: Non alpha numeric charactersin ‘newPassword’ needs to be greater than or equal to ‘1’.

So I added this line:

minRequiredNonalphanumericCharacters=“0”

And our password complexity rule started working properly.

I won’t start a debate on the merit of setting the minimum required non alphanumericcharacters (say that ten times) to 1, but hopefully this will help someone somewheresome time.

Links:

JavaScript Regular Expression Tester
http://www.roblocher.com/technotes/regexp.aspx

.NET Regular Expression Tester
http://www.dotnetcoders.com/web/Learning/Regex/RegexTester.aspx