12.9. Enforcing Custom Password Strength Rules
By default, SqlMembershipProvider enforces password strength using a combination of the minRequiredPasswordLength, minRequiredNonalphanumericCharacters, and passwordStrengthRegularExpression provider configuration attributes. The default provider configuration in machine.config causes the provider to require at least seven characters in the password with at least one of these being a nonalphanumeric character. There is no default password strength regular expression defined in machine.config.
If you choose to define a regular expression, the provider enforces all three password constraints: minimum length, minimum number of nonalphanumeric characters, and matching the password against the configured regular expression. If you want the regular expression to be the exclusive determinant of password strength, you can set the minRequiredPasswordLength attribute to one and the minRequiredNonalphanumericCharacters to zero. Although the provider still enforces password strength with these requirements, your regular expression will expect that passwords have at least one character in them—so effectively only your regular expression will really be enforcing any kind of substantive rules.
You can see that just with the provider configuration attributes you can actually enforce a pretty robust password. However, for security-conscious organizations password strength alone isn't sufficient. The classic problem of course is with users and customers ...
Get Professional ASP.NET 3.5 Security, Membership, and Role Management with C# and VB now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.