Enforce Strong Passwords

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

Ensure that your passwords are complex enough to protect against brute force or dictionary attacks against your user credential store.

When using Username authentication with the ASP.NET membership provider, users are forced to use strong passwords by default. For example, the SqlMembershipProvider and the ActiveDirectoryMembershipProvider ensure that passwords are at least seven characters in length with at least one non-alphanumeric character. Ensure that your membership provider configuration enforces passwords of at least this strength.

To configure the precise password complexity rules enforced by your provider, you can set the following additional attributes:
  • passwordStrengthRegularExpression. The default is "".
  • minRequiredPasswordLength. The default is 7.
  • minRequiredNonalphanumericCharacters. The default is 1.

Note: The default values shown here apply to the SqlMembershipProvider and the ActiveDirectoryMembershipProvider. The ActiveDirectoryMembershipProvider also verifies passwords against the default domain password policy.
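
The following Web.config fragment is an added example, not part of the original guidance. It shows where the three attributes sit on a SqlMembershipProvider entry. The provider name, connection string, and the stricter-than-default values (length 10, two non-alphanumeric characters, and the regular expression) are assumptions chosen for illustration.

```xml
<configuration>
  <connectionStrings>
    <!-- Assumed connection string name and database; replace with your own. -->
    <add name="MembershipDb"
         connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <!-- defaultProvider must name the entry below; otherwise the provider
         inherited from machine.config, with its default rules, stays in use. -->
    <membership defaultProvider="StrictSqlProvider">
      <providers>
        <!-- Drop inherited providers so only the explicit policy applies. -->
        <clear />
        <!-- Assumed policy: at least 10 characters, at least 2 non-alphanumeric
             characters, plus a digit, a lowercase and an uppercase letter
             required by the regular expression. -->
        <add name="StrictSqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/"
             minRequiredPasswordLength="10"
             minRequiredNonalphanumericCharacters="2"
             passwordStrengthRegularExpression="^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).*$" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

The provider applies all three checks when a password is created or changed, so the regular expression adds to the length and non-alphanumeric minimums rather than replacing them.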

Last edited Jun 12, 2008 at 8:48 PM by prashantbansode, version 1

