Enforce strong passwords

J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen.

Ensure that your passwords are complex enough to prevent brute force or dictionary attacks against your user credential store.
When using Username and Password authentication with the ASP.NET membership provider, users are forced to use strong passwords by default. For example, the SqlMembershipProvider and the ActiveDirectoryMembershipProvider ensure that passwords are at least seven characters in length with at least one non-alphanumeric character. Ensure that your membership provider configuration enforces passwords of at least this strength.

To configure the precise password complexity rules enforced by your provider, you can set the following additional attributes:
  • passwordStrengthRegularExpression. The default is "".
  • minRequiredPasswordLength. The default is 7.
  • minRequiredNonalphanumericCharacters. The default is 1.
Note: The default values shown here apply to the SqlMembershipProvider and the ActiveDirectoryMembershipProvider. The ActiveDirectoryMembershipProvider also verifies passwords against the default domain password policy.
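The following web.config fragment is an added example (not part of the original guidance) showing how the three attributes above are set on a SqlMembershipProvider registration; the provider name "StrongPasswordSqlProvider", the connection string name "MembershipDb", the 10-character minimum and the regular expression are assumptions chosen for illustration. The provider applies all three rules together: a new password must meet the minimum length, contain the required number of non-alphanumeric characters, and match the regular expression.

```xml
<!-- web.config: SqlMembershipProvider with explicit password-strength rules.
     Assumed names: provider "StrongPasswordSqlProvider", connection string "MembershipDb". -->
<configuration>
  <connectionStrings>
    <add name="MembershipDb"
         connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="StrongPasswordSqlProvider">
      <providers>
        <!-- Remove the provider inherited from machine.config so only this one is active. -->
        <clear />
        <add name="StrongPasswordSqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="10"
             minRequiredNonalphanumericCharacters="1"
             passwordStrengthRegularExpression="^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[^\da-zA-Z]).{10,}$"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

The regular expression requires at least one digit, one lowercase letter, one uppercase letter and one non-alphanumeric character; raising minRequiredPasswordLength above the default 7 is the only change needed if the default complexity rules are otherwise acceptable.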

