Enforce strong passwords
Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen
Ensure that your passwords are complex enough to prevent brute force or dictionary attacks against your user credential store.
When using Username and Password authentication with the ASP.NET membership provider, users are forced to use strong passwords by default. For example, the SqlMembershipProvider and the ActiveDirectoryMembershipProvider ensure that passwords are at least seven characters in length with at least one non-alphanumeric character. Ensure that your membership provider configuration enforces passwords of at least this strength.
To configure the precise password complexity rules enforced by your provider, you can set the following additional attributes:
- passwordStrengthRegularExpression. The default is "".
- minRequiredPasswordLength. The default is 7.
- minRequiredNonalphanumericCharacters. The default is 1.
The default values shown here apply to the SqlMembershipProvider and the ActiveDirectoryMembershipProvider. The ActiveDirectoryMembershipProvider also verifies passwords against the default domain password policy.
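The following web.config fragment is an added example, not part of the original guidance. It sets all three attributes above the defaults on a SqlMembershipProvider. The provider name, connection string name, application name, and the specific length and pattern are assumptions chosen for illustration.

```xml
<configuration>
  <system.web>
    <membership defaultProvider="StrongSqlProvider">
      <providers>
        <!-- Drop inherited provider definitions so only the one below applies. -->
        <clear />
        <!--
          Settings to flag in a configuration review, because they fall
          below the provider defaults described above:
            minRequiredPasswordLength="4"
            minRequiredNonalphanumericCharacters="0"
        -->
        <!--
          Hardened definition (names and values are illustrative assumptions).
          A password must pass all three checks: minimum length, minimum count
          of non-alphanumeric characters, and the regular expression.
          The pattern is anchored with ^ and $ so the whole password is tested,
          and requires a digit, a lowercase letter and an uppercase letter.
        -->
        <add name="StrongSqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/ExampleApp"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             passwordStrengthRegularExpression="^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{12,}$" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Keep the length in the regular expression consistent with minRequiredPasswordLength, otherwise the stricter of the two silently becomes the effective rule.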