Password Policy in ASP.NET Profile (Membership)

Question

In change password page, we have this code, So if we want to change Password Policy into "StrongPolicy", have we a way or is it by default?

Also can we change it to weak policy ?

I read MSDN but couldn't find it.

Membership mu ; 
mu=Membership.GetUser(txtUserName.Text); 

mu.UnlockUser();
var newPass= mu.ResetPassword();
mu.ChangePassword(newPass,TxtPassword.Text);

Answer 1

By default the memebership provider in .net restricts you to have password of length 7(atleast) and of which one character must be alpha-numeric.

Although there many ways by which you can change that. You can check Changing password policy setting in membership provider.

Using minimum length and non-alphanumeric character

<membership ...>
  <providers>
    <add minRequiredPasswordLength=10 minRequiredNonalphanumericCharacters=2 .../>
  </providers>
 </membership>

Using regular expression

<membership ...>
  <providers>
    <add passwordStrengthRegularExpression= 
                    "^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$" .../>
  </providers>
 </membership>

The above code is from the same site.

Answer 2

If you are using MVC 5 (possibly MVC4, havent checked).

Theres a nice easy way of changing this without changing the config. In your solution explorer, go to

'App_Start' > IdentityConfig

Here you will see a passwordvalidator, changing these settings will allow you to alter the complexity of passwords required for your site:

manager.PasswordValidator = new PasswordValidator { RequiredLength = 6, RequireNonLetterOrDigit = true, RequireDigit = true, RequireLowercase = true, RequireUppercase = true, };

Answer 3

By default ASP.NET Membership enforces strong passwords. If you want to make it weaker, by changing the configuration settings in Web.config

<membership>
    <providers>
      <add passwordStrengthRegularExpression= "" .../>
      <add minRequiredPasswordLength=... minRequiredNonalphanumericCharacters=2 .../>
    </providers>  
</membership>

MSDN

By default, the ASP.NET membership providers enforce strong passwords. For example, the SqlMembershipProvider and the ActiveDirectoryMembership providers ensure that passwords are at least seven characters in length with at least one non-alphanumeric character. Ensure that your membership provider configuration enforces passwords of at least this strength. To configure the precise password complexity rules enforced by your provider, you can set the following additional attributes:

More information : http://msdn.microsoft.com/en-us/library/ff649487.aspx