How can you test if an ASP.NET membership password will meet configured complexity requirements?

StackOverflow https://stackoverflow.com/questions/375524

  •  22-08-2019

Question

I have an ASP.NET page which allows an administrator to change the password for a user. Since the administrator does not know the user's password, I am using the following:

MembershipUser member = Membership.GetUser(_usernameTextBox.Text);
member.ChangePassword(member.ResetPassword(), _passNewTextBox.Text);

-- as described by this SO question.

If the new password does not meet the complexity requirements which are configured in the web.config file, then the password will have been reset, but not changed to the desired one. If the new password does not meet complexity requirements, then the password should not change at all.

Is there an easy way to test the new password against the complexity requirements?

Solution

You can use the following properties to test the password against:

Note that the PasswordStrengthRegularExpression property will be an empty string if you have not configured it in the web.config file.

For info on regular expression matching, see the MSDN reference on Regex.IsMatch(String).

*Thanks to Matt for the helpful comments.

OTHER TIPS

// Requires: using System.Text.RegularExpressions; using System.Web.Security;

/// <summary>
/// Checks password complexity requirements for the actual membership provider
/// </summary>
/// <param name="password">password to check</param>
/// <returns>true if the password meets the req. complexity</returns>
static public bool CheckPasswordComplexity(string password)
{
    return CheckPasswordComplexity(Membership.Provider, password);
}


/// <summary>
/// Checks password complexity requirements for the given membership provider
/// </summary>
/// <param name="membershipProvider">membership provider</param>
/// <param name="password">password to check</param>
/// <returns>true if the password meets the req. complexity</returns>
static public bool CheckPasswordComplexity(MembershipProvider membershipProvider, string password)
{
    if (string.IsNullOrEmpty(password)) return false;
    if (password.Length < membershipProvider.MinRequiredPasswordLength) return false;
    int nonAlnumCount = 0;
    for (int i = 0; i < password.Length; i++)
    {
        if (!char.IsLetterOrDigit(password, i)) nonAlnumCount++;
    }
    if (nonAlnumCount < membershipProvider.MinRequiredNonAlphanumericCharacters) return false;
    if (!string.IsNullOrEmpty(membershipProvider.PasswordStrengthRegularExpression) &&
        !Regex.IsMatch(password, membershipProvider.PasswordStrengthRegularExpression))
    {
        return false;
    }
    return true;
}

I don't have access to the wiki.

One line should be adjusted to fix a small bug.

Modify if (nonAlnumCount < Membership.MinRequiredNonAlphanumericCharacters) as follows: if (nonAlnumCount < membershipProvider.MinRequiredNonAlphanumericCharacters)

Based on Bamba's solution, I decided to make an extension method on the membership provider (and reduced the code):

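    // Requires: using System.Linq; using System.Text.RegularExpressions; using System.Web.Security;
    // Extension methods must be declared inside a static class.
    public static bool IsPasswordValid(this MembershipProvider membershipProvider, string password)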
    {
        return (!string.IsNullOrEmpty(password) && // Password is not empty or null AND
            password.Length >= membershipProvider.MinRequiredPasswordLength && // Meets required length AND
            password.Count(c => !char.IsLetterOrDigit(c)) >= membershipProvider.MinRequiredNonAlphanumericCharacters && // Contains enough non-alphanumeric characters AND
            (string.IsNullOrEmpty(membershipProvider.PasswordStrengthRegularExpression) || // Either there is no RegEx requirement OR
                Regex.IsMatch(password, membershipProvider.PasswordStrengthRegularExpression))); // It matches the RegEx
    }

To use it, you only have to call Membership.Provider.IsPasswordValid(...) wherever needed.
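
The flow the question asks for, as an added example that is not part of the original answers: the candidate password is checked first, and ResetPassword() is called only if it passes, so a rejected password leaves the account untouched. The names AdminPasswordChange, MeetsPolicy and TrySetPassword are hypothetical, and the code assumes the System.Web.Security membership API used throughout this page.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;
using System.Web.Security;

public static class AdminPasswordChange // hypothetical helper, not from the original page
{
    // Same three checks as the answers above: length, non-alphanumeric count, optional regex.
    public static bool MeetsPolicy(MembershipProvider provider, string password)
    {
        if (string.IsNullOrEmpty(password)) return false;
        if (password.Length < provider.MinRequiredPasswordLength) return false;
        int nonAlnum = password.Count(c => !char.IsLetterOrDigit(c));
        if (nonAlnum < provider.MinRequiredNonAlphanumericCharacters) return false;
        string pattern = provider.PasswordStrengthRegularExpression;
        return string.IsNullOrEmpty(pattern) || Regex.IsMatch(password, pattern);
    }

    // Returns null on success, otherwise a message for the administrator.
    public static string TrySetPassword(string username, string newPassword)
    {
        MembershipProvider provider = Membership.Provider;

        // Validate BEFORE resetting: if this fails, the user's current password is unchanged.
        if (!MeetsPolicy(provider, newPassword))
            return "New password does not meet the configured complexity requirements.";

        // ResetPassword() with no answer needs reset enabled and no question/answer requirement.
        if (!provider.EnablePasswordReset || provider.RequiresQuestionAndAnswer)
            return "Provider configuration does not allow this kind of reset.";

        MembershipUser member = Membership.GetUser(username);
        if (member == null) return "Unknown user.";

        string temporary = member.ResetPassword(); // never display or log this value
        try
        {
            if (member.ChangePassword(temporary, newPassword)) return null;
        }
        catch (ArgumentException)
        {
            // Some providers throw instead of returning false when they reject a password.
        }
        // A ValidatingPassword handler or custom provider rule can still reject the password here.
        return "Password was reset but could not be changed; the account needs a new reset.";
    }
}
```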

You can use a Regular Expression Validator to check if the password meets the complexity requirements.

Also, you can use a Password Strength Meter control.

It may not be the easiest way, but use a regular expression validator on the page and make it match the password requirements. That way you don't even have to post back if the password isn't good.

Licensed under: CC-BY-SA with attribution