Derek Hatchard blogs on
Church Radius Blog



© Copyright 2008, Ardent Development




 Tuesday, March 21, 2006

   
     
Membership in the .NET framework 2.0 allows you to add security to your application with little to no code.

When trying to enforce strong password rules in our church software I encountered an interesting problem.

At first I modified the web.config by adding the following line to our membership provider section.

passwordStrengthRegularExpression="(?=.{8,})[a-z]+[^a-z]+|[^a-z]+[a-z]+"

RegEx explained: 8 characters or more in length, at least 1 lowercase letter, at least 1 character that is not a lowercase letter.

I removed:

minRequiredPasswordLength="0"
minRequiredNonalphanumericCharacters="1"

After some testing I found that even when following the password rules, a password change would fail.

The ChangePassword control, which is part of the Login suite of controls, doesn’t give you any information as to why the password change failed.

After a few reviews of my RegEx and confirming that the syntax is correct in code and with some useful online regular expression testers (see links below), I tried changing the password using the following code:

MembershipUser mUser = Membership.GetUser(); // gets the currently logged-in user
// change the password
mUser.ChangePassword(mUser.GetPassword(), "invalidpassword");

That caused the following exception: System.ArgumentException: Non alpha numeric characters in 'newPassword' needs to be greater than or equal to '1'.

So I added this line:

minRequiredNonalphanumericCharacters="0"

And our password complexity rule started working properly.

I won’t start a debate on the merit of setting the minimum required non alphanumeric characters (say that ten times) to 1, but hopefully this will help someone somewhere some time.

Links:

JavaScript Regular Expression Tester
http://www.roblocher.com/technotes/regexp.aspx

.NET Regular Expression Tester
http://www.dotnetcoders.com/web/Learning/Regex/RegexTester.aspx
Posted by Sebastien Aube 3/21/2006 4:28:48 PM (Atlantic Standard Time, UTC-04:00)
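
An added example (not code from the original post or from Church Radius) that models the three membership settings being applied together, to show why removing the two attributes left the default of one non-alphanumeric character in force. It goes a step beyond the post by also running the regex on its own: because `|` binds more loosely than the lookahead, the length check covers only the first alternative. `Check`, `AnchoredPattern` and the sample passwords are constructed for illustration, and the model assumes the provider tests the pattern with an unanchored `Regex.IsMatch`.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

static class PasswordPolicyDemo
{
    // Pattern exactly as it appears in the post.
    const string PostPattern = "(?=.{8,})[a-z]+[^a-z]+|[^a-z]+[a-z]+";

    // Hypothetical tightened form: anchored, with each requirement as its own lookahead.
    const string AnchoredPattern = "^(?=.{8,})(?=.*[a-z])(?=.*[^a-z]).*$";

    // Model of the provider's checks (an assumption, not the framework's source):
    // all three settings apply together, and the first one that fails rejects the password.
    static string Check(string pw, int minLength, int minNonAlnum, string pattern)
    {
        if (pw.Length < minLength)
            return "rejected by minRequiredPasswordLength";
        if (pw.Count(c => !char.IsLetterOrDigit(c)) < minNonAlnum)
            return "rejected by minRequiredNonalphanumericCharacters";
        if (pattern.Length > 0 && !Regex.IsMatch(pw, pattern))
            return "rejected by passwordStrengthRegularExpression";
        return "accepted";
    }

    static void Main()
    {
        // Constructed sample passwords.
        string[] samples = { "churchpass1", "church-pass1", "abcdefgh", "1a" };

        foreach (string pw in samples)
        {
            Console.WriteLine(pw);
            // Attributes removed from web.config: the framework defaults (7 and 1) still apply.
            Console.WriteLine("  defaults, post regex  : " + Check(pw, 7, 1, PostPattern));
            // Both minimums set to 0, so the regex alone decides.
            Console.WriteLine("  zeros, post regex     : " + Check(pw, 0, 0, PostPattern));
            Console.WriteLine("  zeros, anchored regex : " + Check(pw, 0, 0, AnchoredPattern));
        }
    }
}
```

With both minimums at 0, the two-character sample `1a` is accepted by the post's pattern through its second alternative and rejected by the anchored one, so a regex-only policy needs the length lookahead to cover every branch.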
3/22/2006 11:54:49 AM (Atlantic Standard Time, UTC-04:00)
Is your product coded in C# then I assume? Or VB.NET?
Mike Dawson
3/22/2006 12:12:01 PM (Atlantic Standard Time, UTC-04:00)
Our language of choice for churchradius.com is C# (.NET 2005) as well as a SQL SERVER 2005 database.
3/22/2006 12:13:02 PM (Atlantic Standard Time, UTC-04:00)
Well, the core app is in C#. Some supporting apps and the public web site (http://www.churchradius.com/) use Visual Basic.
3/22/2006 12:30:18 PM (Atlantic Standard Time, UTC-04:00)
Thanks for the info. If you don't mind me asking, what was your reasoning for choosing C# for the "core"? I noticed you guys authored a VB book so I was expecting it to be written in VB to be honest, that's all.
Mike Dawson
3/22/2006 12:40:14 PM (Atlantic Standard Time, UTC-04:00)
Our team had just come off an 18-month C# project for a client so it was natural to keep on truckin' in C#. There were no technical or "religious" reasons. I love VB. In many ways it is a better language than C# (before the flames start: C# has its own set of merits over VB as well). We like to mix it up - some C# here, some VB there. IMO, the real technical decision is in deciding to use ASP.NET 2.0, not whether to code in C# or VB.
3/22/2006 1:18:03 PM (Atlantic Standard Time, UTC-04:00)
Sounds reasonable. I use C# a little here and there when I can or need to, but VB is still my preference. But once you get used to the "other" language whether it be VB or C#, it becomes natural feeling and switching back feels cumbersome at first. So, I can see why after 18-months of C# you kept with it.

I was just curious if the choice of language for the "core" had to do with external market (customer) perceptions of C# being more "professional". An unwarranted perception in my opinion, but nonetheless one that sometimes seems to exist unfortunately.
Mike Dawson
3/23/2006 5:38:53 PM (Atlantic Standard Time, UTC-04:00)
I am of the belief that if a value can be 0 or more, the default should be 0 if not specified; using 1 as the default seems like it is holding our hands a little too much.

As for C# vs VB, I prefer C# 'cause I come from the C/Java world. Inline anonymous methods are the thing I miss the most when working in VB; without them I find myself getting irritated doing Generic List sorts and finds. I also hate Date being a keyword in VB 'cause I like to use it as a variable name for a DateTime on certain objects when matching them to my DB schema, which uses Date. Of course, dynamically resizing arrays in VB can be nice when it is really needed.

Just threw an error trying to send this 'cause I was using a C# style generic list declaration, which I guess it thinks might be an HTML tag.
© 2005 Ardent Development Solutions