How can you test if an ASP.NET membership password will meet configured complexity requirements?
T

6

20

I have an ASP.NET page which allows an administrator to change the password for a user. Since the administrator does not know the user's password, I am using the following:

    MembershipUser member = Membership.GetUser(_usernameTextBox.Text);
    member.ChangePassword(member.ResetPassword(), _passNewTextBox.Text);

-- as described by this SO question.

If the new password does not meet the complexity requirements which are configured in the web.config file, then the password will have been reset, but not changed to the desired one. If the new password does not meet complexity requirements, then the password should not change at all.

Is there an easy way to test the new password against the complexity requirements?

Trovillion answered 17/12, 2008 at 18:23 Comment(0)
M
18

You can use the following properties to test the password against:

Note that the PasswordStrengthRegularExpression property will be an empty string if you have not configured it in the web.config file.

For info on regular expression matching, see the MSDN reference on Regex.IsMatch(String)

*Thanks to Matt for the helpful comments.

Molina answered 17/12, 2008 at 18:28 Comment(1)
It looks like Membership.PasswordStrengthRegularExpression is "" if it is not configured in web.config. MinRequiredPasswordLength and MinRequiredNonAlphanumericCharacters may still be configured. – Trovillion
A
19
    using System.Text.RegularExpressions;
    using System.Web.Security;

    // Both methods belong inside a class of your choice.

    /// <summary>
    /// Checks password complexity requirements for the actual membership provider
    /// </summary>
    /// <param name="password">password to check</param>
    /// <returns>true if the password meets the req. complexity</returns>
    public static bool CheckPasswordComplexity(string password)
    {
        return CheckPasswordComplexity(Membership.Provider, password);
    }

    /// <summary>
    /// Checks password complexity requirements for the given membership provider
    /// </summary>
    /// <param name="membershipProvider">membership provider</param>
    /// <param name="password">password to check</param>
    /// <returns>true if the password meets the req. complexity</returns>
    public static bool CheckPasswordComplexity(MembershipProvider membershipProvider, string password)
    {
        // Reject null/empty input and anything shorter than the configured minimum.
        if (string.IsNullOrEmpty(password)) return false;
        if (password.Length < membershipProvider.MinRequiredPasswordLength) return false;

        // Count characters that are neither letters nor digits.
        int nonAlnumCount = 0;
        for (int i = 0; i < password.Length; i++)
        {
            if (!char.IsLetterOrDigit(password, i)) nonAlnumCount++;
        }
        if (nonAlnumCount < membershipProvider.MinRequiredNonAlphanumericCharacters) return false;

        // The regular expression is an empty string when it is not configured.
        if (!string.IsNullOrEmpty(membershipProvider.PasswordStrengthRegularExpression) &&
            !Regex.IsMatch(password, membershipProvider.PasswordStrengthRegularExpression))
        {
            return false;
        }
        return true;
    }
Alejandrinaalejandro answered 17/12, 2008 at 18:23 Comment(3)
Why not make it a MembershipProvider extension method and use it like Membership.CheckPasswordComplexity(...)? – Cookie
@PhilDulac, because Membership refers to a different type of System.Web.Security.Membership, a static class which you can't add extension methods to. – Supercharger
@Supercharger I made a typo, I meant to add an extension method to MembershipProvider. Usage would have been Membership.Provider.CheckPasswordComplexity(...) – Cookie
D
3

I don't have access to the wiki.

One line should be adjusted to fix a small bug.

modify if (nonAlnumCount < Membership.MinRequiredNonAlphanumericCharacters) as follows if (nonAlnumCount < membershipProvider.MinRequiredNonAlphanumericCharacters)

Dahle answered 8/1, 2010 at 22:2 Comment(0)
C
3

Based on Bamba's solution, I decided to make an extension method on the membership provider (and reduced the code):

    using System.Linq;                      // Count()
    using System.Text.RegularExpressions;   // Regex
    using System.Web.Security;              // MembershipProvider

    // Extension methods must be declared inside a static class.
    public static bool IsPasswordValid(this MembershipProvider membershipProvider, string password)
    {
        return (!string.IsNullOrEmpty(password) && // Password is not empty or null AND
            password.Length >= membershipProvider.MinRequiredPasswordLength && // Meets required length AND
            password.Count(c => !char.IsLetterOrDigit(c)) >= membershipProvider.MinRequiredNonAlphanumericCharacters && // Contains enough non-alphanumeric characters AND
            (string.IsNullOrEmpty(membershipProvider.PasswordStrengthRegularExpression) || // Either there is no RegEx requirement OR
                Regex.IsMatch(password, membershipProvider.PasswordStrengthRegularExpression))); // It matches the RegEx
    }

To use it, you only have to call Membership.Provider.IsPasswordValid(...) wherever needed.

Cookie answered 2/10, 2013 at 16:59 Comment(0)
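
Added example (not code from any answer on this page): the administrator flow from the question with the provider's checks run before `ResetPassword()`, so a rejected password leaves the account untouched. The class and method names are hypothetical, and it assumes a provider that allows reset without a security answer.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;
using System.Web.Security;

public static class AdminPasswordReset   // hypothetical helper class
{
    // Returns null on success, otherwise the reason the password was not set.
    public static string TrySetPassword(MembershipProvider provider,
                                        string username, string newPassword)
    {
        // 1. Validate against the provider's configured rules BEFORE touching the account.
        if (string.IsNullOrEmpty(newPassword) ||
            newPassword.Length < provider.MinRequiredPasswordLength)
            return "Rejected: shorter than MinRequiredPasswordLength.";

        if (newPassword.Count(c => !char.IsLetterOrDigit(c)) <
            provider.MinRequiredNonAlphanumericCharacters)
            return "Rejected: too few non-alphanumeric characters.";

        string pattern = provider.PasswordStrengthRegularExpression;
        if (!string.IsNullOrEmpty(pattern) && !Regex.IsMatch(newPassword, pattern))
            return "Rejected: does not match PasswordStrengthRegularExpression.";

        // 2. ResetPassword() without an answer needs these provider settings.
        if (!provider.EnablePasswordReset || provider.RequiresQuestionAndAnswer)
            return "Rejected: provider does not allow reset without an answer.";

        MembershipUser member = provider.GetUser(username, false);
        if (member == null) return "Rejected: unknown user.";

        // 3. Only now reset and change. From here on the old password is gone.
        string temporary = member.ResetPassword();
        try
        {
            if (member.ChangePassword(temporary, newPassword)) return null;
        }
        catch (ArgumentException)
        {
            // Assumption: the provider signals a late rejection (for example
            // from a ValidatingPassword handler) with ArgumentException.
        }
        return "Account now holds a temporary password; new password was not applied.";
    }
}
```

The last return value is worth surfacing to the administrator, because a custom `ValidatingPassword` handler can enforce rules that the three configured properties do not describe.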
D
0

You can use a Regular Expression Validator to check if the password meets the complexity requirements.

Also you can use a Password Strength Meter control.

Dominations answered 17/12, 2008 at 18:26 Comment(0)
H
0

It may not be the easiest way, but use a regular expression validator on the page and make it match the password requirements. That way you don't even have to post back if the password isn't good.

Harbor answered 17/12, 2008 at 18:27 Comment(1)
If you decide to use this approach, make sure to get the password complexity RegEx on the server side from the provider so you don't have to define it at 2 different places. Only thing is you won't be able to validate everything the membership provider defines with only one validator. – Cookie
