Security!

Vai2000

Hi All, I have a web app which uses forms authentication. I have strict
requirements for password policies which are very similar to the Windows
password policy. So I thought of invoking the same DLL which is used in
Windows OS for enforcing strong password requirements. Is there a way I can
do it?
Not allowed to use LDAP/Windows Authentication etc...

TIA
 
Hi,

Using a regular expression with a pattern that validates a strong password might be more appropriate.

(?!^[0-9]*$)(?!^[a-zA-Z]*$)^([a-zA-Z0-9]{8,10})$

"Validates a strong password. It must be between 8 and 10 characters, contain at least one digit and one alphabetic character, and
must not contain special characters."

I got that regex from the following link on MSDN, which explains the basics of using a RegularExpressionValidator control:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000001.asp

Someone else wrote their own regex:
http://forums.asp.net/thread/1219361.aspx

They are using the Membership Provider in ASP.NET 2.0 and setting the PasswordStrengthRegularExpression property in their web.config
file, so their example is HTML encoded.

HTH
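The regex above is easy to wire into a RegularExpressionValidator, but that control is a usability aid: a request that skips the page, or a client with script disabled, never runs it unless the server checks Page.IsValid. The block below is an added C# example, not code from the thread or from the MSDN article. It compares the quoted pattern with one that also accepts symbols (Paul's point later in the thread), and hooks the server-side check into the ASP.NET 2.0 Membership pipeline through the Membership.ValidatingPassword event, which SqlMembershipProvider raises on CreateUser and ChangePassword. The second pattern and its 8 to 64 character bounds are assumed policy values; compile with a reference to System.Web.dll.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web.Security;

// Added example (not from the thread): the MSDN pattern beside a pattern
// that allows symbols, plus a server-side hook for the Membership provider.
public static class PasswordRules
{
    // Pattern quoted in the thread: 8-10 alphanumerics, at least one digit
    // and one letter, symbols rejected outright.
    public const string MsdnPattern =
        @"(?!^[0-9]*$)(?!^[a-zA-Z]*$)^([a-zA-Z0-9]{8,10})$";

    // Same "mixed character classes" idea, but any printable ASCII is
    // accepted and the length cap is raised; 8-10 alphanumerics is a small
    // keyspace. \z (not $) so a trailing newline cannot slip past the check.
    // Length bounds are assumed policy values, not from the thread.
    public const string MixedPattern =
        @"^(?=.*[0-9])(?=.*[a-zA-Z])[\x21-\x7E]{8,64}\z";

    static readonly Regex Msdn  = new Regex(MsdnPattern,  RegexOptions.Compiled);
    static readonly Regex Mixed = new Regex(MixedPattern, RegexOptions.Compiled);

    public static bool MatchesMsdn(string password)  { return Msdn.IsMatch(password); }
    public static bool MatchesMixed(string password) { return Mixed.IsMatch(password); }

    // Call once from Application_Start in Global.asax. The provider raises
    // this event before storing a new password, so the rule holds even when
    // the page-level validator was bypassed.
    public static void Attach()
    {
        Membership.ValidatingPassword += delegate(object sender, ValidatePasswordEventArgs e)
        {
            if (!Mixed.IsMatch(e.Password))
            {
                e.Cancel = true;
                e.FailureInformation = new MembershipPasswordException(
                    "Password must be 8 to 64 characters and contain at least one letter and one digit.");
            }
        };
    }

    // Constructed sample inputs, so the two patterns can be compared offline.
    public static void Main()
    {
        string[] samples = { "abc12345", "Tr0ub4dor&3", "12345678", "abcdefgh", "abc12345678901" };
        foreach (string s in samples)
            Console.WriteLine("{0,-16} msdn={1,-5} mixed={2}", s, MatchesMsdn(s), MatchesMixed(s));
        // "Tr0ub4dor&3" is rejected by the MSDN pattern only because of the '&';
        // "abc12345678901" is rejected by it only because it is longer than 10.
    }
}
```

If you would rather keep the rule in web.config, the same expression goes into the provider's passwordStrengthRegularExpression attribute (with `&` written as `&amp;`, which is why the forum example linked above looks HTML encoded); the provider then rejects non-matching passwords before ValidatingPassword fires.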
 
How about all the other misc stuff..

1. Password should be changed after 90 days
2. user prohibited from only changing/adding 1 character to their previous
passwords
3. Password reuse must be prohibited by not allowing the last 10 passwords to
be reused with a min. password age of at least 2 days...
list just goes on......


Dave Sexton said:
Hi,

Using a regular expression with a pattern that validates a strong password might be more appropriate.

(?!^[0-9]*$)(?!^[a-zA-Z]*$)^([a-zA-Z0-9]{8,10})$

"Validates a strong password. It must be between 8 and 10 characters,
contain at least one digit and one alphabetic character, and
must not contain special characters."

I got that regex from the following link on MSDN, which explains the
basics of using a RegularExpressionValidator control:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000001.asp

Someone else wrote their own regex:
http://forums.asp.net/thread/1219361.aspx

They are using the Membership Provider in ASP.NET 2.0 and setting the
PasswordStrengthRegularExpression property in their web.config
 
Hi,

If you have such stringent requirements you would have to implement your own
provider.
In the same way you will have to store extra info in a DB, like previously
used passwords, last changed date, etc.


--
Ignacio Machin,
ignacio.machin AT dot.state.fl.us
Florida Department Of Transportation


Vai2000 said:
How about all the other misc stuff..

1. Password should be changed after 90 days
2. user prohibited from only changing/adding 1 character to their previous
passwords
3. Password reuse must be prohibited by not allowing the last 10 passwords to
be reused with a min. password age of at least 2 days...
list just goes on......


Dave Sexton said:
Hi,

Using a regular expression with a pattern that validates a strong
password might be more appropriate.

(?!^[0-9]*$)(?!^[a-zA-Z]*$)^([a-zA-Z0-9]{8,10})$

"Validates a strong password. It must be between 8 and 10 characters,
contain at least one digit and one alphabetic character, and
must not contain special characters."

I got that regex from the following link on MSDN, which explains the
basics of using a RegularExpressionValidator control:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000001.asp

Someone else wrote their own regex:
http://forums.asp.net/thread/1219361.aspx

They are using the Membership Provider in ASP.NET 2.0 and setting the
PasswordStrengthRegularExpression property in their web.config
 
Hi,

That depends on where and how you are storing the passwords. Anyway, how could the Windows API help you to enforce these rules if
you're using Forms authentication? You're going to have to enforce these, and any other business rules, in code.

--
Dave Sexton

Vai2000 said:
How about all the other misc stuff..

1. Password should be changed after 90 days
2. user prohibited from only changing/adding 1 character to their previous
passwords
3. Password reuse must be prohibited by not allowing the last 10 passwords to
be reused with a min. password age of at least 2 days...
list just goes on......


Dave Sexton said:
Hi,

Using a regular expression with a pattern that validates a strong password might be more appropriate.

(?!^[0-9]*$)(?!^[a-zA-Z]*$)^([a-zA-Z0-9]{8,10})$

"Validates a strong password. It must be between 8 and 10 characters,
contain at least one digit and one alphabetic character, and
must not contain special characters."

I got that regex from the following link on MSDN, which explains the
basics of using a RegularExpressionValidator control:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000001.asp

Someone else wrote their own regex:
http://forums.asp.net/thread/1219361.aspx

They are using the Membership Provider in ASP.NET 2.0 and setting the
PasswordStrengthRegularExpression property in their web.config
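Both Ignacio's reply (keep previous passwords and the last-changed date in your own table) and Dave's (enforce the age, history and similarity rules in code) come down to the same piece of logic. The block below is an added C# example, not code from the thread; it is the check a custom provider's ChangePassword, or a ValidatingPassword handler, would call. The 90-day maximum age, 2-day minimum age and 10-entry history are the numbers from the original list, the PBKDF2 iteration count is an assumed value, and the in-memory list stands in for the DB table Ignacio mentions. Two things worth noticing: the history holds salted hashes, never plaintext, so the "last 10 passwords" rule is checked by re-deriving the candidate against each stored salt; and the "changed only one character" rule can only be checked against the current password, because that is the one the user types into the change form in the clear. The minimum age exists so a user cannot cycle through ten throwaway passwords in a minute to get back to the old one.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example (not from the thread): password history, min/max age and
// one-character-change checks for a custom ASP.NET provider.
public sealed class PasswordRecord
{
    public readonly byte[] Salt;      // per-password random salt
    public readonly byte[] Hash;      // PBKDF2 (Rfc2898DeriveBytes) output
    public readonly DateTime SetUtc;  // when this password became current
    public PasswordRecord(byte[] salt, byte[] hash, DateTime setUtc)
    { Salt = salt; Hash = hash; SetUtc = setUtc; }
}

public static class PasswordPolicy
{
    public const int MaxAgeDays = 90;   // rule 1 from the thread
    public const int MinAgeDays = 2;    // rule 3
    public const int HistoryDepth = 10; // rule 3 (current password included)
    const int Iterations = 10000;       // assumed value; raise as hardware allows

    public static PasswordRecord Create(string password, DateTime nowUtc)
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        return new PasswordRecord(salt, Derive(password, salt), nowUtc);
    }

    static byte[] Derive(string password, byte[] salt)
    {
        return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(32);
    }

    // Fixed-time comparison: no early exit on the first differing byte.
    static bool Matches(string password, PasswordRecord r)
    {
        byte[] h = Derive(password, r.Salt);
        int diff = 0;
        for (int i = 0; i < h.Length; i++) diff |= h[i] ^ r.Hash[i];
        return diff == 0;
    }

    // history[0] is the current password, history[1..] the previous ones.
    // Returns null when the change is allowed, otherwise the reason.
    public static string CheckChange(string oldPassword, string newPassword,
                                     IList<PasswordRecord> history, DateTime nowUtc)
    {
        PasswordRecord current = history[0];
        if (!Matches(oldPassword, current))
            return "Current password is incorrect.";
        if (nowUtc - current.SetUtc < TimeSpan.FromDays(MinAgeDays))
            return "Password was changed less than " + MinAgeDays + " days ago.";
        for (int i = 0; i < Math.Min(HistoryDepth, history.Count); i++)
            if (Matches(newPassword, history[i]))
                return "Password matches one of the last " + HistoryDepth + " passwords.";
        // Rule 2: only the plaintext the user just typed can be compared here.
        if (Levenshtein(oldPassword, newPassword) <= 1)
            return "New password differs from the current one by only one character.";
        return null;
    }

    // Accept the change: new record goes to the front, oldest falls off.
    public static void Apply(string newPassword, List<PasswordRecord> history, DateTime nowUtc)
    {
        history.Insert(0, Create(newPassword, nowUtc));
        while (history.Count > HistoryDepth) history.RemoveAt(history.Count - 1);
    }

    public static bool IsExpired(PasswordRecord current, DateTime nowUtc)
    {
        return nowUtc - current.SetUtc >= TimeSpan.FromDays(MaxAgeDays);
    }

    // Edit distance: one substitution, insertion or deletion scores 1.
    static int Levenshtein(string a, string b)
    {
        int[,] d = new int[a.Length + 1, b.Length + 1];
        for (int i = 0; i <= a.Length; i++) d[i, 0] = i;
        for (int j = 0; j <= b.Length; j++) d[0, j] = j;
        for (int i = 1; i <= a.Length; i++)
            for (int j = 1; j <= b.Length; j++)
            {
                int cost = a[i - 1] == b[j - 1] ? 0 : 1;
                d[i, j] = Math.Min(Math.Min(d[i - 1, j] + 1, d[i, j - 1] + 1), d[i - 1, j - 1] + cost);
            }
        return d[a.Length, b.Length];
    }

    // Constructed walk-through of each rule against one user's history.
    public static void Main()
    {
        DateTime t0 = new DateTime(2006, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        List<PasswordRecord> history = new List<PasswordRecord>();
        Apply("Winter2005!", history, t0);
        Console.WriteLine(CheckChange("Winter2005!", "Summer2006!", history, t0.AddDays(1)));  // min age
        Console.WriteLine(CheckChange("Winter2005!", "Winter2005!", history, t0.AddDays(3)));  // reuse
        Console.WriteLine(CheckChange("Winter2005!", "Winter2006!", history, t0.AddDays(3)));  // one char
        Console.WriteLine(CheckChange("Winter2005!", "correct horse 7 staple", history, t0.AddDays(3)) ?? "OK");
        Console.WriteLine(IsExpired(history[0], t0.AddDays(91)));                              // True
    }
}
```

A custom MembershipProvider would call CheckChange from its ChangePassword override and Apply once the new hash is written; the expiry check belongs in the login path, redirecting to the change page when IsExpired is true.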
 
Dave said:
(?!^[0-9]*$)(?!^[a-zA-Z]*$)^([a-zA-Z0-9]{8,10})$
"Validates a strong password. It must be between 8 and 10
characters,
contain at least one digit and one alphabetic character, and must
not
contain special characters."

Surely a password with symbols in it is (all else being equal)
stronger than one that's purely alphanumeric?

Eq.
 
Agreed.

--
Dave Sexton

Paul E Collins said:
Dave said:
(?!^[0-9]*$)(?!^[a-zA-Z]*$)^([a-zA-Z0-9]{8,10})$
"Validates a strong password. It must be between 8 and 10 characters,
contain at least one digit and one alphabetic character, and must not
contain special characters."

Surely a password with symbols in it is (all else being equal) stronger than one that's purely alphanumeric?

Eq.
 
