Security requirements for account login credentials vary between .NET projects. Some projects have specific requirements for the minimum password length, the password strength, and the format in which the password is stored in the database. These requirements can easily be changed in web.config, in the membership > providers area.
The Default Password Setting
By default, the password requirements are a minimum length of 7 characters and at least 1 non-alphanumeric character, with the password stored in hashed format.
How to change password requirements
Open the web.config file of your .NET project and locate the <system.web> element. Right after the opening <system.web> tag, put this code:
Before adding it, make sure that the above code is not already present in your web.config.
Customizing the code
Depending on the security requirements of your application, customize the above code as follows:
connectionStringName=”string” The name of the entry in the <connectionStrings> section that holds the provider’s connection string
maxInvalidPasswordAttempts=”int” The number of failed password attempts, or failed password answer attempts, that are allowed before the user’s account is locked out
passwordAttemptWindow=”int” The time window (in minutes) during which failed password attempts and failed password answer attempts are tracked
enablePasswordRetrieval=”[true|false]” Indicates whether the login system allows users to retrieve their existing account passwords (through a forgot-password module). If enablePasswordRetrieval is set to false, users cannot receive their password from the database.
If you set enablePasswordRetrieval to true, you must set passwordFormat to Encrypted or Clear. If passwordFormat is set to Hashed, a user cannot retrieve his or her existing password from the database: the Hashed format is one-way, passwords are hashed with a randomly generated salt value and compared against the values stored in the database for authentication, and hashed values cannot be unencoded to recover the original password.
enablePasswordReset=”[true|false]” Whether the provider supports password resets
requiresQuestionAndAnswer=”[true|false]” Whether the provider requires a password question and answer
minRequiredPasswordLength=”int” The minimum password length
minRequiredNonalphanumericCharacters=”int” The minimum number of non-alphanumeric characters
applicationName=”string” Optional string to identify the application; defaults to the application’s metabase path
requiresUniqueEmail=”[true|false]” Whether the provider requires a unique email address for each user
passwordFormat=”[Clear|Hashed|Encrypted]” Storage format for the password: Hashed (SHA1), Clear or Encrypted (Triple-DES). Hashing is one-way, so hashed passwords cannot be recovered. Encrypted passwords are stored in encrypted form but are recoverable.
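As an added example (not code from the original post), here is a complete membership section that defines a deliberately weak provider next to a hardened one and makes the hardened one the default; the provider names, the connection string name AppMembershipDb and the use of SqlMembershipProvider are assumptions.

```xml
<!-- Added example, not from the original post. The names AppMembershipDb,
     WeakSqlProvider and HardenedSqlProvider are assumed placeholders. -->
<configuration>
  <connectionStrings>
    <add name="AppMembershipDb"
         connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- defaultProvider selects which <add> entry the login controls use -->
    <membership defaultProvider="HardenedSqlProvider">
      <providers>
        <clear />
        <!-- Weak settings, kept only for contrast: recoverable plaintext storage,
             short passwords, and a lockout threshold that never triggers -->
        <add name="WeakSqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AppMembershipDb"
             passwordFormat="Clear"
             enablePasswordRetrieval="true"
             requiresQuestionAndAnswer="false"
             minRequiredPasswordLength="4"
             minRequiredNonalphanumericCharacters="0"
             maxInvalidPasswordAttempts="100"
             passwordAttemptWindow="1" />
        <!-- Hardened settings: one-way salted hashing, no retrieval of stored
             passwords, reset via question and answer, and a 5-attempt lockout
             counted over a 10-minute window -->
        <add name="HardenedSqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AppMembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Because the hardened provider sets enablePasswordRetrieval to false, forgotten passwords are handled through enablePasswordReset, which works with the Hashed format.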