How to you test if an ASP.NET membership password will meet configured complexity requirements

asp.netmembershipSecurity

I have a ASP.NET page which allows an administrator to change the password for a user. Since the administrator does not know the user's password, I am using the following:

MembershipUser member = Membership.GetUser(_usernameTextBox.Text);
member.ChangePassword(member.ResetPassword(), _passNewTextBox.Text);

— as described by this SO question.

If the new password does not meet the complexity requirements which are configured in the web.config file, then the password will have been reset, but not changed to the desired one. If the new password does not meet complexity requirements, then the password should not change at all.

Is there an easy way to test the new password against the complexity requirements?

Best Answer

/// <summary>
/// Checks password complexity requirements for the actual membership provider
/// </summary>
/// <param name="password">password to check</param>
/// <returns>true if the password meets the req. complexity</returns>
static public bool CheckPasswordComplexity(string password)
{
    return CheckPasswordComplexity(Membership.Provider, password);
}


/// <summary>
/// Checks password complexity requirements for the given membership provider
/// </summary>
/// <param name="membershipProvider">membership provider</param>
/// <param name="password">password to check</param>
/// <returns>true if the password meets the req. complexity</returns>
static public bool CheckPasswordComplexity(MembershipProvider membershipProvider, string password)
{
    if (string.IsNullOrEmpty(password)) return false;
    if (password.Length < membershipProvider.MinRequiredPasswordLength) return false;
    int nonAlnumCount = 0;
    for (int i = 0; i < password.Length; i++)
    {
        if (!char.IsLetterOrDigit(password, i)) nonAlnumCount++;
    }
    if (nonAlnumCount < membershipProvider.MinRequiredNonAlphanumericCharacters) return false;
    if (!string.IsNullOrEmpty(membershipProvider.PasswordStrengthRegularExpression) &&
        !Regex.IsMatch(password, membershipProvider.PasswordStrengthRegularExpression))
    {
        return false;
    }
    return true;
}

For MVC v5.1 use Html.EnumDropDownListFor

@Html.EnumDropDownListFor(
    x => x.YourEnumField,
    "Select My Type", 
    new { @class = "form-control" })

For MVC v5 use EnumHelper

@Html.DropDownList("MyType", 
   EnumHelper.GetSelectList(typeof(MyType)) , 
   "Select My Type", 
   new { @class = "form-control" })

For MVC 5 and lower

I rolled Rune's answer into an extension method:

namespace MyApp.Common
{
    public static class MyExtensions{
        public static SelectList ToSelectList<TEnum>(this TEnum enumObj)
            where TEnum : struct, IComparable, IFormattable, IConvertible
        {
            var values = from TEnum e in Enum.GetValues(typeof(TEnum))
                select new { Id = e, Name = e.ToString() };
            return new SelectList(values, "Id", "Name", enumObj);
        }
    }
}

This allows you to write:

ViewData["taskStatus"] = task.Status.ToSelectList();

by using MyApp.Common

How to implement a password recovery link in ASP.NET

That would be how I would handle it. But don't forget to remove the row from the database when you are done and implement some sort of flood control. I know there are tons (literally) of combinations for guids but running a simple IP check vs how many attempts in the last 5 minutes and blocking them after x number of attempts could help increase the security of the reset. This would become more important the larger your userbase is and how often they forget their passwords.

Best Answer

Related Solutions

C# – How to create a dropdownlist from an enum in ASP.NET MVC

For MVC v5.1 use Html.EnumDropDownListFor

For MVC v5 use EnumHelper

For MVC 5 and lower

How to implement a password recovery link in ASP.NET

Related Topic