Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Anthony Candaele 1197 posts 2049 karma points
    Jan 29, 2012 @ 14:30
    Anthony Candaele
    0

    how to set password minimum length and password strength

    Hi,

    For my registrationpage I created a memberRegistration.ascx user control. This user control has a createuserwizard control and uses the Umbraco membership provider.

    My Umbraco membership provider looks like this:

    <add name="UmbracoMembershipProvider" type="umbraco.providers.members.UmbracoMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" defaultMemberTypeAlias="Jobseeker" umbracoApprovePropertyTypeAlias="isApproved" umbracoLockPropertyTypeAlias="isLocked" requiresUniqueEmail="true" passwordFormat="Hashed" />

    For the password security I would like to force users to enter passwords with a given password length, and passwords should be strong (one alphanumerical character).

    However there don't seem to be attributes on the Umbraco membership provider for password length and password strength.

    Is there a way to configure this for the Umbraco membership provider?

    Thanks for your help,

    Anthony

  • Jorge Lusar 150 posts 489 karma points
    Jan 29, 2012 @ 15:47
    Jorge Lusar
    2

    Hi Anthony,

    Have you tried setting the minRequiredPasswordLength attribute? example:

    <add name="UmbracoMembershipProvider" type="umbraco.providers.members.UmbracoMembershipProvider" minRequiredPasswordLength="7" ... />
    
  • Lennart Stoop 304 posts 836 karma points
    Jan 29, 2012 @ 15:47
  • Anthony Candaele 1197 posts 2049 karma points
    Jan 29, 2012 @ 20:12
    Anthony Candaele
    0

    Hi Jorge, Lennart,

    I added the minRequiredPasswordLenght="7" attribute to the Umbraco Membership Provider:

    <add name="UmbracoMembershipProvider" 

            type="umbraco.providers.members.UmbracoMembershipProvider" 

            enablePasswordRetrieval="false" 

            enablePasswordReset="true" 

            requiresQuestionAndAnswer="false" 

            defaultMemberTypeAlias="Jobseeker" 

            umbracoApprovePropertyTypeAlias="isApproved" 

            umbracoLockPropertyTypeAlias="isLocked" 

            requiresUniqueEmail="true" 

            passwordFormat="Hashed"

            minRequiredPasswordLength="7" /> 

     But this doesn't seem to have any effect on the password validation. I can still register a member with a password that has less than 7 characters.

  • Lennart Stoop 304 posts 836 karma points
    Jan 29, 2012 @ 20:55
    Lennart Stoop
    2

    Hi Anthony,

    From what I can see in the source code the Umbraco membership provider defines the properties as mentioned above, but it does not apply them when creating a member or changing/resetting a password. I guess you could either update the provider (or create a work item on codeplex), or code the password policy into the wizard by hooking into one of its events: 

    http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.createuserwizard.creatinguser.aspx

     

    Grtz

    L

  • Rodion Novoselov 694 posts 859 karma points
    Jan 30, 2012 @ 07:50
    Rodion Novoselov
    1

    I think the easiest way to get ignored properties into action is just to inherit the existent umbraco provider and override Create/Update methods so to add required validations.

  • Anthony Candaele 1197 posts 2049 karma points
    Jan 30, 2012 @ 09:14
    Anthony Candaele
    0

    HI Rodion,

    You mean inherit the umbraco provider in my user control?

    Thanks for the tip,

    Anthony

  • Anthony Candaele 1197 posts 2049 karma points
    Jan 30, 2012 @ 09:24
    Anthony Candaele
    0

    Hi Lennart,

    I will create a workitem on codeplex, as I think minRequiredPasswordLength and minRequiredNonAlphaNumericalCharacters should be baked into the Umbraco Membership Provider.

    Thanks for the advice,

    Anthony

  • Anthony Candaele 1197 posts 2049 karma points
    Jan 30, 2012 @ 09:31
    Anthony Candaele
    0

    @Lennart, I created the work item: http://umbraco.codeplex.com/workitem/30694

  • Rodion Novoselov 694 posts 859 karma points
    Jan 30, 2012 @ 10:21
    Rodion Novoselov
    0

    No, I meant to create your own membership provider inheriting from the UmbracoMembershipProvider and register it via web.config instead of the latter. (Actually I think it wouldn't take longer than half an hour).

    For instance:

    public class NiceUmbracoMembershipProvider : UmbracoMembershipProvider
    {
      public override MembershipUser CreateUser(
         string username,
         string password,
         string email,
         string passwordQuestion,
         string passwordAnswer,
         bool isApproved,
         object providerUserKey,
         out MembershipCreateStatus status)
      {
          if(password.Length < m_MinRequiredPasswordLength)
          {
            status = MembershipCreateStatus.InvalidPassword;
            return null;
          }
          return base.CreateUser(username, password, email,
                                 passwordQuestion, passwordAnswer,
                                 isApproved, providerUserKey,
                                 out status);
      }
    }

    You can override the "UpdateUser" method in a similar way and add any additional validations that you could need.

    Than you will need just to register this provider as the default one in your web.config and that's it.

  • Rodion Novoselov 694 posts 859 karma points
    Jan 30, 2012 @ 10:25
    Rodion Novoselov
    0

    Also, if you use some tool like the RedGate .NET Reflector then you can investigate the code of e.g. Asp.Net SqlMembershipProvideras as a reference implementation.

  • Jeroen Breuer 4861 posts 12132 karma points MVP 3x admin c-trib
    Jan 30, 2012 @ 10:31
    Jeroen Breuer
    0

    I created an old issue and I don't know if it's stil valid, but it might be good to look at it before creating you own MembershipProvider: http://umbraco.codeplex.com/workitem/25855

    Jeroen

  • Tim 1193 posts 2655 karma points c-trib
    Jan 30, 2012 @ 10:46
    Tim
    2

    If you want a quick way of doing it, you can do it by adding a RegExp validator to your register user control. The following RegEx wioll ensure that a password is between 8 - 29 characters long, and contains a mix of upper, lower and numeric characters: ^.*(?=.{7,30})(?=.*[\d])(?=.*[a-z])(?=.*[A-Z]).*$

     

  • Anthony Candaele 1197 posts 2049 karma points
    Jan 30, 2012 @ 12:26
    Anthony Candaele
    0

    @Rodion thanks for the advice, but I think I'm to far now in development of my registration page to rewrite the member logic.

    @Tim Thanks I think this can solve my issue in a fast manner. The only thing I'm struggling with is that my CreateUserWizard doesn't seem to stop registering a user when validation fails:

    <asp:CreateUserWizardStep ID="cuwStep2" Title="Step 2/2" runat="server">

                        <ContentTemplate>

                        <p><strong>Step 2/2</strong>: Enter your account information</p>

                            <table class="registrationtable">

                                <tr>

                                    <td>Email:</td>

                                    <td><asp:TextBox ID="Username" runat="server"></asp:TextBox><asp:TextBox ID="Email" runat="server" Visible="false"></asp:TextBox></td>

                                    <td><asp:RequiredFieldValidator ID="reqUserName" runat="server" 

                                    ToolTip="Username is a required field" 

                                    ErrorMessage="Email is a required field" 

                                    ControlToValidate="Username" 

                                    ValidationGroup="cwMember" 

                                    Text="*" />

                                    <asp:RegularExpressionValidator ID="regEmail" ControlToValidate="UserName" 

                                    Text="*" 

                                    ValidationExpression="\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*" 

                                    Runat="server" 

                                    ValidationGroup="cwMember" /></td>

                                </tr>

                                <tr>

                                    <td>Password:</td>

                                    <td><asp:TextBox ID="Password" runat="server" TextMode="Password"></asp:TextBox></td>

                                    <td><asp:RequiredFieldValidator 

                                    ID="reqPassword" 

                                    runat="server" 

                                    ControlToValidate="Password" 

                                    ValidationGroup="cwMember" 

                                    Text="*" 

                                    ErrorMessage="Password is a required field" />                               

                                    </td>

                                </tr>

                                <tr>

                                    <td>Confirm Password:</td>

                                    <td><asp:TextBox ID="txtConfirmPassword" runat="server" TextMode="Password"></asp:TextBox></td>

                                    <td><asp:RequiredFieldValidator

                                     ID="reqConfirmPassword"

                                     runat="server"

                                     Display="Dynamic" 

                                     ControlToValidate="txtConfirmPassword" 

                                     ValidationGroup="cwMember" 

                                     Text="Confirm password" />

                                     <asp:CompareValidator ID="cmpPassword" 

                                     runat="server"

                                     Display="Dynamic" 

                                     ControlToValidate="Password" 

                                     ControlToCompare="txtConfirmPassword"                                  

                                     Text="*"

                                     ErrorMessage="Passwords are not equal" />

                                    </td>

                                </tr>

                            </table>               

                            <asp:PlaceHolder ID="phValidationSummary" runat="server"></asp:PlaceHolder>

                            <asp:ValidationSummary 

                            ID="vsSummary" 

                            runat="server" 

                            ValidationGroup="cwMember" 

                            DisplayMode="BulletList" 

                            HeaderText="Correct the following:" />                                                

                        </ContentTemplate>                                                        

                    </asp:CreateUserWizardStep>                                            

                    <asp:CompleteWizardStep ID="cuwStep3" runat="server">

                        <ContentTemplate>

                            <p>User should now be created, but not approved...</p>

                            <asp:HyperLink ID="hlAuth" runat="server"></asp:HyperLink>

                        </ContentTemplate>

                    </asp:CompleteWizardStep>

                </WizardSteps>

            </asp:CreateUserWizard>

     

    I use a CreateUserError event handler to handle validation errors in the createuserwizardstep:

    protected void cwMember_CreateUserError(object sender, CreateUserErrorEventArgs e)

            {

                StringBuilder sb = new StringBuilder();

                CreateUserWizard cuw = (CreateUserWizard)sender;

                switch (e.CreateUserError)

                {

                    case MembershipCreateStatus.DuplicateEmail:

                        sb.Append(cuw.DuplicateEmailErrorMessage.ToString());

                        break;

                    case MembershipCreateStatus.DuplicateUserName:

                        sb.Append("this email address is already registered, please use another email address");

                        break;                

                    case MembershipCreateStatus.InvalidEmail:

                        sb.Append(cuw.InvalidEmailErrorMessage.ToString());

                        break;

                    case MembershipCreateStatus.InvalidPassword:

                        sb.Append(cuw.InvalidPasswordErrorMessage.ToString());

                        break;                

                    case MembershipCreateStatus.InvalidUserName:

                        sb.Append("username is not valid");

                        break;                

                    case MembershipCreateStatus.UserRejected:

                        sb.Append("administrator said 'no way'");

                        break;

                    default:

                        break;

                }

                CreateUserWizardStep cuwStep2 = cuw.FindControl("cuwStep2") as CreateUserWizardStep;

                PlaceHolder phValidationSummary = (PlaceHolder)cuwStep2.ContentTemplateContainer.FindControl("phValidationSummary");

                CustomValidator cvError = new CustomValidator();

                cvError.ValidationGroup = "cwMember";

                cvError.ErrorMessage = sb.ToString();

                cvError.IsValid = false;

                phValidationSummary.Controls.Add(cvError);

     

            }

    But for some reason only validation that that is catched in the CreateUserError event is handled. I only posted this issue on StackOverFlow.com: 

    http://stackoverflow.com/questions/9052563/how-to-stop-creatuserwizard-control-creating-user-when-passwords-are-not-equal

    Thanks for your advice,

    Anthony

  • Tim 1193 posts 2655 karma points c-trib
    Jan 30, 2012 @ 12:45
    Tim
    1

    @Anthony, it looks like your compare validator for the password is not a member of the "cwMember" validator group like the rest of the validators. If you add that to the group, does it work?

  • Anthony Candaele 1197 posts 2049 karma points
    Jan 30, 2012 @ 12:58
    Anthony Candaele
    0

    Hi Tim, I set the validator group to 'cwMember' and now the compare validation fires.

    The Regular Expression Validator works also fine.

    Thanks a lot, this greatly increases the security of my registration page

    greetings,

    Anthony

  • Seann Hicks 1 post 71 karma points
    May 14, 2020 @ 01:32
    Seann Hicks
    0

    I managed to add policy complexity rules to Umbraco accounts by adding the minRequiredPasswordLength and minRequiredNonalphanumericCharacters attributes to the UsersMembershipProvider and not the UmbracoMembershipProvider. A comment in the code indicates that the UmbracoMembershipProvider is not used for CMS accounts. This is on version 7.7.2.

     <providers>
        <clear />
        <add name="UmbracoMembershipProvider" type="Umbraco.Web.Security.Providers.MembersMembershipProvider, Umbraco" minRequiredNonalphanumericCharacters="2" minRequiredPasswordLength="10" useLegacyEncoding="false" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" defaultMemberTypeAlias="Member" passwordFormat="Hashed" allowManuallyChangingPassword="false" />
        <add name="UsersMembershipProvider" type="Umbraco.Web.Security.Providers.UsersMembershipProvider, Umbraco"  minRequiredPasswordLength="14" minRequiredNonalphanumericCharacters="1" />
      </providers>
    
Please Sign in or register to post replies

Write your reply to:

Draft