tags:

views:

61

answers:

2
Q: 

how to set maximum password length in web.config file?

I had set minRequiredPasswordLength,minRequiredNonalphanumericCharacters in membership section of web.config file. but i need maximum password length also to set. how to set in web.config file?

A: 

I think that the default implementations of MembershipProvider does not support this feature. However, you could obtain the same results by validating the password length when the users set/change it.

Edit related to PasswordRecovery control

If you are using a standard implementation of the MembershipProvider class with the PasswordRecovery control you are unable to interfere with the generation of the new password (more precisely ResetPassword - "Resets a user's password to a new, automatically generated password"). If you want to use the PasswordRecovery control I see no other option than creating a custom membership provider deriving from the abstract MembershipProvider class or from one of its concrete implementation (like SqlMembershipProvider);

The other option would be to implement your custom password recovery interface as you could still rely on functionality implemented in your MembershipProvider. When the user wants to reset his password you could use GetUser method to obtain the related information, then ResetPassword to obtain a new password. In this moment you may use the password that ResetPassword returns and call ChangePassword to set a new password that meets your criteria, than email it to the user. There are many ways to implement the corresponding user interface, but the reset password logic would be almost the same.

Also in case you decide that keeping the passwords encrypted instead of hashed meets your requirements, your problem will be solved as users will receive through email their old passwords (that meet the maximum length condition from the moment they were set). For this make the following changes in web.config:

      Passwordformat="encrypted"
      Passwordreset="true"
      Passwordretriaval="true"
andrei m  2010-10-23 07:18:57
i m using passwordrecovery control which resets and sends password to the respective user automatically. the password received by the users follows the minimum length but not for the maximum. In this case where can i validate the password length?
Abilash  2010-10-23 10:08:06
A: 

You must use ValidatingPassword event. Here you can check maximum length, etc. More info available at: http://forums.asp.net/t/946218.aspx

afsharm  2010-10-23 08:07:53

related questions

after running aspnet_regsql.exe , do I have to init the db with data? how?
Not using e-mail address in a custom MembershipProvider?
How to pass the current user to a web control declaratively
How do you rename a Role using Membership in .NET?
What encryption algorithm does the .net membership provider use?
Membership.GetUser() & MARS
Web.config editing for Membership Role Authorization
Globalization of Membership exceptions isn't taking place... What to do?
OpenId development while disconnected from Internet
programmatic login with .net membership provider
Addin extra properties to MembershipProvider
ASP.Net Providers from web server in DMZ
ASP.NET PasswordRecovery Control with Localized content
Examples of asp.net mvc and authentication
ASP.NET Membership for high security scenarios?
ASP.NET Forms Authentication With Only UserName
What to use for membership in ASP.NET
How can I wrap a transaction around Membership.CreateUser?
New site creation and security/authentication,- should I use ASP.net Membership Provider?
ASP.NET WSAT (Website Administration Tool) and Custom Membership Providers
How do you manage asp.net SQL membership roles/users in production?
How to access UserId in ASP.NET Membership without using Membership.GetUser() ?
Can I use OpenId with the ASP MembershipProvider?
How do you pass an authenticaticated session between app domains
Class design decision