Set Password Requirements in .NET 5 & Core 3.1 Identity

Published on

Setting custom password requirement rules in ASP.NET 5 & Core Identitty is an extremely easy affair. Everything is configured in one place and it usually requires less than 10 lines of simple code.

Setting a custom validator

If you've created a new ASP.NET Core solution with Identity enabled then Inside your startup.cs file you'll have a method called ConfigureServices. We use ConfigureServices to specify how services should be configured at runtime.

Inside ConfigureServices you'll add a configuration for IdentityOptions.

services.Configure<IdentityOptions>(options =>
                options.Password.RequiredLength = 8;
                options.Password.RequireUppercase = true;
                options.Password.RequireLowercase = true;
                options.Password.RequireDigit = false;
                options.Password.RequireNonAlphanumeric = false;
                options.Password.RequiredUniqueChars = 5;


Set the requiired length of the password. Specify an integer value, indicating how long the password should be at a minimum.


Set the flag indicating if the password must include an upper case character (a letter between 'A' and 'Z'). Specify a boolean value.


Set the flag indicating if the password must include an lower case character (a letter between 'a' and 'z'). Specify a boolean value.


Set the flag indicating if the password must include an digit (a number between 0 and 9). Specify a boolean value.


Set the flag indicating if the password must include a non-alphanumeric character such as '@',  '&' or '?' . Specify a boolean value.


Set the minimum number of unique unique characters in the password. So for example, setting the value to 2 would prevent someone from saving a password like 'aaaabbbb'. However they could save a password like 'aabbcccc' because the second string has three unique characters. Specify an integer value.

Why change the complexity?

The default requirements in Identity 3.1 are as follows:

  • Minimum length of 6 characters
  • At least one lowercase ('a'-'z')
  • At least one uppercase ('A'-'Z')
  • At least one digit ('0'-'9')
  • At least one non alphanumeric character like @ or ?

If you're not ready to deploy 2FA on an internet facing application then it's a good idea to enforce higher password complexity. There's also many business cases that require a different set of password requirements to those set by default in Identity.

Companies that handle cardholder data might require a password length of much more than 6 characters for their PCI DSS certification.

The key understanding here is that you should define a minimum standard for password requirements, depending on your business case.

Article Categories: # .net # identity # c#
Date Published: Jan 22, 2020


A tech blog by Andy P. I talk about coding, enterprise software development, tech, games design & other things that interest me.

Signup To The Newsletter

I try to post a new interesting article every saturday.

IT Asset Management

Our friends at AssetPad are building a complete online solution for managing the IT assets within your organisation. With barcodes and documentation tools.