Set Password Requirements in .NET 5 & Core 3.1 Identity
Setting custom password requirement rules in ASP.NET Core Identity (.NET 5 and Core 3.1) is a quick job. Everything is configured in one place and it usually takes fewer than 10 lines of code.
Setting a custom validator
If you've created a new ASP.NET Core solution with Identity enabled, then inside your Startup.cs file you'll have a method called ConfigureServices. ConfigureServices is where the application's services are registered and configured before the app starts handling requests.
Inside ConfigureServices, add a configuration for IdentityOptions. Only the Password sub-options are shown here; the six properties are described one by one below.
services.Configure<IdentityOptions>(options =>
{
options.Password.RequiredLength = 8;
options.Password.RequireUppercase = true;
options.Password.RequireLowercase = true;
options.Password.RequireDigit = false;
options.Password.RequireNonAlphanumeric = false;
options.Password.RequiredUniqueChars = 5;
});
options.Password.RequiredLength;
Set the required length of the password. Specify an integer value, indicating the minimum number of characters the password must contain. An empty or null password always fails this check.
options.Password.RequireUppercase;
Set the flag indicating whether the password must include an uppercase character (a letter between 'A' and 'Z'). Specify a boolean value.
options.Password.RequireLowercase;
Set the flag indicating whether the password must include a lowercase character (a letter between 'a' and 'z'). Specify a boolean value.
options.Password.RequireDigit;
Set the flag indicating whether the password must include a digit (a number between '0' and '9'). Specify a boolean value.
options.Password.RequireNonAlphanumeric;
Set the flag indicating whether the password must include a non-alphanumeric character such as '@', '&' or '?'. Anything outside the ASCII ranges 'A'-'Z', 'a'-'z' and '0'-'9' counts, so accented letters also satisfy this rule. Specify a boolean value.
options.Password.RequiredUniqueChars;
Set the minimum number of distinct characters the password must contain. For example, setting the value to 3 would reject a password like 'aaaabbbb', which has only two distinct characters ('a' and 'b'), but would accept 'aabbcccc', which has three ('a', 'b' and 'c'). The default is 1, which imposes no real constraint. Specify an integer value.
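To see exactly which of the six rules a given password trips under a given policy, here is an added example (not code from the original post and not the framework's own source): a stand-alone console program that re-implements the checks Identity's built-in PasswordValidator<TUser> performs from IdentityOptions.Password, then runs a handful of constructed sample passwords through both the Identity defaults and the custom policy from the snippet above. The PasswordPolicy class, the rule names in the output and the sample passwords are all assumptions made for this example; they mirror the option names rather than coming from the page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not framework code: a stand-alone re-implementation of the six checks that
// Identity's built-in PasswordValidator<TUser> applies from IdentityOptions.Password, so the
// rules can be tried against sample passwords without wiring up a UserManager.
public sealed class PasswordPolicy
{
    // Property initialisers are Identity's defaults (the list under "Why change the complexity?").
    public int RequiredLength { get; set; } = 6;
    public bool RequireUppercase { get; set; } = true;
    public bool RequireLowercase { get; set; } = true;
    public bool RequireDigit { get; set; } = true;
    public bool RequireNonAlphanumeric { get; set; } = true;
    public int RequiredUniqueChars { get; set; } = 1;
}

public static class PasswordRules
{
    public static readonly PasswordPolicy IdentityDefault = new PasswordPolicy();

    // The custom policy from the ConfigureServices snippet above.
    public static readonly PasswordPolicy ArticleCustom = new PasswordPolicy
    {
        RequiredLength = 8,
        RequireUppercase = true,
        RequireLowercase = true,
        RequireDigit = false,
        RequireNonAlphanumeric = false,
        RequiredUniqueChars = 5
    };

    // Returns the names of the rules the password fails; an empty list means it would be accepted.
    // Character classes are the ASCII ranges the validator uses: 'A'-'Z', 'a'-'z', '0'-'9';
    // anything else (including accented letters) counts as non-alphanumeric.
    public static IReadOnlyList<string> FailedRules(PasswordPolicy p, string password)
    {
        password = password ?? string.Empty;
        var failed = new List<string>();

        if (password.Length < p.RequiredLength) failed.Add($"RequiredLength({p.RequiredLength})");
        if (p.RequireUppercase && !password.Any(IsUpper)) failed.Add("RequireUppercase");
        if (p.RequireLowercase && !password.Any(IsLower)) failed.Add("RequireLowercase");
        if (p.RequireDigit && !password.Any(IsDigit)) failed.Add("RequireDigit");
        if (p.RequireNonAlphanumeric && password.All(c => IsUpper(c) || IsLower(c) || IsDigit(c)))
            failed.Add("RequireNonAlphanumeric");
        if (password.Distinct().Count() < p.RequiredUniqueChars)
            failed.Add($"RequiredUniqueChars({p.RequiredUniqueChars})");

        return failed;
    }

    private static bool IsUpper(char c) => c >= 'A' && c <= 'Z';
    private static bool IsLower(char c) => c >= 'a' && c <= 'z';
    private static bool IsDigit(char c) => c >= '0' && c <= '9';
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample passwords, chosen so that each rule is exercised at least once.
        string[] samples = { "Pass1!", "aaaabbbb", "aabbcccc", "CorrectHorseBattery", "Tr0ub4dor&3" };

        foreach (var (name, policy) in new[] { ("default", PasswordRules.IdentityDefault), ("custom", PasswordRules.ArticleCustom) })
        {
            Console.WriteLine($"--- {name} policy ---");
            foreach (var pw in samples)
            {
                var failed = PasswordRules.FailedRules(policy, pw);
                Console.WriteLine($"{pw,-20} {(failed.Count == 0 ? "accepted" : "rejected: " + string.Join(", ", failed))}");
            }
        }
    }
}
```

Running it makes the trade-off visible: 'Pass1!' satisfies every default rule despite being six characters long, but the custom policy rejects it on RequiredLength alone, while 'CorrectHorseBattery' fails the defaults (no digit, no symbol) and passes the custom policy. 'aabbcccc' is rejected by the custom policy for having only three distinct characters against a RequiredUniqueChars of 5.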
Why change the complexity?
The default requirements in ASP.NET Core Identity (unchanged between Core 3.1 and .NET 5) are as follows:
- Minimum length of 6 characters
- At least one lowercase ('a'-'z')
- At least one uppercase ('A'-'Z')
- At least one digit ('0'-'9')
- At least one non-alphanumeric character like @ or ?
- At least 1 distinct character (RequiredUniqueChars = 1, which in practice constrains nothing)
If you're not ready to deploy 2FA on an internet-facing application then it's a good idea to enforce stronger password requirements in the meantime. Of the options above, RequiredLength does the most to slow down guessing; composition rules on their own are a weaker defence and are no substitute for a second factor. There are also many business cases that require a different set of password requirements to those set by default in Identity.
Companies that handle cardholder data, for example, will need a password length greater than the 6-character default for their PCI DSS certification: PCI DSS v3.2.1 requirement 8.2.3 asks for at least seven characters containing both letters and digits.
The key point is that you should define a minimum standard for password requirements that fits your business case, rather than relying on the defaults.
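The IdentityOptions.Password settings above only cover the six built-in checks. When a business rule cannot be expressed with them, Identity also lets you register an additional IPasswordValidator<TUser>, which runs after the built-in validator and must also succeed before the password is accepted. The following is an added example (not from the original post) that goes one step beyond the page: it rejects any password that contains the account's own user name or that appears on a small deny list, and registers the validator with AddPasswordValidator in ConfigureServices. The class name BusinessPasswordValidator, the deny-list entries and the use of IdentityUser are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

// Added example, not part of the original post. Identity calls every registered
// IPasswordValidator<TUser>; all of them must return Success for the password to be accepted.
public class BusinessPasswordValidator<TUser> : IPasswordValidator<TUser> where TUser : class
{
    // Constructed deny list for illustration only. A production deployment would consult a
    // breached-password corpus rather than a hard-coded handful of strings.
    private static readonly HashSet<string> DenyList = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "Password1!", "Welcome123", "Summer2021!"
    };

    public async Task<IdentityResult> ValidateAsync(UserManager<TUser> manager, TUser user, string password)
    {
        var errors = new List<IdentityError>();
        password = password ?? string.Empty;

        // Rule 1: the password must not embed the account's own user name (case-insensitive).
        var userName = await manager.GetUserNameAsync(user);
        if (!string.IsNullOrEmpty(userName) &&
            password.IndexOf(userName, StringComparison.OrdinalIgnoreCase) >= 0)
        {
            errors.Add(new IdentityError
            {
                Code = "PasswordContainsUserName",
                Description = "The password must not contain your user name."
            });
        }

        // Rule 2: the password must not be on the deny list.
        if (DenyList.Contains(password))
        {
            errors.Add(new IdentityError
            {
                Code = "PasswordOnDenyList",
                Description = "That password is too common; please choose a different one."
            });
        }

        return errors.Count == 0 ? IdentityResult.Success : IdentityResult.Failed(errors.ToArray());
    }
}

// Registration, as it would appear in Startup.ConfigureServices. The built-in options are set
// in the same call; AddPasswordValidator is chained onto the IdentityBuilder that
// AddDefaultIdentity returns (the template's AddEntityFrameworkStores call can stay in the chain).
public static class IdentityRegistration
{
    public static void ConfigureIdentity(IServiceCollection services)
    {
        services.AddDefaultIdentity<IdentityUser>(options =>
            {
                options.Password.RequiredLength = 8;
                options.Password.RequireUppercase = true;
                options.Password.RequireLowercase = true;
                options.Password.RequireDigit = false;
                options.Password.RequireNonAlphanumeric = false;
                options.Password.RequiredUniqueChars = 5;
            })
            .AddPasswordValidator<BusinessPasswordValidator<IdentityUser>>();
    }
}
```

The IdentityError Code values surface through IdentityResult.Errors, so the registration and password-change pages can show them to the user exactly like the built-in messages; keep the descriptions generic enough that they do not reveal which deny-list entries exist.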