Set Password Requirements in .NET Core 3.1 Identity

Updated on 23rd January 2020

Setting custom password requirement rules in ASP.NET Core Identity is an extremely easy affair. Everything is configured in one place and it usually requires less than 10 lines of simple code.

Setting a custom validator

If you've created a new ASP.NET Core solution with Identity enabled, then inside your Startup.cs file you'll have a method called ConfigureServices. We use ConfigureServices to specify how services should be configured at runtime.

Inside ConfigureServices you'll add a configuration for IdentityOptions.

services.Configure<IdentityOptions>(options =>
{
    options.Password.RequiredLength = 8;
    options.Password.RequireUppercase = true;
    options.Password.RequireLowercase = true;
    options.Password.RequireDigit = false;
    options.Password.RequireNonAlphanumeric = false;
    options.Password.RequiredUniqueChars = 5;
});

options.Password.RequiredLength;

Set the required length of the password. Specify an integer value indicating the minimum number of characters the password must contain.

options.Password.RequireUppercase;

Set the flag indicating if the password must include an upper case character (a letter between 'A' and 'Z'). Specify a boolean value.

options.Password.RequireLowercase;

Set the flag indicating if the password must include a lower case character (a letter between 'a' and 'z'). Specify a boolean value.

options.Password.RequireDigit;

Set the flag indicating if the password must include a digit (a number between 0 and 9). Specify a boolean value.

options.Password.RequireNonAlphanumeric;

Set the flag indicating if the password must include a non-alphanumeric character such as '@', '&' or '?'. Specify a boolean value.

options.Password.RequiredUniqueChars;

Set the minimum number of unique characters in the password. So for example, setting the value to 2 would prevent someone from saving a password like 'aaaabbbb'. However, they could save a password like 'aabbcccc' because the second string has three unique characters. Specify an integer value.
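The IdentityOptions settings above only express character-class rules. As an added example (not code from the original post), here is a custom IPasswordValidator that Identity runs alongside those built-in rules and that additionally rejects passwords containing the user's name or email local-part, or matching a short denylist of common passwords; the class name, the denylist contents and the error codes are my own choices.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Added example: an extra validator that Identity calls after the
// options-based Password rules. Any IdentityError returned here blocks the
// password from being saved.
public class NoUserInfoOrCommonPasswordValidator<TUser> : IPasswordValidator<TUser>
    where TUser : IdentityUser
{
    // Constructed denylist for illustration; load a real common/breached
    // password list in production.
    private static readonly string[] CommonPasswords =
    {
        "Password1!", "Welcome1!", "Qwerty123!", "Summer2020!"
    };

    public Task<IdentityResult> ValidateAsync(UserManager<TUser> manager, TUser user, string password)
    {
        var errors = new List<IdentityError>();

        // Reject passwords that embed the user's own name or the part of
        // their email before the '@' (case-insensitive).
        var localPart = user.Email?.Split('@')[0];
        foreach (var fragment in new[] { user.UserName, localPart })
        {
            if (!string.IsNullOrEmpty(fragment) && fragment.Length >= 3 &&
                password.Contains(fragment, StringComparison.OrdinalIgnoreCase))
            {
                errors.Add(new IdentityError
                {
                    Code = "PasswordContainsUserInfo",
                    Description = "Password must not contain your user name or email."
                });
                break;
            }
        }

        if (CommonPasswords.Any(p => string.Equals(p, password, StringComparison.OrdinalIgnoreCase)))
        {
            errors.Add(new IdentityError
            {
                Code = "PasswordTooCommon",
                Description = "That password is too common; please choose another."
            });
        }

        return Task.FromResult(errors.Count == 0
            ? IdentityResult.Success
            : IdentityResult.Failed(errors.ToArray()));
    }
}
```

Register it in ConfigureServices next to the IdentityOptions configuration, e.g. `services.AddDefaultIdentity<IdentityUser>().AddPasswordValidator<NoUserInfoOrCommonPasswordValidator<IdentityUser>>();`, and the errors surface in the same IdentityResult as the built-in rule failures.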

Why change the complexity?

The default requirements in Identity 3.1 are as follows:

  • Minimum length of 6 characters
  • At least one lowercase ('a'-'z')
  • At least one uppercase ('A'-'Z')
  • At least one digit ('0'-'9')
  • At least one non-alphanumeric character like @ or ?

If you're not ready to deploy 2FA on an internet-facing application, then it's a good idea to enforce higher password complexity. There are also many business cases that require a different set of password requirements to those set by default in Identity.

Companies that handle cardholder data might require a password length of much more than 6 characters for their PCI DSS certification.

The key understanding here is that you should define a minimum standard for password requirements, depending on your business case.

