RFL200141: Web.config Password Options

The following section of the Web.config file contains the options that can be used in order to setup the required password complexity: 


<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="20">


<remove name="AspNetSqlProvider" />

<add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="RayflowSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" passwordFormat="Hashed" passwordStrengthRegularExpression="(?=^.{6,15}$)(?=.*\d)(?=.*\W+)(?![.\n])(?=.*[a-zA-Z]).*$" minRequiredNonalphanumericCharacters="1" minRequiredPasswordLength="6" applicationName="/" />




Current password strength requirements:

Must be a minimum of 6 and a maximum of 15 characters.

Must have at least one special character.

Can have one or more decimal digits.

Can have one or more lowercase or uppercase characters.





The number of minutes after the last-activity date/time stamp for a user during which the user is considered online.



If the password format is set to Hashed, then users will not be able to retrieve their existing password from the database.



Password reset is the ability for ASP.NET membership to replace the current password for a user name with a new, randomly generated password when a user has forgotten their password or the current password is no longer valid.

This is especially useful when password format is set to Hashed, as users cannot retrieve hashed password values.



Requiring a password question and answer provides an additional layer of security when retrieving or resetting a user's password.

Users can supply a question and answer when their user name is created that they can later use to retrieve or reset a forgotten password.



          Clear Passwords are not encrypted.

Encrypted Passwords are encrypted using the encryption settings determined by the machineKey Element (ASP.NET Settings Schema) element configuration.

Hashed Passwords are encrypted one-way using the SHA1 hashing algorithm. You can specify a hashing algorithm different than the SHA1 algorithm using the hashAlgorithmType attribute.




          A regular expression used to evaluate a password.


          (?= subexpression )

Zero-width positive lookahead. Look ahead of the current position to determine whether subexpression matches the input string.

          (?! subexpression )

Zero-width negative lookahead. Look ahead of the current position to determine whether subexpression does not match the input string.

          (?=^.{6,15}$)         Begin the match at the beginning of the input string.

String must be a minimum of 6 and a maximum of 15 characters.

                                      End the match at the end of the input string.

          (?=.*\d)                  Match zero or more decimal digits.

          (?=.*\W+)              Match one or more non-word characters.

          (?![.\n])                  Does not match a newline character.

          (?=.*[a-zA-Z])         Match zero or more a-z or A-Z characters.

          .*$                         End the match at the end of the input string.





The minimum number of special characters that must be present in a valid password.



          The minimum length required for a password.



          The ApplicationName is used to identify users specific to an application.

That is, the same user name can exist in the database for multiple ASP.NET applications that specify a different ApplicationName.

When no applicationName attribute is configured, ASP.NET uses the application vroot path within the web-server to automatically calculate the applicationName to use when adding data to an ASP.NET Application Service database.



Microsoft reference =



Powered by Zendesk