Crazy Password Requirements for users

Jul 11, 2011 at 6:07 PM

Hello there

 

I have just installed this web part in order to start using a form application login, I was able to create users. However there seems to be some hard coded byzantine password requirement. I even tried a 10 character password and it did not accept it. It seems to need something on the complexity of an email address. I thought that the user creation just totally wasnt working, untill i tried a password like 'user@domain.com' which actually did work!

 

So do passwords need to have a @ sign in them or what? I am of the opinion that password requirements are ALWAYS a bad idea and lead to users simply writing down their passwords. Is this configurable? if so where? Also it would be nice if the form actually told you this is why it was failing as opposed to "Object reference not set to an instance of an object." which makes no sense to anyone!

 

I am going to take a look around the discussion area, but so far the closest answer i found says something like " i have changed my web.config  to have users passwords with only 8 characters and no nonalphanumeric characters." So i gather that i can change a web.confg file somewhere to do this. I did a search  for "password" in the web.config under the virtual directory for my site, but it didnt come up with anything besides the parameters to connect to the database.

 

How do I edit the "PasswordPolicy" ? anyone know

 

thanks!

 


Coordinator
Jul 11, 2011 at 6:38 PM

The password complexity is set by the membership provider, which you configure in the web.config (just edit the entries you made when configuring SharePoint for FBA).  The FBA Pack just uses whatever is configured.

There's more info on configuring the membership provider here:

http://msdn.microsoft.com/en-us/library/ff648345.aspx

Here's the options you'll be interested in - the minimum password length (defaults to 7) and minimum number of non-alphanumeric characters (defaults to 1 - which is why you needed to put the @ character to get a valid password):

minRequiredPassword
Length
7 Specifies the minimum number of characters required in a password. The value can be from 1 to 128.
minRequiredNonAlpha
numericCharacters
1 Specifies the minimum number of non-alphanumeric characters required in a password. This configuration attribute cannot be set to a value greater than the value of theminRequiredPasswordLength. This means the configuration setting must be in the range of 
0–minRequiredPasswordLength, inclusive of minRequiredPasswordLength.
Jul 11, 2011 at 8:50 PM

Ok, that seems pretty straight forward.

 

I have added the two strings to APPLICATION_ROOT\web.config however minRequiredNonAlphanumericCharacters="0" does not work and makes the site display errors - you cannot browse to the site.  minRequiredPasswordLength="4" however does work, as long as one of those 4 is an @ sign, or other nonalpha char. Relevant lines of web.config are pasted in below. As pasted, the site does not work - does not load. However, if you simply remove the alphacharacters variable, then it all works fine. So maybe I have a synatx error? i also tried ="" and =" ", and even ="1" but it didnt matter.  Site does not load with 403 errors.

 

<add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" minRequiredPasswordLength="4" minRequiredNonAlphanumericCharacters="0" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

Maybe I am not editing the right file? I know I had to edit 3x web.config files web application, central administrator and "STS". Otherwise I would say that that connection string variable is not useable.

Anyone have any working code I can compare too? maybe its the order of variables or something like that. I am not a programmer!

 

thanks for the help anyways ccoulson!

 

Jul 11, 2011 at 9:00 PM
Edited Jul 11, 2011 at 9:01 PM

gosh darn it!!!

 

minRequiredNonalphanumericCharacters="0"

works fine. Seems the command is case sensitive. (note the lower case a in the working command.) MS really needs to update its documentation regarding that!

Thats why i personally hate programming, its always some mundane little detail!

arggg works now. thanks.

 

this example provided correct syntax: http://msdn.microsoft.com/en-us/library/system.web.security.membershipprovider.minrequirednonalphanumericcharacters.aspx