ASP.NET Password in Web Config

Security requirements for account login credentials can vary among different .NET projects. In some cases we have specific requirements for minimum required password length, password strength and the format the password will be stored in the database. These requirements can be easily changed through web.config’s membership > provider area.

The Default Password Setting

By default the requirement for password may look like 7 characters in length, 1 Non-alphanumeric character and be stored in hashed format.

How to change password requirements

Open web config file from your .NET project and locate the <system.web> line. Right after <system.web>, put this code:

<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider"
connectionStringName="LocalSqlServer"
enablePasswordRetrieval="true"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="false"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0"
passwordAttemptWindow="10"passwordFormat="Encrypted"
/>
</providers>
</membership>


Do remember to make sure that the above code is not already present in your web config.

Customizing the code

Depending on the security requirements of your application customize the above code as follows:


connectionStringName="string" this is the name corresponding to the entry in <connectionStrings> section where the connection string for the provider is specified

maxInvalidPasswordAttempts="int" This is the number of failed password attempts, or failed password answer attempts that are allowed before locking out the user's account

passwordAttemptWindow="int" This is the time window (in minutes), during which failed password attempts and failed password answer attempts are tracked

enablePasswordRetrieval="[true|false]" This indicates whether the login system is configured to allow users to retrieve their account passwords (through forgot pasword module). If enablePasswordRetrieval is set to false, users won't be able to receive their password from the database. 

If you set enablePasswordRetrieval to true, you must set passwordFormat  to "Encrypted or Clear". If the PasswordFormat property is set to Hashed, a user will not be able to retrieve his or her existing password from the database. The Hashed password format provides one-way encoding of password values. Passwords are hashed with a randomly generated salt value and compared to values stored in the database for authentication. Hashed values cannot be unencoded to retrieve the original password value. This is because the Hashed password format provides one-way encoding of password values and hence password retrieval will not be possible.

enablePasswordReset="[true|false]" Should the provider support password resets

requiresQuestionAndAnswer="[true|false]" Should the provider require Q & A

minRequiredPasswordLength="int" The minimum password length

minRequiredNonalphanumericCharacters="int" The minimum number of non-alphanumeric characters

applicationName="string" Optional string to identity the application: defaults to Application Metabase path

requiresUniqueEmail="[true|false]" Should the provider require a unique email to be specified

passwordFormat="[Clear|Hashed|Encrypted]" Storage format for the password: Hashed (SHA1), Clear or Encrypted (Triple-DES). Hashing is a one way encryption and hashed passwords cannot be recovered. Encrypted passwords are stored in encrypted format but are recoverable.