Enforcing Strong Passwords Using .Net Membership Feature

How do I enforce strong passwords using membership feature in ASP.NET 2.0?

Note: this is a reprint of an article originally posted on Developer Guidance Share on June 13, 2012. The original article can be found here. This tip also applies to .NET versions 3.5 and 4.0.

By J.D. Meier, Prashant Bansode, Alex Mackman


You can enforce strong passwords with the membership feature by setting the minRequiredPasswordLength, minRequiredNonalphanumericCharacters, and passwordStrengthRegularExpression attributes on your membership provider configuration. Strong passwords help defend against brute force attacks and dictionary attacks. By default, both SqlMembershipProvider and ActiveDirectoryMembershipProvider require a minimum password length of 7 characters with at least 1 non-alphanumeric character. If you are using the ActiveDirectoryMembershipProvider with Active Directory, your domain password policy is used by default, although you can further strengthen password policy by overriding it in your membership configuration with the attributes listed earlier. Similarly, if you are using ActiveDirectoryMembershipProvider with ADAM, your local password policy is used, although you can override this with your membership configuration.

If you need to configure your membership provider to enforce specific strong password rules, you can use regular expressions, or you can set specific max and min requirements for numeric, alphabetic and alphanumeric characters.

  • Using a regular expression
       <membership ...>
         <providers>
           <add passwordStrengthRegularExpression="^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$" .../>
         </providers>
       </membership>
  • Using minimum length and non-alphanumeric characters
       <membership ...>
         <providers>
           <add minRequiredPasswordLength="10" minRequiredNonalphanumericCharacters="2" .../>
         </providers>
       </membership>
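
The following console program is an added example, not code from the original article or from the .NET membership providers. It assumes both sets of attributes shown above are configured on one provider and that a password must pass all of them; PasswordPolicy and Check are hypothetical names, and the sample passwords are constructed.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Added illustration (hypothetical names): applies the three membership
// password settings from the configuration above to candidate passwords.
class PasswordPolicy
{
    public int MinRequiredPasswordLength = 10;
    public int MinRequiredNonAlphanumericCharacters = 2;
    public string PasswordStrengthRegularExpression =
        @"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$";

    // Returns null when the password passes, otherwise the first failed rule.
    public string Check(string password)
    {
        if (password.Length < MinRequiredPasswordLength)
            return "shorter than minRequiredPasswordLength";

        // Anything that is not a letter or digit counts as non-alphanumeric.
        int symbols = password.Count(c => !char.IsLetterOrDigit(c));
        if (symbols < MinRequiredNonAlphanumericCharacters)
            return "too few non-alphanumeric characters";

        if (PasswordStrengthRegularExpression.Length > 0 &&
            !Regex.IsMatch(password, PasswordStrengthRegularExpression))
            return "does not match passwordStrengthRegularExpression";
        return null;
    }
}

class Program
{
    static void Main()
    {
        var policy = new PasswordPolicy();
        // Constructed sample passwords, not real credentials.
        string[] samples =
        {
            "Passw0rd",      // 8 characters
            "Passw0rd12",    // 10 characters, letters and digits only
            "Pa$$w0rd!2",    // 10 characters, mixed case, digits, 3 symbols
            "Pa$$w0rd!2345", // 13 characters, otherwise like the previous one
            "pa$$w0rd!2",    // 10 characters, no upper-case letter
        };
        foreach (var p in samples)
            Console.WriteLine("{0,-15} {1}", p, policy.Check(p) ?? "accepted");
    }
}
```

Because the sample expression ends in `.{8,10}$`, it also sets a maximum length of 10, so combining it with a minimum length of 10 leaves exactly one permitted length. The expression itself places no requirement on non-alphanumeric characters; that rule comes only from minRequiredNonalphanumericCharacters.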

For more information on enforcing strong passwords, see "How To: Protect Forms Authentication in ASP.NET 2.0" at

In The News is brought to you by WinMill Software, the premier resource for systems development and integration, expert consulting, quality assurance, technology infrastructure, and software resale. For more information, contact a WinMill Account Manager at or 1-888-711-MILL (6455).