
Wednesday, August 15, 2012

ASP.NET Password Requirements

For an ASP.NET website that uses AspNetSqlMembershipProvider for authentication, there are several settings you can specify to handle password requirements.  Most corporate sites that want to make sure users are entering strong passwords have several things they look for in a password.

  1. Password Length
  2. Character Types
  3. Password Complexity
  4. Password History
  5. Encryption
  6. Attempts

Most of these settings are kept in the web.config.  Here is a standard setting for the membership provider:


<membership>
  <providers>
    <add 
      name="AspNetSqlMembershipProvider" 
      type="System.Web.Security.SqlMembershipProvider, ..." 
      connectionStringName="LocalSqlServer" 
      enablePasswordRetrieval="false" 
      enablePasswordReset="true" 
      requiresQuestionAndAnswer="true" 
      applicationName="/" 
      requiresUniqueEmail="false" 
      passwordFormat="Hashed" 
      maxInvalidPasswordAttempts="5" 
      minRequiredPasswordLength="7" 
      minRequiredNonalphanumericCharacters="1" 
      passwordAttemptWindow="10" 
      passwordStrengthRegularExpression="" 
    />
  </providers>
</membership>


To control the password complexity, you'll need to set the "passwordStrengthRegularExpression" under the "AspNetSqlMembershipProvider".

I'm not great with Regular Expressions, so I turned to StackOverflow for the following password requirements:
  • At least 8 Characters (up to 100)
  • Must have 3 of the 4 character types (Upper, Lower, Number, Symbol)



(?=^[^\s]{8,100}$)((?=.*?\d)(?=.*?[A-Z])(?=.*?[a-z])|(?=.*?\d)(?=.*?[^\w\d\s])(?=.*?[a-z])|(?=.*?[^\w\d\s])(?=.*?[A-Z])(?=.*?[a-z])|(?=.*?\d)(?=.*?[A-Z])(?=.*?[^\w\d\s]))^.*



An explanation of individual components:

• (?=^[^\s]{8,100}$) - contains between 8 and 100 non-whitespace characters

• (?=.*?\d) - contains 1 numeric character

• (?=.*?[A-Z]) - contains 1 uppercase character

• (?=.*?[a-z]) - contains 1 lowercase character

• (?=.*?[^\w\d\s]) - contains 1 symbol (a character that is not a word character, digit or whitespace)

Notice the double parentheses after the length segment; later in the expression you'll see several |'s. These allow the either/or comparison of the 4 possible combinations that are allowed.
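
The check below is an added example, not code from the original post: it runs the expression above, unchanged, over constructed sample passwords and compares its verdict with the stated policy written as plain code. It uses Python's re module as a stand-in for .NET's Regex, on the assumption that the lookaheads and the \d, \w and \s classes behave the same for these ASCII inputs; the function names are hypothetical.

```python
import re

# The expression from the post, copied verbatim (split across lines only for width).
PATTERN = re.compile(
    r"(?=^[^\s]{8,100}$)((?=.*?\d)(?=.*?[A-Z])(?=.*?[a-z])"
    r"|(?=.*?\d)(?=.*?[^\w\d\s])(?=.*?[a-z])"
    r"|(?=.*?[^\w\d\s])(?=.*?[A-Z])(?=.*?[a-z])"
    r"|(?=.*?\d)(?=.*?[A-Z])(?=.*?[^\w\d\s]))^.*"
)

# Character classes exactly as the expression defines them.
CLASSES = {"digit": r"\d", "upper": r"[A-Z]", "lower": r"[a-z]",
           "symbol": r"[^\w\d\s]"}  # '_' is a word character, so not a symbol here

def regex_accepts(password):
    """Verdict of the post's expression (it carries its own ^ and $ anchors)."""
    return PATTERN.search(password) is not None

def classes_present(password):
    """Names of the character classes found in the password."""
    return {name for name, rx in CLASSES.items() if re.search(rx, password)}

def policy_accepts(password):
    """Stated policy as plain code: 8-100 chars, no whitespace, 3 of 4 classes."""
    if not 8 <= len(password) <= 100 or re.search(r"\s", password):
        return False
    return len(classes_present(password)) >= 3

# Constructed sample passwords, chosen to hit each branch and two edge cases.
SAMPLES = [
    "Passw0rd",      # digit + upper + lower
    "passw0rd!",     # digit + symbol + lower
    "Password!",     # symbol + upper + lower
    "PASSWORD1!",    # digit + upper + symbol
    "password1",     # only two classes
    "Pass_word",     # underscore does not count as a symbol
    "Pw0rd!",        # too short
    "Pass word1",    # contains whitespace
    "Passw0rd\n",    # trailing newline: $ matches just before it
]

def compare(samples=SAMPLES):
    """Return (password, regex verdict, policy verdict) for each sample."""
    return [(pw, regex_accepts(pw), policy_accepts(pw)) for pw in samples]

if __name__ == "__main__":
    for pw, by_regex, by_policy in compare():
        note = "" if by_regex == by_policy else "  <-- regex and policy disagree"
        print(f"{pw!r:14} regex={by_regex!s:5} policy={by_policy!s:5}{note}")
```

Only the last sample gets different verdicts: $ also matches just before a final newline, so .NET's \z is the stricter end anchor if that input must be rejected.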

Also, check out RAD Regex Designer, for a FREE tool to test your Regular Expression!

Wednesday, August 18, 2010

ASP.Net file too large or exceeded buffer (ASP0251)

I've run into this problem a few times.  The problem is that ASP's default is to limit the file buffer to 4MB.  If you get a file (or response) larger than that, it will choke.

In IIS6/7, you can run this command:
  • Click Start, click Run, type cmd, and then click OK.
  • cd /d %systemdrive%\inetpub\adminscripts
  • cscript.exe adsutil.vbs SET w3svc/aspbufferinglimit 20000000

I just found the setting in IIS7.5 in IIS Manager:

Sites -> Default Web Site -> Choose your site
Double Click on the "ASP" feature
Expand "Limits Properties"
Change the "Response Buffering Limit"

It defaults to: 4194304 (4MB).
I changed it to 10000000 (10MB) and clicked Apply, but still got the error.
Then, I changed it to 20000000 (20MB), and the error went away.