ASP.NET Core Password Options and Custom Validators

ASP.NET Core provides a lot of identity feature out of the box when individual user accounts is selected during project creation. Using the default settings a user’s password is required to be at least 6 characters and contain a number, a lower case letter, an uppercase letter and a special character. This post is going to cover changing the the above options as well as creating custom validators.

Password Options

The following is the default registration of identity in the ConfigureServices  function of the Startup  class with the default settings mentioned above.

AddIdentity  can accept options part of which allows control over the basic characteristics of what is required for user passwords. Here is the same AddIdentity but with all the options for passwords listed.

All the options do what you would expect. One thing to note is if you change the required length by setting  options.Password.RequiredLength then the new setting will only be validated on post back to the server, which is the case of most password validation anyway, but for pre-post validation on length then the string length data annotation needs to be updated on  RegisterViewModel.PasswordResetPasswordViewModel.PasswordChangePasswordViewModel.NewPassword and  SetPasswordViewModel.NewPassword.

Custom Password Validators

The above is great for changing simple aspects of password validation, but we all know password rules for organizations are not always simple enough to be covered by the above. Thankfully Microsoft has provided the  AddPasswordValidator  extension method to the  IdentityBuilder class which is what is returned by  AddIdentity.

AddPasswordValidator takes a type that implements  IPasswordValidator. The custom validator only has to implement the   ValidateAsync defined by  IPasswordValidator. The following validator checks to make sure that all the characters of the password are not the same and returns an IdentityResult based on the conditions passing. Forgive the contrived example, but I wanted to keep the class as simple as possible.

If validation failed is the result then is added to the list of validation messages the user sees just like with the built in password validations.

Here is registration of identity with the custom password validation which is on the last line.

Potential Use

Imagine you have a requirement to make sure a user doesn’t reuse the same password for a period of time. This would be a great place for a custom password validator. You could use dependency injection to get reference to a history of password hashes and use that to verify the user is not repeating the same password. Of course would have to first write the password hash history.

11 thoughts on “ASP.NET Core Password Options and Custom Validators”

  1. Great post!
    Just one question, is this custom validate only works on the server side or works for client and sever side ?

      1. Thanks for the reply.

        Is there any quick way to integrate it with Unobtrusive JavaScript? same way as data annotation works!

        1. I don’t know of a way. The only client side validation for the standard options is length and that comes from the data annotation on the model not the from the actual password validation.

          If you come across any way to get it working please let me know.

  2. Seems like:
    options.Password.RequireNonLetterOrDigit = true;

    is changed to:
    options.Password.RequireNonAlphanumeric = false;

  3. Very helpful article, thanks. Can we use multiple validators? Say I have a class that blocks classic dumb passwords, and a class that enforces no password re-use, do I just chain them as AddPasswordValidator() calls?

    1. Thank you for the feedback Steve! Chaining AddPasswordValidators should work fine and would be what I would try first. If that failed then making a class to aggregate all of your password validation classes would be a workable fallback option.

      1. Chaining seems to work, and the error messages are additive, which is good. I would suggest anyone trying this does their own tests first though, do not take my word for it, I have not been very thorough (yet, more later hopefully).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.