Different password policies for different roles


Henrik

Hi all,

I'm quite new to the security system of ASP.NET and I have a question
regarding the requirements on the password a user supplies.

On the web site I'm currently working on there are two groups of users I
need to authenticate. One is the registered users and the other is the
registered contributors. I would like to have different password requirements
depending on the type of user.

The demand for high security is much higher on the contributors, so I would
like to force them to use an 8-character password with at least 2
non-alphanumeric characters.

The registered users only register to get a newsletter and thus there is
less need for high security for those users. I would like them to be able to
specify a 6-character password.

How can I obtain this functionality? Is there any support for this?

I know that I can set the minimum password length and the minimum number of
non-alphanumeric characters in the properties of the Membership provider.

Can I use different providers depending on the role the user tries to
register for?

Any suggestions would be appreciated.

Thank you

/ Henrik
 

Steven Cheng[MSFT]

Hello Henrik,

From your description, you're using the ASP.NET 2.0 membership service to
secure your web application, and there are two groups of users in your
application. You want each group of users to have its own password
strength-requirement policy, correct?

As you have found, by default, each ASP.NET membership provider has a set
of settings (including "minRequiredPasswordLength" and
"minRequiredNonalphanumericCharacters"). However, we cannot apply
multiple such settings to a single provider.

So far, based on my research, you can consider the following two options:

1. Still use a single membership provider in your application, and set the
password-related policy to the loosest level. Then, in your application page
UI, you can programmatically do password policy assurance checking. For
example, in the user creation page, you can use different policy assert code
logic to validate the password the user entered according to their group.


2. Using multiple membership providers (or other providers such as profile,
role...) is supported in ASP.NET 2.0. You can simply add more entries in
the <membership>/<providers> elements, e.g.

==============
...........
<membership >
<providers>
<add
name="provider1"
................./>
<add
name="provider2"
..................../>
<add
name="provider3"
................./>
</providers>
</membership>
........
=================

And you also need to programmatically retrieve a specific provider from the
registered provider collection and use it to do the membership operations.
e.g.

======
MembershipProvider provider1 = Membership.Providers["provider1"];
=======

Here is an MSDN article that demonstrates this. It uses the AD membership
provider, but the logic applies to all multiple-provider scenarios:

How To: Use Forms Authentication with Active Directory in Multiple Domains in ASP.NET 2.0
http://msdn2.microsoft.com/en-us/library/ms998345.aspx

Hope this helps. If you have any further questions, please feel free to
post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers no rights.
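
Option 1 from the answer above, sketched as an added example (not code from the thread or from Microsoft): one provider configured at the loosest level, with the per-group rule enforced in server-side code for both registration and password change. It assumes the provider is set to minRequiredPasswordLength="6" and minRequiredNonalphanumericCharacters="0", that the role manager is enabled, and that contributors are in a role named "Contributor"; the class, method and role names are hypothetical.

```csharp
using System;
using System.Web.Security;

// Added example. Class, method and role names are hypothetical; the numeric
// limits are the ones asked for in the question.
public static class RolePasswordPolicy
{
    public const string ContributorRole = "Contributor"; // assumed role name

    // Returns null if the password meets the policy, otherwise the reason.
    public static string Check(string password, bool isContributor)
    {
        int minLength = isContributor ? 8 : 6;
        int minNonAlnum = isContributor ? 2 : 0;
        if (password == null || password.Length < minLength)
            return "Password must have at least " + minLength + " characters.";
        int nonAlnum = 0;
        foreach (char c in password)
            if (!char.IsLetterOrDigit(c)) nonAlnum++;
        if (nonAlnum < minNonAlnum)
            return "Password needs at least " + minNonAlnum + " non-alphanumeric characters.";
        return null;
    }

    // Call from the registration page's code-behind, so the check runs on the server.
    public static MembershipUser Register(string userName, string password,
                                          string email, bool asContributor)
    {
        string error = Check(password, asContributor);
        if (error != null) throw new ArgumentException(error, "password");
        MembershipUser user = Membership.CreateUser(userName, password, email);
        if (asContributor) Roles.AddUserToRole(userName, ContributorRole);
        return user;
    }

    // Password changes must apply the same rule, keyed on the stored role.
    public static bool ChangePassword(string userName, string oldPassword, string newPassword)
    {
        bool isContributor = Roles.IsUserInRole(userName, ContributorRole);
        string error = Check(newPassword, isContributor);
        if (error != null) throw new ArgumentException(error, "newPassword");
        MembershipUser user = Membership.GetUser(userName);
        return user != null && user.ChangePassword(oldPassword, newPassword);
    }
}
```

Because the provider itself only enforces the 6-character minimum, any page that calls Membership.CreateUser or MembershipUser.ChangePassword directly bypasses the contributor rule; route every such call through the wrapper.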
 