I am working on a legacy ASP.NET website project that utilizes a custom MembershipProvider. I want to take advantage of the existing functionality that this provides to implement password validation. I want to ensure that all future passwords are of a certain length and contain a certain number of uppercase, lowercase, and non-alphanumeric characters.
What I have done so far is register a MembershipValidatePasswordEventHandler in the page_load function of the default page of the website based on the example from the docs, here. I currently have the event handler set up to reject everything just as a proof of concept, and it works. Despite that, it seems like an odd place to register the event handler considering there are multiple pages in the site, and the default page doesn't have anything to do with password creation/management.
    public partial class _Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            Membership.ValidatingPassword += new MembershipValidatePasswordEventHandler(ValidatePasswordEventHandler);
        }
        ...
        public void ValidatePasswordEventHandler(object sender, ValidatePasswordEventArgs e)
        {
            e.Cancel = true;
        }
    }
I have considered registering the handler in the user creation or updating pages, but that still seems inappropriate. I would like to know if there is a more appropriate place to do this before I begin implementing the actual password checks, or is this the standard place to do this?
For additional context on the broader problem, I have also tried modifying the membership provider in the web.config file to get part of this functionality based on this previous answer, but when I provide an invalid password (smaller than 7 characters) it isn't rejected.
    <membership defaultProvider="MyMembershipProvider" userIsOnlineTimeWindow="15">
      <providers>
        <add name="MyMembershipProvider"
             type="MyNamespace.Membership.MyMembershipProvider"
             applicationName="MyApp"
             connectionStringName="MyConnectionString"
             enablePasswordRetrieval="true"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             writeExceptionsToEventLog="false"
             passwordFormat="Clear"
             maxInvalidPasswordAttempts="15"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="7"/>
      </providers>
    </membership>
Update: This question may also provide some additional justification for why I am interested in this event handler. The top answer links to this question. The top answer for this question mentions doing what I have done here, but says it might be done "in a higher scope"; this is more getting at my question. What would a higher/highest scope be in the context of a website project?
Solution: I ended up modifying my ChangePassword web control's NewPasswordRegularExpression field with the following regex: ^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\da-zA-Z]).{8,}$, instead of implementing a custom event handler.
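For the "higher scope" asked about above, one option is Application_Start in Global.asax, which runs once per application start, so the policy is enforced on the server for every page that creates or changes a password. The following is an added example, not part of the original post; the class name `Global`, the threshold constants and the `CheckPolicy` helper are assumptions.

```csharp
// Added example: application class behind Global.asax (names are hypothetical).
using System;
using System.Linq;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Assumed policy values; the length mirrors the {8,} in the regex above.
    private const int MinLength = 8;
    private const int MinUpper = 1;
    private const int MinLower = 1;
    private const int MinDigits = 1;
    private const int MinNonAlphanumeric = 1;

    // Runs once per application start, so the handler is attached exactly once
    // instead of being added again on every request as it is from Page_Load.
    protected void Application_Start(object sender, EventArgs e)
    {
        Membership.ValidatingPassword += OnValidatingPassword;
    }

    // Fires only where the provider calls MembershipProvider.OnValidatingPassword;
    // a custom provider has to make that call itself.
    private static void OnValidatingPassword(object sender, ValidatePasswordEventArgs e)
    {
        string failure = CheckPolicy(e.Password ?? string.Empty);
        if (failure == null) return;
        e.FailureInformation = new ArgumentException(failure); // reason only, never the password
        e.Cancel = true;
    }

    // Returns null when the password meets the policy, otherwise the reason.
    internal static string CheckPolicy(string password)
    {
        if (password.Length < MinLength)
            return "Password must be at least " + MinLength + " characters long.";
        if (password.Count(c => char.IsUpper(c)) < MinUpper)
            return "Password needs at least " + MinUpper + " uppercase letter(s).";
        if (password.Count(c => char.IsLower(c)) < MinLower)
            return "Password needs at least " + MinLower + " lowercase letter(s).";
        if (password.Count(c => char.IsDigit(c)) < MinDigits)
            return "Password needs at least " + MinDigits + " digit(s).";
        if (password.Count(c => !char.IsLetterOrDigit(c)) < MinNonAlphanumeric)
            return "Password needs at least " + MinNonAlphanumeric + " non-alphanumeric character(s).";
        return null;
    }
}
```

The character tests here are Unicode-aware, so they accept letters outside the ASCII ranges that the regex's `[a-z]` and `[A-Z]` classes cover.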