Web. config: Changing the password security requirements of the login Control

The login control added by Asp.net 2.0 finds that the system's default password security requirements are high, that is, "The minimum password length is 7, which must contain the following non-alphanumeric characters: 1 .", Generally, Wang Zhan does not need such a complex password (not even windows2003sever ). Some references provide the modification method in machine. config. However, you cannot modify it unless you have the permission to manage the host. We recommend that you modify the settings in the web. config file.

Add a sub-tag to the <system. Web> node of Web. config:

 

<Membership>
<Providers>
<Remove name = "aspnetsqlmembershipprovider"/>
<Add name = "aspnetsqlmembershipprovider"
Type = "system. Web. Security. sqlmembershipprovider, system. Web, version = 2.0.0.0, culture = neutral, publickeytoken = b03f5f7f11d50a3a"
Connectionstringname = "localsqlserver"
Enablepasswordretrieval = "false"
Enablepasswordreset = "true"
Requiresquestionandanswer = "true"
Applicationname = "/"
Requiresuniqueemail = "false"
Passwordformat = "hashed"
Maxinvalidpasswordattempts = "5"
Minrequiredpasswordlength = "6"
Minrequirednonalphanumericcharacters = "0"
Passwordattemptwindow = "10"
Passwordstrengthregularexpression = ""/>
</Providers>
</Membership>

 

The key attributes are described as follows:

connectionstringname: database connection. This should be done on the web. config Settings
enablepasswordretrieval to obtain a value that indicates whether the Program is configured to allow users to retrieve their passwords.
enablepasswordreset gets a value indicating whether the current membership provider is configured to allow users to reset their passwords.
requiresquestionandanswer obtains a value indicating whether the default membership provider requires the user to answer the password prompt during password reset and retrieval.
applicationname: obtain or set the application name.
requiresuniqueemail indicates whether a user must provide a unique email address value when creating a user.
passwordformat indicates the password format stored in the member qualification data storage area. The following is a detailed description
the number of attempts to prompt the answer to questions allowed by maxinvalidpasswordattempts before obtaining a locked member.
minimum length required by minrequiredpasswordlength to obtain the password.
minrequirednonalphanumericcharacters: obtain the minimum number of special characters that a valid Password must contain.
passwordattemptwindow obtains the maximum number of minutes that a question answer attempt is prompted for an invalid password or an invalid password that is allowed before the user is locked.

A detailed description of passwordformat
the attribute indicates the format of the Stored Password. Passwords can be stored in clear, encrypted, and hashed passwords. Clear passwords are stored in plain text, which improves the performance of storing and retrieving passwords, but are less secure. When the security of data sources is threatened, such passwords are easily read. The encrypted password is encrypted during storage and can be decrypted during password comparison or retrieval. This type of password requires additional processing during storage and retrieval, but it is relatively secure and is not easy to obtain when the security of the data source is threatened. When the hashed password is stored in the database, hash it using a unidirectional hash algorithm and a randomly generated salt value. When a password is verified, the password is hash calculated using the salt value in the database for verification. The hash password cannot be retrieved.