The most popular password, making up nearly 17 percent of the 10 million passwords the company analyzed, was 123456
Implementations of ASP.NET Core Identity IPasswordValidators that verify the provided password is not one of the most common passwords.
Password rules are a pain, and users hate them! Worse than that - even though they make the password mathematically stronger, the real-world benefit is questionable.
Changing the ones to 'i's does not a strong password make!
This package lets you relax those rules, and instead simply require that passwords are not one of the top 100, top 1000, or even top 100,000 most common passwords.
Install into your project using
dotnet add package CommonPasswordValidator
You can add the password validator to you ASP.NET Core Identity configuration using one of the IdentityBuilder extension methods:
builder.AddTop100PasswordValidator<ApplicationUser>(); // top 100
builder.AddTop500PasswordValidator<ApplicationUser>(); // top 500
builder.AddTop1000PasswordValidator<ApplicationUser>(); // top 1,000
builder.AddTop10000PasswordValidator<ApplicationUser>(); // top 10,000
builder.AddTop100000PasswordValidator<ApplicationUser>(); // top 100,000This package is based on an article by Jeff Attwood about the rules they have decided on for Discourse.
Instead of requiring a multitude of character types, they demand a minimum of 10 characters and at least 6 unique characters.
More importantly, they require that the password is not one of the most common passwords.
This package provides a number of validators for the ASP.NET Core Identity system, that you can use in your ASP.NET Core 2.x or ASP.NET Core 3.0 apps to check that the password entered is not on a list of the most common passwords.
Install using the CommonPasswordsValidator NuGet package:
PM> Install-Package CommonPasswordsValidator
or
dotnet add package CommonPasswordValidator
When you install the package, it should be added to your csproj. Alternatively, you can add it directly by adding:
<PackageReference Include="NetEscapades.CommonPasswordValidator" Version="1.5.0" />Extension methods exist for validating whether the password is in the top
- 100 most common of the the 10 million password list
- 500 most common of the the 10 million password list
- 1,000 most common of the the 10 million password list
- 10,000 most common of the the 10 million password list
- 100,000 most common of the the 10 million password list
For example, to add the top 1000 password validator to a typical defulat ASP.NET Core project:
public void ConfigureServices(IServiceCollection services)
{
services.AddDbContext<ApplicationDbContext>(options =>
options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));
services.AddIdentity<ApplicationUser, IdentityRole>()
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders()
.AddTop1000PasswordValidator<ApplicationUser>(); // Add the custom validator
services.AddTransient<IEmailSender, AuthMessageSender>();
services.AddTransient<ISmsSender, AuthMessageSender>();
services.AddMvc();
}In addition, I recommend you update the length requirements, and the required number of unique characters too, e.g:
public void ConfigureServices(IServiceCollection services)
{
services.AddDbContext<ApplicationDbContext>(options =>
options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));
services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
options.Password.RequiredLength = 10;
options.Password.RequiredUniqueChars = 6;
})
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders()
.AddTop100000PasswordValidator<ApplicationUser>();
services.AddTransient<IEmailSender, AuthMessageSender>();
services.AddTransient<ISmsSender, AuthMessageSender>();
services.AddMvc();
}The package will automatically exclude any passwords that are less than the value specified in IdentityBuilder.Password.RequiredLength to reduce the number of passwords it needs to check against.
Tip: The most common passwords are short - if you increase the minimum
RequiredLengthto 10 characters, only 2,312 of the top 100,000 most common passwords will be valid!