Add a Password Option to set the number of unique chars #1097
Comments
|
You can always customize the built-in password validator and replace it completely: /// <summary>
/// Extending the Built-in Password Validation
/// </summary>
public class CustomPasswordValidator : PasswordValidator<User>
{
public CustomPasswordValidator(
IdentityErrorDescriber errors // This is necessary for the globalization to work
) : base(errors)
{}
public override async Task<IdentityResult> ValidateAsync(UserManager<User> manager, User user, string password)
{
// First use the built-in validator
var result = await base.ValidateAsync(manager, user, password).ConfigureAwait(false);
var errors = result.Succeeded ? new List<IdentityError>() : result.Errors.ToList();
// Extending the built-in validator
if (!areAllCharsEuqal(password))
{
errors.Add(new IdentityError
{
Code = "PasswordIsNotSafe",
Description = "All password chars are the same."
});
}
return !errors.Any() ? IdentityResult.Success : IdentityResult.Failed(errors.ToArray());
}
private static bool areAllCharsEuqal(string data)
{
if (string.IsNullOrWhiteSpace(data)) return false;
data = data.ToLowerInvariant();
var firstElement = data.ElementAt(0);
var euqalCharsLen = data.ToCharArray().Count(x => x == firstElement);
if (euqalCharsLen == data.Length) return true;
return false;
}
}Then replace the built-in one: services.AddScoped<IPasswordValidator<User>, CustomPasswordValidator>();
services.AddScoped<PasswordValidator<User>, CustomPasswordValidator>(); |
|
@VahidN you are totally right, right after creating this issue I was thinking there had to be a way to provide custom logic, thanks for the sample. Is it replacing completely the current implementation based on So I assume having a special password option is just about how often would people need it, and probably this one was already discussed internally and didn't make it to the list. We'll see what they say about it. |
It still calls the |
|
Yeah its up to the custom validator to decide if it wants to chain or not, I don't remember if @blowdart came up with the original list of password options or not, but I'll leave it to him to make the call on whether its a candidate for support by default. There is also a related work item in the backlog to consider tweaking the validators to be a list that are all run, instead of a single one that is replaced, which would make chaining less necessary. There haven't been any customer requests for this change so it hasn't been high on my priority list to this point... |
|
No milestone? |
|
Think of the poor release notes!! |
|
Good catch btw @danroth27 :) |
I think it's a pretty common idea that forcing different types of chars (numeric, special, upper, ...) is not more secure than the chars just being non-repetitive and use a long password. We can already set the minimum length for a password, but I would like to also set how many different chars it should be made of.
PasswordOptions.RequiredUniqueCharsObviously it would have to be less than
PasswordOptions.RequiredLengthor equal.c.f. https://twitter.com/codinghorror/status/829484158208471041
The text was updated successfully, but these errors were encountered: