Tuesday, November 15, 2005

ASP.NET 2.0 membership providers

If you set up Visual Studio 2005 Beta 2 and try out the login controls that use the membership providers, you may come across a situation where the Create User page comes back asking you to choose a different password. I consulted Google and came up with this useful result.
The following was typed by my bhai's mitthu:


Zubair.NET! said...

That is the default setting, albeit a very difficult one for "newbies" to guess. This single issue has many posts dedicated to it on the ASP.NET Forums, thanks to the ASP.NET Team for making it more "secure" huh.

Muhammad Saqib Ilyas said...

Yea, I forgot to mention that I did this only for a local machine setup for ease of use. I am all for complex passwords, but the problem is, complex passwords are not for the laymen, so you are in a situation when deploying applications.

Zubair.NET! said...

In an effort to make it more secure, I believe if we enforce stricter rules for choosing a password in our own web applications (as by default there are in ASP.NET 2.0), we might end up losing a bunch of users that think, "what the hell, why is this web application asking for a 'secure' password?"

I am of the opinion that, if we are to make our web apps more secure, we should take care of our application security and tackle issues such as SQL Injection, Cross Site Scripting etc. rather than enforcing a stricter password alone.

At the end of the day, if the so-called "strong/secure" password is leaked, where is the security?

Do I sound like I am not in favor of having a "secure" password? No, I consider restricting passwords to a minimum number of characters (say 8) and OK, 1 numeric character at least (if you insist). That's IT, personally I hate having a password in the form of "Pass@word1".

Are you in favor of enforcing a stricter password and leaving the other holes uncovered?

Muhammad Saqib Ilyas said...

Very well put Zubair. I couldn't agree with you more. It is true that strong passwords are only one piece of the puzzle. Overall web application security has many other components and they must all be addressed, and those that you pointed out, such as incomplete mediation and SQL injection, are much more serious and quite often exploited vulnerabilities than forms authentication passwords. Some basic rules should be enforced. How about, we just kiss and make up (just kidding) by saying that the administrative role passwords should invariably adhere to more complex rules than end user passwords?

Zubair.NET! said...

Agreed, admins SHOULD have a stricter password than the casual users of a web application, but again I insist having a strong password alone does not "guarantee" tighter security.
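One way to express the policy the two of them converge on (looser rules for casual users, stricter rules for administrators), as an added web.config example that is not from the original post: the membership section declares two SqlMembershipProvider entries with different password settings. The attribute names are the real ASP.NET 2.0 provider attributes; the provider names, connection string name and regular expressions are my own choices, and the defaults quoted in the comments are what the stock AspNetSqlMembershipProvider ships with.

```xml
<!-- Added example (not from the original post). Assumed names: MembershipDb,
     UserMembershipProvider, AdminMembershipProvider, and both regular expressions.
     The stock provider in machine.config defaults to minRequiredPasswordLength="7"
     and minRequiredNonalphanumericCharacters="1", which is what makes the
     Create User page reject plain passwords out of the box. -->
<configuration>
  <connectionStrings>
    <add name="MembershipDb"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="UserMembershipProvider">
      <providers>
        <clear />
        <!-- End-user policy from the thread: at least 8 characters and at least one digit.
             The regular expression is checked in addition to the two counts, so the
             counts are set to what the expression already guarantees. -->
        <add name="UserMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="0"
             passwordStrengthRegularExpression="^(?=.*\d).{8,}$"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
        <!-- Administrator policy: longer, mixed character classes, tighter lockout.
             Same user store (same applicationName); the policy is enforced by whichever
             provider the page creating or changing the password is bound to. -->
        <add name="AdminMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             passwordStrengthRegularExpression="^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*\W).{12,}$"
             maxInvalidPasswordAttempts="3"
             passwordAttemptWindow="30" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Bind the administrative CreateUserWizard, ChangePassword and Login controls to AdminMembershipProvider through their MembershipProvider property; every other page falls back to the default provider.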

Muhammad Saqib Ilyas said...