Strong Password encryption program?

[KatMagic]

I have a web-based program that will be going to an external web server and
want to create a logon process. I am using forms authentication, passing
encryption with salt, but want to force the user to create passwords with
rules: combinations of numbers & letters, at least one character caps,
things like that, like we would on a a network, and to change the password
every x amount of months. Can anyone point me in the right direction as to
any articles that may help me do this, or the correct process?

Thanks for your help.

 

[Aru]

This is handled at multiple places:

1) Forms authentication allows a user to login into the system for a
session or for a certain amount of time. The way you are handling is
good enough.
2) To have a set of rules for a password, you may use regular
expressions on ASP.NET password textboxes. Search google.
Alternatively, you can write your own logic to validate in code-behind
file or have a trigger in the database of password field, that verifies
the requirement.
3) Password expiry should be maintained by your database logic.
Whenever, a password is updated, update the last updated date and
whenever user login, check if the last updated date is beyond the valid
date time frame. If so, force user to create a new password.

If there are any other ways, please contribute. I'll love to know more
varieties.

Thanks,
Aru

 

[Guest]

Hello KatMagic,

If you haven't already, take a look at the SqlMembershipProvider api in
ASP.NET 2.0. It has some of what you want built in:

Configurable password strength
Automatic lockout
Minimum number of non-alphanumeric
Security question/answer
...

The membership data are stored in SQL so you have access to the tables,
stored procedures, and functions if you want to customize.