Complex Password Validation Requirements

May 30, 2014 at 7:38 PM
Edited May 30, 2014 at 7:46 PM
I would like to require that a user does not change his password to a previously used password. In other words, a user can never reuse a password.

I believe the ideal place to put this code would be in UserManager.UpdatePasswordInternal, but that method is not virtual and is internal (rant: when is MS going to change its policy on making everything internal until necessary by some idealistic case).

I can't place the code in a PasswordValidator because that does not contain the user's context.

I could place it in the DbContext.ValidateEntity, but that seems messy and is pretty much as late into the workflow as is possible... too late for my tastes.

I also could place it in each of the UserManager methods that deal with passwords (e.g. ChangePasswordAsync)... there are a half dozen or so. However, these are only passed a UserId, not a user object, so an extra database hit is required.

The best spot I've found so far is in a custom UserValidator, but this also requires more code than I would think needed because the UserValidator doesn't know that it is validating a password change.

So, my question is: where would you suggest this code be put into ASP.Net Identity? It seems like something is missing from the API to allow me to do this easily.
May 30, 2014 at 9:07 PM
Have you seen this link for restricting previously used passwords?

https://aspnet.codeplex.com/SourceControl/latest#Samples/Identity/Identity-PasswordPolicy/Identity-PasswordPolicy/Readme.txt

I agree with you about not having the user's context when implementing password rules. I have a requirement that the user's DOB can't be contained in their password, and it seems like a pain to get that working (I keep pushing that off until the end).
Jun 4, 2014 at 3:52 PM
Nick, thank you for the link. It confirms that my dilemma is a real one. It looks like they opted for #4. :) Unfortunately, this requires an extra database hit.
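An added example of option #4 from the question (overriding the password-changing methods of UserManager), written for this page and not taken from the thread or from the linked Identity-PasswordPolicy sample. It assumes ASP.NET Identity 2.x with the Entity Framework store, and the hypothetical names ApplicationUser, PreviousPassword and ApplicationUserManager; the PreviousPasswords collection is assumed to be loaded by EF (lazy loading or an Include in the store). Two points the question does not spell out: stored hashes are salted, so the history check has to verify the candidate against every old hash rather than compare strings, and the caller should be authenticated (current password or reset token checked) before the history is consulted, so that the "password reused" error cannot be used as an oracle against old hashes.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Hypothetical entity: one retired hash per row (name and shape are assumptions).
public class PreviousPassword
{
    public int Id { get; set; }
    public string UserId { get; set; }
    public string PasswordHash { get; set; }   // salted hash exactly as PasswordHasher produced it
    public DateTime CreatedUtc { get; set; }
}

public class ApplicationUser : IdentityUser
{
    public ApplicationUser() { PreviousPasswords = new List<PreviousPassword>(); }
    public virtual ICollection<PreviousPassword> PreviousPasswords { get; set; }
}

public class ApplicationUserManager : UserManager<ApplicationUser>
{
    private const string ReuseError = "You cannot reuse a password you have used before.";

    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }

    // Each stored hash carries its own salt, so two hashes of the same password never
    // compare equal. The only correct test is to verify the candidate against each hash.
    private bool MatchesAnyStoredHash(ApplicationUser user, string candidate)
    {
        var hashes = user.PreviousPasswords.Select(p => p.PasswordHash).ToList();
        if (!string.IsNullOrEmpty(user.PasswordHash)) hashes.Add(user.PasswordHash);
        return hashes.Any(h =>
            PasswordHasher.VerifyHashedPassword(h, candidate) != PasswordVerificationResult.Failed);
    }

    // Once a new hash has been stored, move the retired one into the history.
    private Task<IdentityResult> ArchiveAsync(ApplicationUser user, string retiredHash)
    {
        if (string.IsNullOrEmpty(retiredHash)) return Task.FromResult(IdentityResult.Success);
        user.PreviousPasswords.Add(new PreviousPassword
        {
            UserId = user.Id, PasswordHash = retiredHash, CreatedUtc = DateTime.UtcNow
        });
        return UpdateAsync(user);
    }

    public override async Task<IdentityResult> ChangePasswordAsync(
        string userId, string currentPassword, string newPassword)
    {
        var user = await FindByIdAsync(userId);
        if (user == null) return IdentityResult.Failed("User not found.");
        // Authenticate first: a hijacked session must not be able to probe old hashes
        // by watching for the reuse error before it has proven the current password.
        if (!await CheckPasswordAsync(user, currentPassword))
            return IdentityResult.Failed("Incorrect password.");
        if (MatchesAnyStoredHash(user, newPassword)) return IdentityResult.Failed(ReuseError);

        var retired = user.PasswordHash;
        var result = await base.ChangePasswordAsync(userId, currentPassword, newPassword);
        return result.Succeeded ? await ArchiveAsync(user, retired) : result;
    }

    public override async Task<IdentityResult> ResetPasswordAsync(
        string userId, string token, string newPassword)
    {
        var user = await FindByIdAsync(userId);
        if (user == null) return IdentityResult.Failed("User not found.");
        // Same ordering: prove possession of a valid reset token before the history check.
        // "ResetPassword" is the purpose string Identity 2.x uses for these tokens.
        if (!await VerifyUserTokenAsync(userId, "ResetPassword", token))
            return IdentityResult.Failed("Invalid token.");
        if (MatchesAnyStoredHash(user, newPassword)) return IdentityResult.Failed(ReuseError);

        var retired = user.PasswordHash;
        var result = await base.ResetPasswordAsync(userId, token, newPassword);
        return result.Succeeded ? await ArchiveAsync(user, retired) : result;
    }

    // Accounts that had their password removed (e.g. external-login only) still carry
    // history, so AddPasswordAsync gets the check too; RemovePasswordAsync must archive,
    // or the hash it discards could be reused later.
    public override async Task<IdentityResult> AddPasswordAsync(string userId, string password)
    {
        var user = await FindByIdAsync(userId);
        if (user == null) return IdentityResult.Failed("User not found.");
        if (MatchesAnyStoredHash(user, password)) return IdentityResult.Failed(ReuseError);
        return await base.AddPasswordAsync(userId, password);
    }

    public override async Task<IdentityResult> RemovePasswordAsync(string userId)
    {
        var user = await FindByIdAsync(userId);
        if (user == null) return IdentityResult.Failed("User not found.");
        var retired = user.PasswordHash;
        var result = await base.RemovePasswordAsync(userId);
        return result.Succeeded ? await ArchiveAsync(user, retired) : result;
    }
}
```

Each verification runs the hasher's full PBKDF2 work factor, so a "never reuse" rule costs one hash computation per entry in the user's history on every change; if that becomes a problem, the usual compromise is to keep only the last N entries, which is a policy change rather than a code change here. The extra database hit the thread complains about is still present (FindByIdAsync before the base call), but the base methods look the user up through the same store, so with the EF store the second lookup is served from the context's identity map rather than a second query.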