password strength

Last post 04-03-2009 7:55 AM by TATWORTH. 14 replies.


  • password strength

    06-22-2007, 5:50 AM
    • Member
      189 point Member
    • syedwna
    • Member since 09-01-2006, 9:56 AM
    • Posts 514

    How to check password strength?

    And I also need to add a validator for the password textbox where the user is required to fill in at least 6 characters.

    Mark As Answer If my reply helped you.
  • Re: password strength

    06-22-2007, 6:30 AM
    Answer
    • Member
      657 point Member
    • Fevir
    • Member since 01-11-2007, 2:06 PM
    • Posts 151

    You can check password strength through a regular expression validator.

    To accomplish what you need, add the following:

    A RequiredFieldValidator on your password textbox

    A RegularExpression validator with the validationexpression set to "\w{6,}" (remove quotes) (says "any alpha numeric at least 6")

    For an explanation on why you need both validators please view a post I made at http://forums.asp.net/t/1120911.aspx

    As far as password strength goes, you can accomplish the same in the RegularExpressionValidator.  If you let me know how you are defining strength, I can help whip up a regex.

     

    Regards,

    Tim

    If you've found this post helpful, please mark this question as answered.
  • Re: password strength

    06-22-2007, 6:36 AM
    • All-Star
      71,999 point All-Star
    • TATWORTH
    • Member since 02-04-2003, 1:34 PM
    • England
    • Posts 13,929
    • TrustedFriends-MVPs

    Using the filter functions in my response to http://forums.asp.net/p/1104689/1696399.aspx#1696399, you can pass the password through a filter that passes just lower case and check that there are enough lower case. Likewise for upper case, numerics and specials. You may wish to check through the string and check for repeated characters. Some password strength routines check for repeated characters to stop a password like AAAbbb111.

    For a password strength checker, I would check minimum length server side. 

     

    Don't forget to click "Mark as Answer" on the post that helped you.
    This credits that member, earns you a point and marks your thread as Resolved so we will all know you have been helped.
    See the FAQ on the correct forum to post at, at http://forums.asp.net/p/1337412/2699239.aspx#2699239 and my blog at http://geekswithblogs.net/TATWORTH/Default.aspx
  • Re: password strength

    06-22-2007, 6:40 AM
    • All-Star
      71,999 point All-Star
    • TATWORTH
    • Member since 02-04-2003, 1:34 PM
    • England
    • Posts 13,929
    • TrustedFriends-MVPs

     The advantage of a server validation is that the numbers can be parameterised and read from a database. This allows password strength rules to be amended without having to load a new version of the site.

  • Re: password strength

    06-22-2007, 6:47 AM
    • Member
      657 point Member
    • Fevir
    • Member since 01-11-2007, 2:06 PM
    • Posts 151

    TATWORTH:

     The advantage of a server validation is that the numbers can be parameterised and read from a database. This allows password strength rules to be amended without having to load a new version of the site.

    So to simply check the password strength, you are advocating posting back, making a trip to the database, then validating and returning back the failure message to the client on a failure?  Seems like a lot of overhead and wasted cpu cycles and a poor user experience.

     If you want dynamic strength or easily changeable, put the regex into the config and write it out to the control on PreRender.  But password strength isn't something that needs the overhead of storing in a DB somewhere.  Obviously you *can* but just cause you can do something doesn't mean you should.  Someone's password strength expression will change so infrequently the work to get to and from a db isn't worth it.

    Tim

  • Re: password strength

    06-22-2007, 6:54 AM
    • Member
      657 point Member
    • Fevir
    • Member since 01-11-2007, 2:06 PM
    • Posts 151

    TATWORTH:

    Using the filter functions in my response to http://forums.asp.net/p/1104689/1696399.aspx#1696399, you can pass the password through a filter that passes just lower case and check that there are enough lower case. Likewise for upper case, numerics and specials. You may wish to check through the string and check for repeated characters. Some password strength routines check for repeated characters to stop a password like AAAbbb111.

    For a password strength checker, I would check minimum length server side. 

     

    I looked at your post and, while it may be useful to you, your FilterWorker class is extremely inefficient and is also doing what RegularExpressions already give you.

    Regarding the original issue at hand here, there is absolutely no need to postback to the server here.  .NET provides facilities by which you can validate nearly any string data on the client-side without posting back.

     Let's not postback unnecessarily,

    Tim

  • Re: password strength

    06-22-2007, 7:01 AM
    • All-Star
      71,999 point All-Star
    • TATWORTH
    • Member since 02-04-2003, 1:34 PM
    • England
    • Posts 13,929
    • TrustedFriends-MVPs

     Client side validation can be bypassed! Server side validation cannot! 

  • Re: password strength

    06-22-2007, 7:08 AM
    • All-Star
      71,999 point All-Star
    • TATWORTH
    • Member since 02-04-2003, 1:34 PM
    • England
    • Posts 13,929
    • TrustedFriends-MVPs

     > If you want dynamic strength or easily changeable, put the regex into the config and write it out to the control on PreRender.  But password strength isn't something that needs the overhead of storing in a DB somewhere.  Obviously you *can* but just cause you can do something doesn't mean you should.  Someone's password strength expression will change so infrequently the work to get to and from a db isn't worth it.

    Password strength, while infrequently changed, can be required to be changed at short notice. Putting a new version of a web site can take a surprising amount of time that can go into man-weeks, where the necessary SQL script can be done in an hour or even changed on-line.

  • Re: password strength

    06-22-2007, 7:19 AM
    • Member
      657 point Member
    • Fevir
    • Member since 01-11-2007, 2:06 PM
    • Posts 151

    TATWORTH:

     Client side validation can be bypassed! Server side validation cannot! 

     

    That's why you validate on the server as well, but only as a backup, which ASP.NET Validators give you.  If javascript is turned off, the page will still validate on the server and Page.IsValid will reflect the validity of form values.

    So by using .NET Validators you get both server and client-side, all with one control, one framework and no mess, seems like an easy sell to me.

  • Re: password strength

    06-22-2007, 7:21 AM
    • Member
      657 point Member
    • Fevir
    • Member since 01-11-2007, 2:06 PM
    • Posts 151

    TATWORTH:

     > If you want dynamic strength or easily changeable, put the regex into the config and write it out to the control on PreRender.  But password strength isn't something that needs the overhead of storing in a DB somewhere.  Obviously you *can* but just cause you can do something doesn't mean you should.  Someone's password strength expression will change so infrequently the work to get to and from a db isn't worth it.

    Password strength, while infrequently changed, can be required to be changed at short notice. Putting a new version of a web site can take a surprising amount of time that can go into man-weeks, where the necessary SQL script can be done in an hour or even changed on-line.

     

    Note to self: Never ever hire TATWORTH for a consulting job.

    Seriously!?!?!??????? Man-weeks to write a password strength validator?  You've got to be kidding right? 

  • Re: password strength

    06-22-2007, 7:40 AM
    • All-Star
      71,999 point All-Star
    • TATWORTH
    • Member since 02-04-2003, 1:34 PM
    • England
    • Posts 13,929
    • TrustedFriends-MVPs

    >Seriously!?!?!??????? Man-weeks to write a password strength validator?  You've got to be kidding right?

    The change to a password word validator may only take minutes, to test it manually may take a few minutes, however the whole site has to be re-tested. A change proposal is required, etc. A time has to be negotiated when the change can be done. The whole of this takes a surprising amount of time. Man-weeks to put through a simple change is not surprising given the way that some companies work - NDAs prohibit me from giving examples.

    Your idea of putting it into the web.config may allow it to be changed on the fly. Given the cantankerous nature of regular expressions, your solution could lack robustness. If you can get it to work - fine!

    However how do you propose getting around the clever hacker that disables the control? Server side validation is robust and if done via a method in a class project, is readily unit tested.

  • Re: password strength

    06-22-2007, 8:21 AM
    • Member
      657 point Member
    • Fevir
    • Member since 01-11-2007, 2:06 PM
    • Posts 151

    TAT,

     I hope you realize my crassness is somewhat playful, which undoubtedly is prone to being lost w/o visual cues and such that the internet does not provide.  So I'm not saying..."You're a bad developer".

    However I disagree with your solution 100%.

    1.

    TATWORTH:

    ...however the whole site has to be re-tested.

    Why?  The login is only a gateway into the application, once in, it's not like the password strength is used computationally elsewhere.  It's analogous to the current situation with passports here in the US.  A few years ago I only needed a driver's license to get back into the country (think of that as the "password strength").  Today however you need a passport (a stronger "password strength").  Once that rule came out however the government didn't go back and say, "wait a second, we have to go find all the people who ever entered the country and check them again".  The people who are "in" are in.  The borders are only checked at that point, once you're in it doesn't matter by what method you were let in.  Same with web apps, the password strength is only a way to "guard the gate".

    2.

    TATWORTH:

    A change proposal is required, etc. A time has to be negotiated when the change can be done.

     This feels like Waterfall to me.  And I won't make claims about design methodology since it's highly dependent on the industry you work in.  If this is the industry you work in then that's fine.  I understand the need for change proposals etc. in certain industries.  But also realize there are some industries that don't require this overhead and just want the change done.

    3.  

    TATWORTH:

    Your idea of putting it into the web.config may allow it to be changed on the fly. Given the cantankerous nature of regular expressions, your solution could lack robustness.

    Regular expressions have never failed me.  In fact the entire framework and how your source files are compiled is based on the parsing that RegularExpressions provide.  So when you say "lack robustness" I thoroughly disagree.  In some ways if it's good enough for the .NET framework then it's good enough for me.  Most people don't use RegEx because they don't understand them, but that's not a good enough reason.

     4.

    TATWORTH:

    However how do you propose getting around the clever hacker that disables the control? Server side validation is robust and if done via a method in a class project, is readily unit tested.

     Please see above, I've already addressed this.  I'll write it again.  A "hacker" who "disables" this control (through disabling javascript) is still denied on the server.  I'll write it again, BY DEFAULT ASP.NET VALIDATORS PROVIDE BOTH SERVER-SIDE AND CLIENT-SIDE VALIDATION. 

    From MSDN....in a pretty blue box marked "Security Note"  (http://msdn2.microsoft.com/en-us/library/yb52a4x0.aspx)

    Validation is performed on the server even if it was already performed on the client. This enables you to determine validation status in server code and provides security against users bypassing client-side validation.

     

    So when you say "server side validation is robust", no one is disagreeing with you.  It's just that it's already there for you when you drop a validator on the page.  As for unit testing, I've stopped (never really started) testing classes that exist in the .NET framework, in other words, I don't test the validators or any other class that Microsoft ships.  I agree with unit testing, however I don't advocate writing a class that does what's already there for you just so that you can write a unit test and point to NUnit and say, "See....Green".

     

  • Re: password strength

    06-22-2007, 2:59 PM
    • Participant
      1,501 point Participant
    • revkev
    • Member since 04-14-2007, 5:42 AM
    • Posts 386

     Your easiest option, not to mention new tech for you to get into would be AJAX, here is a tutorial for you:

    http://www.asp.net/learn/videos/view.aspx?tabid=63&id=97

     then if you want to use AJAX you can check out how to get started:

    http://www.asp.net/learn/videos/default.aspx?tabid=63

    thnx
     

    Remember to "Mark As Answer" if this post has helped you! Thanks....
    And I say unto you, Ask, and it shall be given you; seek, and ye shall find; knock, and it shall be opened unto you...
    LK 11:9
    http://adventwebdesign.net
  • Re: password strength

    04-03-2009, 7:23 AM
    • Member
      28 point Member
    • sheryarnizar
    • Member since 01-03-2008, 9:57 AM
    • Karachi
    • Posts 14

    ASP.NET Ajax provides a control for password strength.
    Please look at the following link

    http://www.asp.net/AJAX/AjaxControlToolkit/Samples/PasswordStrength/PasswordStrength.aspx

    Example of the above link can be found on http://nayyeri.net/blog/passwordstrength-in-asp-net-ajax-control-toolkit/

    Enjoy!

    Regards
    --
    Sheryar Nizar
    http://www.sheryar.net
  • Re: password strength

    04-03-2009, 7:55 AM
    • All-Star
      71,999 point All-Star
    • TATWORTH
    • Member since 02-04-2003, 1:34 PM
    • England
    • Posts 13,929
    • TrustedFriends-MVPs

     Can the Ajax Password Strength check for:

    • Repeated characters? (Will reject aaBBcc if limit on repeated characters is 1.)
    • Adjacent characters of the same type? (will reject abc if limit of adjacent of same type is 2)
    • Be readily unit tested?
    Recently I included a password complexity checker as part of the common data solution at http://www.CodePlex.Com/CommonData

    Being database driven, it can be changed without changing the web-site - a key item for corporate installations.
    Don't forget to click "Mark as Answer" on the post that helped you.
    This credits that member, earns you a point and marks your thread as Resolved so we will all know you have been helped.
    See the FAQ on the correct forum to post at, at http://forums.asp.net/p/1337412/2699239.aspx#2699239 and my blog at http://geekswithblogs.net/TATWORTH/Default.aspx
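
The server-side rules discussed in this thread (minimum length, minimum counts per character type, a limit on repeated characters and a limit on adjacent characters of the same type), as an added example that is not code from the thread or from the CommonData project. The class name, field names and default limits are assumptions chosen for illustration; the limits are plain fields so they could be filled from web.config or a database row.

```csharp
using System;
using System.Collections.Generic;
public sealed class PasswordPolicy
{
    // Hypothetical limits; load them from configuration or a database as required.
    public int MinLength = 6, MinLower = 1, MinUpper = 1, MinDigits = 1, MinSpecials = 0;
    public int MaxRepeatedRun = 2;  // longest allowed run of one character
    public int MaxSameTypeRun = 3;  // longest allowed run of one character class
    private static int ClassOf(char c)
    {
        if (char.IsLower(c)) return 0;
        if (char.IsUpper(c)) return 1;
        if (char.IsDigit(c)) return 2;
        return 3;                   // anything else is treated as a "special"
    }
    // Returns every violated rule; an empty list means the password is accepted.
    public List<string> Check(string password)
    {
        password = password ?? string.Empty;
        var failures = new List<string>();
        var counts = new int[4];
        int repeatRun = 0, typeRun = 0, maxRepeat = 0, maxType = 0;
        for (int i = 0; i < password.Length; i++)
        {
            int cls = ClassOf(password[i]);
            counts[cls]++;
            repeatRun = (i > 0 && password[i] == password[i - 1]) ? repeatRun + 1 : 1;
            typeRun = (i > 0 && cls == ClassOf(password[i - 1])) ? typeRun + 1 : 1;
            maxRepeat = Math.Max(maxRepeat, repeatRun);
            maxType = Math.Max(maxType, typeRun);
        }
        if (password.Length < MinLength) failures.Add("shorter than " + MinLength);
        if (counts[0] < MinLower) failures.Add("too few lower case");
        if (counts[1] < MinUpper) failures.Add("too few upper case");
        if (counts[2] < MinDigits) failures.Add("too few digits");
        if (counts[3] < MinSpecials) failures.Add("too few specials");
        if (maxRepeat > MaxRepeatedRun) failures.Add("repeated character run of " + maxRepeat);
        if (maxType > MaxSameTypeRun) failures.Add("same-type run of " + maxType);
        return failures;
    }

    public static void Main()
    {
        var policy = new PasswordPolicy();
        // Constructed samples; the first is the weak pattern quoted in the thread.
        foreach (string pw in new[] { "AAAbbb111", "aaBBcc", "Tr4il-m1X" })
            Console.WriteLine("{0}: {1}", pw, string.Join("; ", policy.Check(pw).ToArray()));
    }
}
```

Because `Check` is a plain method with no dependency on page controls, it can be called from a server-side validation handler and exercised directly in unit tests.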