password validation for createuserwizard

I am using the createuserwizard but password validation is not working. I am using a regular expression to check for strong passwords, but new users can enter weak passwords without generating an error.
register.aspx
Mark Klein Asked:

Deepak Lakkad Commented:
Hi,

I think you have to use a little JavaScript to validate a strong password.

Try the following link for that:

http://www.codeproject.com/Tips/386385/Strong-Password-Validation

- Deepak Lakkad
0
Mark Klein (Author) Commented:
While your suggested method will likely work, I don't think it is necessary or the only way.  I am trying to stay within the methodology of the Visual Studio CreateUserWizard and your suggested solution does not.
0
Deepak Lakkad Commented:
Hi

Yes, you are right that this is not the only way of doing your work.

But I have put a solution for you ...

It is up to you whether you use it or not.

- Deepak Lakkad
0

Mark Klein (Author) Commented:
Deepak, I appreciate your suggestion.  My difficulty is that I'm a newbie, an old geezer returning to programming after 50 years away. While I have picked up some javascript skills, I am unfamiliar with web methods and ajax.  That's why I'm using the createuserwizard that's part of VS.
Take a look at my website at www.lucidequipment.com and see the registration code.  That section accepts passwords that don't meet the Sql Server policy requirements, but creates the users nevertheless, causing me big problems.

--Mark
0
Deepak Lakkad Commented:
Hi Mark,

Nice work,

I will check for the solution and give it to you. But, for that you have to wait for a day ...

- Deepak Lakkad
0
Mark Klein (Author) Commented:
Much appreciated, Deepak.  A faster version is at 54.235.245.110, but I have not yet switched the DNS to the new site.
0
Mark Klein (Author) Commented:
Here's the latest version of the code.  I have regular expressions in two places; only one should be needed.  Also, I've removed explicit ValidationGroup properties and am using the default b/c I saw some references to these causing execution problems.
 <asp:CreateUserWizard ID="NewUserWizard" runat="server" 
        passwordregularexpression='@\"(?:.{8,})(?=(.*\d){1,})(?=(.*\W){1,})'
        passwordregularexpressionerrormessage="Your password must be at least 8 characters long, and contain at least one number and one special, non-alphanumeric character."   
        ContinueDestinationPageUrl="~/default.aspx" BackColor="#F7F6F3" 
        BorderColor="#E6E2D8" BorderStyle="Solid" BorderWidth="1px" align="center"
        Font-Names="Verdana" Font-Size="0.8em" AutoGeneratePassword="True">
        <ContinueButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" 
            BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana" 
            ForeColor="#284775" />
        <CreateUserButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" 
            BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana" 
            ForeColor="#284775" />
        <TitleTextStyle BackColor="#5D7B9D" Font-Bold="True" ForeColor="White" />
    <WizardSteps>
        <asp:CreateUserWizardStep runat="server" >
            <ContentTemplate>
                <table style="font-family:Verdana;font-size:100%;" align="center">
                    <tr>
                        <td align="right" colspan="2" 
                            style="color:White;background-color:#5D7B9D;font-weight:bold;">
                            Sign Up for Your New Account</td>
                    </tr>
                    <tr>
                        <td align="right">
                            <asp:Label ID="UserNameLabel" runat="server" AssociatedControlID="UserName">User Name:</asp:Label>
                        </td>
                        <td align="right">
                            <asp:TextBox ID="UserName" runat="server" ToolTip="Pick a user name"></asp:TextBox>
                            <asp:RequiredFieldValidator ID="UserNameRequired" runat="server" 
                                ControlToValidate="UserName" ErrorMessage="User Name is required." 
                                ToolTip="User Name is required.">*</asp:RequiredFieldValidator>
                        </td>
                    </tr>
                    <tr>
                        <td align="right">
                            <asp:Label ID="PasswordLabel" runat="server" AssociatedControlID="Password">Password:</asp:Label>
                        </td>
                        <td align="right">
                            <asp:RegularExpressionValidator 
                                ID="RegularExpressionValidator1" runat="server" 
                                ControlToValidate="Password"
                                validationExpression="(?=^.{8,}$)(?=.*\d)(?=.*\W+)(?![.\n]).*$"
                                ErrorMessage="Your password must be 8 characters long, and contain at least one number and one special character.">
                            </asp:RegularExpressionValidator>
                            <asp:TextBox ID="Password" runat="server" Tooltip="Must be at least 8 characters long and must include at least 1 non-alphanumeric character such as @, #, $, %, &" TextMode="Password"></asp:TextBox>
                            <asp:RequiredFieldValidator ID="PasswordRequired" runat="server" 
                                ControlToValidate="Password" ErrorMessage="Your password must be 8 characters long, and contain at least one number and one special character."   
                                ToolTip="Password is required.">*</asp:RequiredFieldValidator>
                             </td>
                    </tr>
                    <tr>
                        <td align="right">
                            <asp:Label ID="ConfirmPasswordLabel" runat="server" 
                                AssociatedControlID="ConfirmPassword">Confirm Password:</asp:Label>
                        </td>
                        <td align="right">
                            <asp:TextBox ID="ConfirmPassword" runat="server" TextMode="Password"></asp:TextBox>
                            <asp:RequiredFieldValidator ID="ConfirmPasswordRequired" runat="server" 
                                ControlToValidate="ConfirmPassword" 
                                ErrorMessage="Confirm Password is required." 
                                ToolTip="Confirm Password is required.">*</asp:RequiredFieldValidator>
                        </td>
                    </tr>
                    <tr>
                        <td align="right">
                            <asp:Label ID="EmailLabel" runat="server" AssociatedControlID="Email">E-mail:</asp:Label>
                        </td>
                        <td align="right">
                            <asp:TextBox ID="Email" runat="server"></asp:TextBox>
                            <asp:RequiredFieldValidator ID="EmailRequired" runat="server" 
                                ControlToValidate="Email" ErrorMessage="E-mail is required." 
                                ToolTip="E-mail is required.">*</asp:RequiredFieldValidator>
                        </td>
                    </tr>
                    <tr>
                        <td align="right">
                            <asp:Label ID="QuestionLabel" runat="server" AssociatedControlID="Question">Security Question:</asp:Label>
                        </td>
                        <td align="right">
                            <asp:TextBox ID="Question" runat="server" ToolTip="For example, 'favorite team'"></asp:TextBox>
                            <asp:RequiredFieldValidator ID="QuestionRequired" runat="server" 
                                ControlToValidate="Question" ErrorMessage="Security question is required." 
                                ToolTip="Security question is required.">*</asp:RequiredFieldValidator>
                        </td>
                    </tr>
                    <tr>
                        <td align="right">
                            <asp:Label ID="AnswerLabel" runat="server" AssociatedControlID="Answer">Security Answer:</asp:Label>
                        </td>
                        <td align="right">
                            <asp:TextBox ID="Answer" runat="server"></asp:TextBox>
                            <asp:RequiredFieldValidator ID="AnswerRequired" runat="server" 
                                ControlToValidate="Answer" ErrorMessage="Security answer is required." 
                                ToolTip="Security answer is required.">*</asp:RequiredFieldValidator>
                        </td>
                    </tr>
                    <tr>
                        <td align="right" colspan="2">
                            <asp:CompareValidator ID="PasswordCompare" runat="server" 
                                ControlToCompare="Password" ControlToValidate="ConfirmPassword" 
                                Display="Dynamic" 
                                ErrorMessage="The Password and Confirmation Password must match.">
                            </asp:CompareValidator>
                            <regularexpressionvalidator
                                ID="passwordValidator" runat="server" controltovalidate="Password"
                                text="improper password"
                                validationExpression="(?=^.{8,}$)(?=.*\d)(?=.*\W+)(?![.\n]).*$"
                                ErrorMessage="Your password must be 8 characters long, and contain at least one number and one special character." >
                            </regularexpressionvalidator>
                       
                        </td>
                    </tr>
                    <tr>
                        <td align="right" colspan="2" style="color:Red;">
                            <asp:Literal ID="ErrorMessage" runat="server" EnableViewState="False"></asp:Literal>
                        </td>
                    </tr>
                </table>
            </ContentTemplate>
        </asp:CreateUserWizardStep>
        
        <asp:WizardStep ID="chooseRoleName" runat="server" StepType="Step" 
            Title="Choose Role">
            <asp:DropDownList ID="DropDownChooseRole" runat="server" 
                DataSourceID="LinqDataSource1" DataTextField="RoleName" 
                DataValueField="RoleID" AutoPostBack="True">
            </asp:DropDownList>
        </asp:WizardStep>
        <asp:CompleteWizardStep runat="server" />

    </WizardSteps>
        <HeaderStyle BackColor="#5D7B9D" BorderStyle="Solid" Font-Bold="True" 
            Font-Size="0.9em" ForeColor="White" HorizontalAlign="Center" />
        <NavigationButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" 
            BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana" 
            ForeColor="#284775" />
        <SideBarButtonStyle BorderWidth="0px" Font-Names="Verdana" ForeColor="White" />
        <SideBarStyle BackColor="#5D7B9D" BorderWidth="0px" Font-Size="0.9em" 
            VerticalAlign="Top" />
        <StepStyle BorderWidth="0px" />

</asp:CreateUserWizard>


0
CodeCruiser Commented:
Does it make any difference if you move the regexvalidator to after the textbox declaration?
0
Mark Klein (Author) Commented:
I have tried it in several places w/o any effect
0
CodeCruiser Commented:
And does it work if you remove the required field validator?
0
Mark Klein (Author) Commented:
Haven't tried that.  My understanding is that the RequiredFieldValidator (which is working) checks to see that the field is not empty.  The RegularExpressionValidator checks to see if the entered string matches (in this case) the requirements of the password policy.
0
Deepak Lakkad Commented:
Hi,

You can use multiple regular expressions to validate the password.

I was looking for a solution for your query and found one link which uses the above-mentioned concept.  Please refer to it.

http://www.informit.com/articles/article.aspx?p=101137&seqNum=3


Refer to the "Listing 3.6 RegularExpressionValidatorPassword.aspx" section on the above link.

I am sure it will be helpful to you ...

- Deepak Lakkad
0
Mark Klein (Author) Commented:
Deepak, thanks for your efforts and help.
I'm sure you looked at my code and saw that I am already using a regular expression--just one, not multiple ones.  Perhaps the multiple expression that I am already using is incorrect.  I'll go back and look at that.

However, I suspect that the problem is not in the regular expression. The createuserwizard properly traps several errors such as missing entries or previously used email addresses (that error may be coming from the Sql Server Membership table). It traps a 'confirm password' that doesn't match the originally entered password, so it must be using a confirm validator behind the scenes.  It's just not using a regular expression validator on the password.

I'll change the regular expression to something really simple that just checks the length of the password to see if that fires.  But one key question is exactly what fires the validators.  In the code example you reference, there is a script, presumably running in the code-behind file, that does the work, presumably.  For my app, I assume (dangerous, I know) that the 'create user' button at the bottom of the form does the equivalent job.  My code-behind file, attached, has nothing about this.

I'm going to simplify the regular expression now to see if it fires at all.
register.aspx.vb
0
Mark Klein (Author) Commented:
Visible progress!

"visible" is the key word.  I still have just one regular expression, but I changed the Display property from the default to 'Dynamic' and the entry is validating.  I still have other problems, but stay tuned.
0
Mark Klein (Author) Commented:
Some kind of validation is happening within the createUserWizard, but I can't find the validator. The error message is:

Password length minimum: 7. Non-alphanumeric characters required: 1.

Now I've got a regular expression validator on the registration page with an error message, and another regex in web config, but nowhere do I have that error message.  Maybe it's coming from the Membership provider table in my Sql Server db.

Regardless, I can't seem to create a user b/c I can't get the password validated.  Help, please.
0
Mark Klein (Author) Commented:
Some progress:
The unknown error message is, I believe, auto-generated from settings in the Membership section of web.config file. I have adjusted that file, including setting the regex for passwordstrengthregularexpression to null.  Now I can create a login w/o getting errors if I meet the requirements--7 or more chars, 1 non-alpha--that I've set.

However I am back to where I started w/ login problems.  See my still open question about creating a login and then not being able to use it. The Membership table shows a valid, not locked out user, but I get a password error when attempting to login.
0
Mark Klein (Author) Commented:
This is still broken, but the error is easily repeated, very consistently.  Here are the steps to replicate the problem:
1. go to the website at 54.235.245.110 and register as a new user
2. After registration, I have LoginCreatedUser set to false for debugging convenience, so you are logged out. Try to login to your newly created account with the password you created.
3. Login fails.  This is the error I am trying to fix.
4. Ask for a new password, which will come to you by email.  Use it to log into the app, which will work.
5. Once you are logged in, use the Change Password button on upper Right to reset your password to the one you originally used, but now not working.
6. Log out, then log back in with original password.  It now works.
0
Mark Klein (Author) Commented:
Now that my app is public and available for test at 54.235.245.110, and that the steps to replicate the problem consistently are posted in the previous comment, I itemize here the three places that I've found where the password might be validated:
1. In the CreateUserWizard properties, where there are two pertinent properties:
passwordregularexpression='@\"(?:.{8,})(?=(.*\d){1,})(?=(.*\W){1,})'
 passwordregularexpressionerrormessage="Your password must be at least 8 characters long, and contain at least one number and one special, non-alphanumeric character."   


2. Using a regex validator in register.aspx:
<regularexpressionvalidator
                                ID="passwordValidator" runat="server" controltovalidate="Password"
                                text="improper password"
                                validationExpression="(?=^.{8,}$)(?=.*\d)(?=.*\W+)(?![.\n]).*$"
                                ErrorMessage="Your password must be 8 characters long, and contain at least one number and one special character." >
</regularexpressionvalidator>



3. In the web.config code, in the Membership section
 <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="45">
      <providers>
        <clear/>  
        <add 
          connectionStringName="lucidequipmentConnectionString" 
          applicationName="Website3"
          enablePasswordRetrieval="false" 
          enablePasswordReset="true" 
          requiresQuestionAndAnswer="true"
          requiresUniqueEmail="true" 
          passwordFormat="Hashed"
          minRequiredPasswordLength="8"
          minRequiredNonalphanumericCharacters="1"
          passwordStrengthRegularExpression='@\"(?:.{7,})(?=(.*\d){1,})(?=(.*\W){1,})'
          name="SqlProvider" 
          type="System.Web.Security.SqlMembershipProvider"
          />
      </providers>
    </membership>



I have been experimenting with each of these sections, but have no real idea which ones take priority. The regex validator has the most immediate control over user input. My Sql Server db with the Membership table (and the whole app) are hosted on Amazon Web Services.  I'm not even sure of the SS password policy, but have been entering strong passwords with multiple character types.  Regardless, the register app is not working.
0
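The three password patterns itemized in the post above, evaluated under the two matching modes involved, as an added example that is not part of the thread. A RegularExpressionValidator accepts a value only when the match covers the whole string; the wizard property is assumed to be checked the same way, and the membership provider is assumed to accept a match anywhere in the password (`Regex.IsMatch`). The `fixed` pattern and the sample passwords are constructed for illustration.

```javascript
// Added example: not code from the thread. The first three patterns are copied
// from the posts above; `fixed` and the sample passwords are constructed here.
const PATTERNS = {
  wizardProperty: String.raw`@\"(?:.{8,})(?=(.*\d){1,})(?=(.*\W){1,})`,
  pageValidator: String.raw`(?=^.{8,}$)(?=.*\d)(?=.*\W+)(?![.\n]).*$`,
  webConfig: String.raw`@\"(?:.{7,})(?=(.*\d){1,})(?=(.*\W){1,})`,
  // Hypothetical replacement: anchored, without the stray C# string prefix.
  fixed: String.raw`^(?=.*\d)(?=.*\W).{8,}$`,
};

// RegularExpressionValidator semantics: the first match must start at index 0
// and cover the whole value.
function wholeMatch(pattern, value) {
  const m = new RegExp(pattern).exec(value);
  return m !== null && m.index === 0 && m[0].length === value.length;
}

// Regex.IsMatch semantics (assumed for passwordStrengthRegularExpression):
// a match anywhere in the value is enough.
function anyMatch(pattern, value) {
  return new RegExp(pattern).test(value);
}

// Evaluate one password under every pattern and both matching modes.
function evaluate(password) {
  const out = {};
  for (const [name, pattern] of Object.entries(PATTERNS)) {
    out[name] = {
      whole: wholeMatch(pattern, password),
      any: anyMatch(pattern, password),
    };
  }
  return out;
}

// Constructed sample passwords: strong, no digit, too short, and one that
// literally contains the @" prefix.
const SAMPLES = ["Str0ng!Passw0rd", "password", "Pass1!", '@"abcdefgh1!'];
for (const pw of SAMPLES) {
  const line = Object.entries(evaluate(pw))
    .map(([name, r]) => `${name}: whole=${r.whole} any=${r.any}`)
    .join(" | ");
  console.log(JSON.stringify(pw), line);
}
```

The leading `@\"` is matched literally, so the `web.config` pattern rejects `Str0ng!Passw0rd` and matches only input that contains `@"`. Under whole-match rules the wizard-property pattern can never succeed, because its trailing lookaheads need characters beyond the end of the match.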
Mark Klein (Author) Commented:
This was eventually solved by posing another question.  See

http://www.experts-exchange.com/Programming/Languages/.NET/Visual_Basic.NET/Q_28246148.html
0

Mark Klein (Author) Commented:
Never solved, needed to restate
0