Password policy in ASP.NET Identity


By default, ASP.NET Identity requires that passwords must contain an uppercase character, a lowercase character, a digit and a non-alphanumeric character. ASP.NET Identity also requires that passwords must be at least 6 characters long.

If you don't follow these requirements while adding a user, ASP.NET Identity will consider the entered password as invalid.

invalid password error message

This default configuration is defined in the IdentityConfig.cs file.

Custom password policy

In order to implement a custom password policy in ASP.NET Identity, we use the PasswordValidator object.

manager.PasswordValidator = new PasswordValidator
    RequiredLength = 6,
    RequireNonLetterOrDigit = true,
    RequireDigit = true,
    RequireLowercase = true,
    RequireUppercase = true,

RequiredLength The minimum required length of the password
RequireNonLetterOrDigit Require a non letter or digit character in the password
RequireDigit Require a digit ('0' - '9') in the password
RequireLowercase Require a lower case letter ('a' - 'z') in the password
RequireUppercase Require an upper case letter ('A' - 'Z') in the password

In order to define your own validation logic for passwords, go to App_Start > IdentityConfig.cs and override the values of the above properties.