How to set password rules for ASP.NET identity?

Question

In my ASP.NET applications I have following settings in DefaultMembershipProvider and SqlMembershipProvider in web.config:

enablePasswordRetrieval=\"true\"
p         


        

Answer 1

You need to provide IPasswordHasher implementation that can provide clear password without hashing. You can set UserManager.PasswordHasher to your implementation.

As of now, there is no web.config configurable settings for Identity. You need to provide appropriate mix of configurable in code, mainly in Startup.cs

It is not recommended to store passwords in clear format.

public class ClearPassword : IPasswordHasher
{
    public string HashPassword(string password)
    {
        return password;
    }

    public PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
    {
        if(hashedPassword.Equals(providedPassword))
            return PasswordVerificationResult.Success;
        else return PasswordVerificationResult.Failed;
    }
}