Validating User Passwords in SharePoint 2010

I recently wrote a user self-registration solution for SharePoint 2010. As part of this solution, I needed to validate the requested password to ensure that it met the requirements of the authentication provider (in this case, Active Directory).

The code, while hardly rocket science, is something I do not want to figure out again. So I thought I would post it here for my own benefit. If anyone else finds it useful, that’s cool, too!

I wanted to validate that the password met various requirements from the AD policy:

  1. Length
  2. Complexity (contains a combination of lower case, upper case, digits, and special characters)
  3. Content (does not contain all or part of the user name)

I did not need to check against old passwords to prevent repetition, since this solution is creating new users.

Checking for length is blatantly obvious, so I won’t bother showing that.

For complexity, the default AD policy is as follows:

“Passwords must contain characters from three of the following four categories:

  1. English uppercase characters (A through Z).
  2. English lowercase characters (a through z).
  3. Base 10 digits (0 through 9).
  4. Non-alphabetic characters (for example, !, $, #, %).”

This is pretty simple to do. In fact there are several ways to do it, depending on whether you want to use regular expressions, built-in methods of the string class, etc.

  1. For digits and special symbols, I simply created character arrays for those two groups, and used the string class’ IndexOfAny method.
  2. I could have done the upper and lower case the same way, but I decided to take a different approach (just for variety). For a string S, if S == S.ToLower(), then S contains no uppercase letters. Similarly, if S == S.ToUpper(), then S contains no lowercase letters.
  3. Having determined the presence of the 4 classes of characters, I can then simply add up the number of character classes found.

So, the code I used for these conditions is:

    protected bool PasswordComplexityValidation(string UserName, string FullName, string Password)
    {
        // Characters that count towards the "digits" and "special characters" categories
        char[] digits = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' };
        char[] symbols = { '~', '!', '@', '#', '$', '%', '^', '&', '*', '_', '-', '+', '=', '`', '|', '\\', '(', ')', '{', '}', '[', ']', ':', ';', '"', '<', '>', ',', '.', '?', '/' };

        bool blnHasDigits = (Password.IndexOfAny(digits) != -1);
        bool blnHasSymbols = (Password.IndexOfAny(symbols) != -1);

        // If lower-casing changes the string, it contains an uppercase letter (and vice versa)
        bool blnHasUpperCase = !(Password.Equals(Password.ToLower()));
        bool blnHasLowerCase = !(Password.Equals(Password.ToUpper()));

        // Count how many of the four character classes are present
        int conditionsMet = 0;

        if (blnHasDigits)
            conditionsMet++;

        if (blnHasSymbols)
            conditionsMet++;

        if (blnHasUpperCase)
            conditionsMet++;

        if (blnHasLowerCase)
            conditionsMet++;

        // The policy requires at least three of the four classes
        return (conditionsMet > 2);
    }

The next interesting part was the content check. To check that no more than 2 consecutive letters of the user name or full name are used in the password, I iterate over the username, taking three-character substrings, and checking to see if the password contains them. This is then repeated for the full name. If any of the substrings is found, then the password fails:

    protected bool PasswordContentValidation(string UserName, string FullName, string Password)
    {
        // Check that password does not contain a large part of the UserName or Full Name
        bool blnIsValid = true;

        // Check if password contains a 3 character substring from the username.
        // The bound is inclusive (<=) so the last three characters are also tested.
        for (int i = 0; i <= (UserName.Length - 3); i++)
        {
            string substring = UserName.Substring(i, 3);
            // IndexOf with OrdinalIgnoreCase so "SMI" in the password matches "smi" in the name
            if (Password.IndexOf(substring, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                blnIsValid = false;
                break;
            }
        }

        // Do the same for 3-character substrings from the Full Name, but only if the password is not already invalid
        if (blnIsValid)
        {
            for (int i = 0; i <= (FullName.Length - 3); i++)
            {
                string substring = FullName.Substring(i, 3);
                if (Password.IndexOf(substring, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    blnIsValid = false;
                    break;
                }
            }
        }
        return blnIsValid;
    }

That is about it. I make no representations that this is the best way of validating passwords, or even the best. This is just what I thought up over the weekend!
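An added example (not the post's own code) that folds the length, complexity and content checks into one method and reports which rule failed, run over constructed sample accounts. `MinLength`, the rule names, and treating every character outside A-Z, a-z and 0-9 as non-alphabetic are assumptions; the name check reaches the last three characters of each name and ignores case.

```csharp
using System;
using System.Collections.Generic;

public static class PasswordPolicyDemo
{
    const int MinLength = 8;  // assumed value; take the real one from the domain policy
    const int Window = 3;     // length of a name fragment that must not appear

    // Returns the names of the rules the password fails (empty list = accepted).
    public static List<string> Validate(string userName, string fullName, string password)
    {
        var failures = new List<string>();
        if (password.Length < MinLength) failures.Add("length");
        // Classify each character once; "other" is anything outside the three ASCII ranges (assumption).
        bool upper = false, lower = false, digit = false, other = false;
        foreach (char c in password)
        {
            if (c >= 'A' && c <= 'Z') upper = true;
            else if (c >= 'a' && c <= 'z') lower = true;
            else if (c >= '0' && c <= '9') digit = true;
            else other = true;
        }
        int categories = (upper ? 1 : 0) + (lower ? 1 : 0) + (digit ? 1 : 0) + (other ? 1 : 0);
        if (categories < 3) failures.Add("complexity");
        if (ContainsPartOf(userName, password) || ContainsPartOf(fullName, password))
            failures.Add("content");
        return failures;
    }

    // True if any Window-length slice of name occurs in password, ignoring case.
    static bool ContainsPartOf(string name, string password)
    {
        if (string.IsNullOrEmpty(name)) return false;
        for (int i = 0; i + Window <= name.Length; i++)  // inclusive bound reaches the last slice
            if (password.IndexOf(name.Substring(i, Window), StringComparison.OrdinalIgnoreCase) >= 0)
                return true;
        return false;
    }

    public static void Main()
    {
        // Constructed samples: user name, full name, candidate password.
        string[][] samples = {
            new[] { "jsmith", "John Smith", "Winter#2010x" },   // passes all three rules
            new[] { "jsmith", "John Smith", "SMITH#2010xy" },   // name fragment in different case
            new[] { "bob", "Bob Ray", "x9!Bobcat77" },          // 3-character user name
            new[] { "jsmith", "John Smith", "alllowercase" },   // one character class only
        };
        foreach (var s in samples)
            Console.WriteLine("{0,-14}{1}", s[2], string.Join(", ", Validate(s[0], s[1], s[2]).ToArray()));
    }
}
```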


I have been working in the world of technology for 25-odd years. I am an entrepreneur and consultant, focused on software solutions, social networking, and innovation processes. Currently, I am a Principal Consultant with T4G Limited, specializing in Portal Technologies (including SharePoint), software/systems development, service oriented architectures, and many other things which I will probably not remember until I need to use them. Prior to that, I was VP of Technology at Whitehill Technologies, Inc., where I spent almost 9 years helping to grow the company from a start-up to one of the most successful private software companies in Canada. Prior to that I worked on internet conferencing using early VoIP, and on large military communications projects. Before even that, I worked in satellite control, and remote sensing. Going way back to university, my focus was on theoretical physics and astrophysics. Currently my interests revolve around most aspects of software development, from technologies to management, and in the area of defining sustainable, repeatable processes for innovation within technology organizations. I also have a particular interest in Tablet PC technologies – I have been using one for several years, and I love it. On the personal side, I still have a strong interest in all aspects of science, especially physical sciences, as well as philosophy and comparative religion. In addition, I am into music, playing guitar (badly, I am sorry to say), and reading almost anything I can lay my hands on. I am also a member of the IEEE/IEEE Computer Society, and of the Association for Computing Machinery.

Posted in SharePoint 2010, Software Development
