ASP.NET Core Identity | Change default password restrictions

Changing Password Policy

The password restrictions in ASP.NET Core Identity are strict by default, however you may find yourself wanting to change it to make it easier for you users.

Changing the password policy, consists of modifying the way IdentityRoles are created on startup. You can do this by modifying the code inside the “ConfigureServices” method in the startup class. The process is trivial and will only take you a minute.

Startup.cs

Inside startup.cs, around line 53, you’ll want to extend an options object, using a lambda expression to modify the Password properties. This changes the behavior of IdentityRole using the “AddIdentity” method, for example:

services.AddIdentity<ApplicationUser, IdentityRole>(options => 
    {
        options.Password.RequireDigit = false;
        options.Password.RequireLowercase = false;
        options.Password.RequireUppercase = false;
        options.Password.RequireNonLetterOrDigit = false;
        options.Password.RequiredLength = 7;
    })
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddDefaultTokenProviders();

Note: In ASP.NET Core RC2, “RequireNonLetterOrDigit” was changed to “RequireNonAlphanumeric.”

Save, and start/restart your application and it will work! You will have to create a new user to test this out.

The ASP.NET Core documentation can be found here, however a the time of writing it is very sparse. The good news is, this uses the same IdentityServer from ASP.NET 4, so that documentation can be supplemented as needed.

Thanks for reading!