.NET C# code for simple password complexity checking and preventing use of well known passwords!

A lot of developers do not pay much attention when creating password reset logic. In fact this should be well thought out, as you only need to do it once and update it periodically if necessary.

As developers it is our responsibility to force users to use good passwords.

It is easy to find dictionaries of common passwords, and brute-forcing speeds and techniques have increased tenfold over the years. In online security it is important to at least keep this standard:

  • Minimum password length of 8 characters
  • Limit login and reset attempts to something like 10 an hour
  • Log and email yourself if somebody locks their account more than 3 times a day - this is a strong indication of a brute-force attack
  • Do not allow users to use stupid passwords! Instead, suggest the user a password with mixed characters and case right there on the form (and make it easy to use).
  • Try to use existing authorization engines like SimpleMembership in .NET MVC, which encrypts and salts passwords, uses anti-forgery tokens and implements methods to safely change passwords and verify nobody tampered with the requests.
Here is some code in C# I banged together to at least address some basic issues. My username is an email address, so I split it up and check the local part of it against the password as well.

I did not use regex because Contains is fast enough and I am not comparing passwords against a megabyte-sized list (you can find a file that contains the 77,000 most common passwords; regex is recommended at that size). As password resets are not core functionality we do not need to micro-manage them.

// Requires: using System; (for StringSplitOptions)
public static string ComplexityCheck(Models.PasswordReset passwordReset)
{
    string pw = passwordReset.ConfirmPassword;
    string un = passwordReset.Account;
    // Account name as password? The account is an email address, so take the local part.
    string unLocal = un.Split('@')[0];
    if (pw.Contains(unLocal))
        return "Your password cannot contain your account name.";
    // Any canonical part of the account name included in the password?
    // RemoveEmptyEntries matters: Contains("") is always true and would reject every password
    // for an account such as "john..doe@" or "john-@".
    string[] unParts = unLocal.Split(new[] { '.', '-', '_', '!' }, StringSplitOptions.RemoveEmptyEntries);
    foreach (string unp in unParts)
    {
        if (pw.Contains(unp))
            return "Your password cannot contain parts of your account name.";
    }
    // Words I found in public dictionaries used for brute-force attacks (at least 8 characters)
    // and the worst passwords as listed on CNN.
    // Anything that matches or contains these is a vulnerability threat.
    string[] bannedPasswords = new string[] {
        // well known and should be avoided no matter what (the password may not even contain these)
        "ninja", "111111", "letmein", "123456", "iloveyou", "trustno1",
        // 'jesus' is well known but we cannot ban Jesus!
    };
    foreach (string banned in bannedPasswords)
    {
        if (pw.Contains(banned))
            return "'" + banned + "' is not allowed to be used within your password.";
    }
    return "";
}

There are several features missing:
  • At least n upper-case or mixed characters
  • I set my minimum to 8 in my models so I do not recheck it here
  • No clever way to detect repeated characters
  • Others that I might add later...
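As an added example (not code from the original post), here is one way to fill in the missing features listed above: a minimum count of upper-case letters and digits, detection of repeated characters and of passwords built from too few distinct characters, and account-name matching made case-insensitive. The class name, rule thresholds and the sample account john.doe@example.com are my own choices.

```csharp
using System;
using System.Linq;

public static class PasswordPolicyExtras
{
    static readonly char[] Separators = { '.', '-', '_', '!' };

    // Returns "" when the password passes, otherwise the message for the first failed rule.
    public static string Check(string password, string account,
                               int minUpper = 1, int minDigits = 1, int maxRun = 2)
    {
        // Account-name parts, case-insensitive, so "JohnDoe1!" fails for john.doe@example.com.
        // Parts shorter than 3 characters are skipped: banning "j" would reject most passwords.
        string local = account.Split('@')[0];
        foreach (string part in local.Split(Separators, StringSplitOptions.RemoveEmptyEntries))
        {
            if (part.Length >= 3 && password.IndexOf(part, StringComparison.OrdinalIgnoreCase) >= 0)
                return "Your password cannot contain parts of your account name.";
        }

        // Mixed characters: at least n upper-case letters and n digits.
        if (password.Count(char.IsUpper) < minUpper)
            return "Use at least " + minUpper + " upper-case letter(s).";
        if (password.Count(char.IsDigit) < minDigits)
            return "Use at least " + minDigits + " digit(s).";

        // Repeated characters: reject any run of the same character longer than maxRun ("sss", "1111").
        int run = 1;
        for (int i = 1; i < password.Length; i++)
        {
            run = password[i] == password[i - 1] ? run + 1 : 1;
            if (run > maxRun)
                return "Do not repeat the same character more than " + maxRun + " times in a row.";
        }

        // Too few distinct characters ("ababababA1") defeats a length minimum; require at least 5.
        if (password.Distinct().Count() < 5)
            return "Your password uses too few different characters.";

        return "";
    }

    public static void Main()
    {
        // Constructed sample passwords; only the last one passes every rule.
        string[] samples = { "JohnDoe1!", "Passs1word", "ababababA1", "*yH%hd&Sd3" };
        foreach (string s in samples)
            Console.WriteLine("{0,-12} -> {1}", s, Check(s, "john.doe@example.com"));
    }
}
```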
On my password reset page I suggest a specific password to users, and with a bit of jQuery I pop it into the password fields automatically. Just copy the text and save it to Keep or another place where you keep your passwords. As soon as a user clicks "use this password" it is hidden. And so what if other people can see the password? Can you memorize "*yH%hd&Sd" in the blink of an eye? I can't.
Banter ...

We will never get rid of bad habits like writing the password on a note on your monitor or archiving it in emails, but at least we can protect our sites from simple hacking that can cause tremendous grief. Since the Internet started we have been conditioned to use the same password across various sites.

We need to condition people now that a password should be treated like the key to their house or car. You won't just leave it lying around anywhere, and you do not want people snooping around your property. We can't avoid getting broken into, but we can make it more difficult by raising the security.

Today information is worth more than many precious metals. If somebody can gather enough information about you by logging into your Facebook, LinkedIn, Google, MSN and various other sites using the same password, they essentially become you!

The only person I like being me - is myself! And I would never sell my details to dodgy spammers!