PasswordSecurityMeter custom control

• Download source - 54.8 Kb

Introduction

Lately I was registering on UK’s eBay website and I found an interesting control which shows how strong a user’s password is. The idea appeared interesting to me and I decided to create a simple ASP.NET custom control which will provide that functionality.

Background

User’s passwords are one of the basic security problems. From one side, we want systems to be secure and it requires password to be strong, but from the other side, there are users who don’t have appropriate knowledge and don’t want to remember complicated passwords. The simple solution for secure passwords is to use letters (mixed upper and lower-case), digits and special characters (like #[]!$%^&*). Password also must have appropriate length (minimum 6 characters but more is better). Knowing that, we can simply change the weak password mariusz to a strong one MariusZ#30. But we – developers – must remember that it’s our duty to show users, and help them, how to create a strong password.

The control

OK, let’s see what’s going on…

First – the engine. Basically, we need to check the password’s length (must be longer than minimum, let’s say 6 characters, but good if it’ll have at least the recommended length – 9 characters). Next - we verify that the password doesn't contain illegal phrases (like company name or phrases from login email), or consecutive or same characters. The last stage is to check if password contains letters and digits and special characters. This is implemented in the CalculateSecurityLevel (see line 329; PasswordSecurityMeter.cs file) procedure as also in the rendered JavaScript code (see line 162; PasswordSecurityMeter.cs file).

A little about the control’s designer

As you can see, I’ve created the control’s designer (PasswordSecurityMeterDesigner class). Designers are used to provide the control’s rendering during design-time. In this case, the designer provides simple properties checking, and when values are not correctly set, an appropriate message is rendered.

The designer class should derive from ControlDesigner class and should implement GetDesignTimeHtml procedure (see line 17; PasswordSecurityMeterDesigner.cs file). As you can see, I’m checking if the property PasswordControlName has been set and, when render mode Image is selected, if ImagesNamePattern property has been set.

To use the designer with the control, you must set the Designer attribute for the control’s class (see line 13; PasswordSecurityMeter.cs file).

Using the code

I assume that you know how to compile and install a custom control in Visual Studio .NET (if not, please read this article on MSDN). To use the control, simply drag it to the web form and set the property PasswordControlName - this is the name of control which keeps the user’s password. Additionally, you can set these properties:

• MinPasswordLength – minimum password length
• MaxPasswordLength – maximum password length
• GoodPasswordLength – this determines how many characters a good password should have. If a password has at least that number of characters, one level point is added.
• EMailControlName – name of the control where user can specify email. This prevents users before using in password phrases from email address which can be used as login.
• RenderMode - select rendering mode (as an Image or as a Table).
• ImagesNamePattern – you must specify this property when RenderMode is Image. Simply type the image's name pattern, putting {0} instead of security level number, for example: images/blue_securityLevel{0}.gif. In this example, you have six images in the images directory (blue_securityLevel0.gif, blue_securityLevel1.gif, … , blue_securityLevel5.gif).

History

• 30/06/2005 - After a while (a long while), I finally wrote an article. Don’t know why, but it always takes a time :(
• 04/05/2005 - I wrote the control’s code and decided to write an article.

To Do:

• implement property which will allow the user to enter a list of prohibited words (like company name).
• implement property which will allow the user to set colours for rendered table.
• implement dynamic images render.
• implement “Hint & Tips” which will help a customer to create more stronger passwords.