.NET Tip: Creating a Password-Checking Function

As much as I hate having to remember a password for every Web site I visit, password security is one of the easiest ways to tighten access to any application. Password security can have complexity rules, such as length or character type, expiration, or remembering previous passwords so the user is forced to create a brand new password.

The function this tip provides will let you check a password against a set of rules, as well as a set of previously used passwords. The function uses a parameter array for the list of passwords, as well as a flag enumeration to make it easier to specify which rules to enforce.

The first part of the code is an enumerated type called PasswordRules:

[Flags]
public enum PasswordRules
{
   /// <summary>
   /// Password must contain a digit
   /// </summary>
   Digit = 1,
   /// <summary>
   /// Password must contain an uppercase letter
   /// </summary>
   UpperCase = 2,
   /// <summary>
   /// Password must contain a lowercase letter
   /// </summary>
   LowerCase = 4,
   /// <summary>
   /// Password must have both upper and lower case letters
   /// </summary>
   MixedCase = 6,
   /// <summary>
   /// Password must include a non-alphanumeric character
   /// </summary>
   SpecialChar = 8,
   /// <summary>
   /// All rules should be checked
   /// </summary>
   All = 15,
   /// <summary>
   /// No rules should be checked
   /// </summary>
   None = 0
}

Note the [Flags] entry at the top of this enumeration. It indicates that the values can be used as binary flag values. Each value (except for 6 and 15) is a power of 2, and 15 is a combination of 1, 2, 4, and 8. By using this model, you can check whether a flag is set using binary operators. Here's the function that uses these flags:

public static bool IsPasswordValid(string password,
                                   PasswordRules rules,
                                   params string[] ruleOutList)
{
   bool result         = true;
   const string lower  = "abcdefghijklmnopqrstuvwxyz";
   const string upper  = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
   const string digits = "0123456789";
   string allChars     = lower + upper + digits;

   //Check Lowercase if rule is enforced
   if(Convert.ToBoolean(rules & PasswordRules.LowerCase))
   {
      result &= (password.IndexOfAny(lower.ToCharArray()) >= 0);
   }

   //Check Uppercase if rule is enforced
   if(Convert.ToBoolean(rules & PasswordRules.UpperCase) )
   {
      result &= (password.IndexOfAny(upper.ToCharArray()) >= 0);
   }

   //Check to for a digit in password if digit is required
   if(Convert.ToBoolean(rules & PasswordRules.Digit))
   {
      result &= (password.IndexOfAny(digits.ToCharArray()) >= 0);
   }

   //Check to make sure special character is included if required
   if(Convert.ToBoolean(rules & PasswordRules.SpecialChar))
   {
      result &= (password.Trim(allChars.ToCharArray()).Length > 0);
   }

   if (ruleOutList != null)
   {
      for(int i = 0; i < ruleOutList.Length; i++)
         result &= (password != ruleOutList[i]);
   }

   return result;
}

Each test does a binary AND on the rules value and the flag in question. If the test comes back true, the rule is checked and the result is ANDed together with the previous tests. The final test checks the other passwords that were passed to the function to see whether the new password matches any of them. If it matches, the test fails.

Although this function doesn't have any error messages, you easily could return an array of strings with the particular errors or tests that failed. You also can use the flag enumeration for other similar functions. I also use it to specify validation rules for fields, and there are many other options for using this C# feature.

About the Author

Eric Smith is the owner of Northstar Computer Systems, a Web-hosting company based in Indianapolis, Indiana. He also is a MCT and MCSD who has been developing with .NET since 2001. In addition, he has written or contributed to 12 books covering .NET, ASP, and Visual Basic. Send him your questions and feedback via e-mail at questions@techniquescentral.com.



Comments

  • Additional Functionality

    Posted by davidmknoble on 10/04/2006 03:54pm

    Overloaded methods could be added for IsPasswordValid that include an integer indicating the number of digits that must be included. The test can be used by comparing this with the result of an InStr function. Also a function for the required minimum length of the password could be added.

    Reply
Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • Live Event Date: November 20, 2014 @ 2:00 p.m. ET / 11:00 a.m. PT Are you wanting to target two or more platforms such as iOS, Android, and/or Windows? You are not alone. 90% of enterprises today are targeting two or more platforms. Attend this eSeminar to discover how mobile app developers can rely on one IDE to create applications across platforms and approaches (web, native, and/or hybrid), saving time, money, and effort and introducing apps to market faster. You'll learn the trade-offs for gaining long …

  • Live Event Date: October 29, 2014 @ 11:00 a.m. ET / 8:00 a.m. PT Are you interested in building a cognitive application using the power of IBM Watson? Need a platform that provides speed and ease for rapidly deploying this application? Join Chris Madison, Watson Solution Architect, as he walks through the process of building a Watson powered application on IBM Bluemix. Chris will talk about the new Watson Services just released on IBM bluemix, but more importantly he will do a step by step cognitive …

Most Popular Programming Stories

More for Developers

Latest Developer Headlines

RSS Feeds