Crazy Password Requirements for users

Hello there


I have just installed this web part in order to start using a form application login, I was able to create users. However there seems to be some hard coded byzantine password requirement. I even tried a 10 character password and it did not accept it. It seems to need something on the complexity of an email address. I thought that the user creation just totally wasnt working, untill i tried a password like '' which actually did work!


So do passwords need to have a @ sign in them or what? I am of the opinion that password requirements are ALWAYS a bad idea and lead to users simply writing down their passwords. Is this configurable? if so where? Also it would be nice if the form actually told you this is why it was failing as opposed to "Object reference not set to an instance of an object." which makes no sense to anyone!


I am going to take a look around the discussion area, but so far the closest answer i found says something like " i have changed my web.config  to have users passwords with only 8 characters and no nonalphanumeric characters." So i gather that i can change a web.confg file somewhere to do this. I did a search  for "password" in the web.config under the virtual directory for my site, but it didnt come up with anything besides the parameters to connect to the database.


How do I edit the "PasswordPolicy" ? anyone know




The password complexity is set by the membership provider, which you configure in the web.config (just edit the entries you made when configuring SharePoint for FBA).  The FBA Pack just uses whatever is configured.

There's more info on configuring the membership provider here:

Here's the options you'll be interested in - the minimum password length (defaults to 7) and minimum number of non-alphanumeric characters (defaults to 1 - which is why you needed to put the @ character to get a valid password):


Ok, that seems pretty straight forward.


I have added the two strings to APPLICATION_ROOT\web.config however minRequiredNonAlphanumericCharacters="0" does not work and makes the site display errors - you cannot browse to the site.  minRequiredPasswordLength="4" however does work, as long as one of those 4 is an @ sign, or other nonalpha char. Relevant lines of web.config are pasted in below. As pasted, the site does not work - does not load. However, if you simply remove the alphacharacters variable, then it all works fine. So maybe I have a synatx error? i also tried ="" and =" ", and even ="1" but it didnt matter.  Site does not load with 403 errors.


<add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" minRequiredPasswordLength="4" minRequiredNonAlphanumericCharacters="0" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

Maybe I am not editing the right file? I know I had to edit 3x web.config files web application, central administrator and "STS". Otherwise I would say that that connection string variable is not useable.

Anyone have any working code I can compare too? maybe its the order of variables or something like that. I am not a programmer!


thanks for the help anyways ccoulson!


gosh darn it!!!



works fine. Seems the command is case sensitive. (note the lower case a in the working command.) MS really needs to update its documentation regarding that!

Thats why i personally hate programming, its always some mundane little detail!

arggg works now. thanks.


this example provided correct syntax: