Tags: c#, asp.net, asp.net-mvc, asp.net-identity

Does changing the PasswordValidator class in the ASP.NET Identity namespace affect existing passwords?


I am working on an existing ASP.NET MVC project, adding a "Forgot Password" feature, and as I was configuring the PasswordValidator I was wondering how this will affect existing production users if I make any changes.

    // Inside ApplicationUserManager.Create(...) in App_Start/IdentityConfig.cs
    // (requires: using Microsoft.AspNet.Identity;)
    // Configure validation logic for passwords
    manager.PasswordValidator = new PasswordValidator
    {
        RequiredLength = 6,               // minimum length is the only rule enforced
        RequireNonLetterOrDigit = false,  // no symbol required
        RequireDigit = false,             // no digit required
        RequireLowercase = false,         // no lowercase letter required
        RequireUppercase = false,         // no uppercase letter required
    };

This is how the PasswordValidator was configured before. If I make changes to make the validator more strict, will this affect existing production users who already have a "looser" password?


Solution

  • In .NET, passwords are only validated during their creation. Once created, if you change the validation rules, passwords stored in your data store will not be re-validated against the new rules until the user changes them again. At the very least, passwords are encrypted in your data store. Depending on the security settings, passwords may be hashed. Hashed passwords cannot be retrieved to be re-validated (only the hashes can be compared). Additionally, decrypting the passwords and re-validating them would be a huge processing drag and a potential security hole. .NET does not do this. You don't have to worry about this change affecting existing production users.
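The following is an added example, not code from the question or the answer above. It shows the two halves of the answer in working code against the Microsoft.AspNet.Identity.Core package (Identity 2.x, no user store or Entity Framework needed): PasswordValidator.ValidateAsync is a function of the rules and the plaintext only, and PasswordHasher stores and compares hashes that carry no policy information, so there is nothing for a stricter validator to re-check. It also shows the one practical caveat: the only moment the server sees an existing user's plaintext again is at sign-in, so a login-time check is the place to detect a legacy password and force a change. The "strict" rule values, the sample password and the MeetsCurrentPolicy helper are assumptions made for this example.

```csharp
// Added example, not from the original post. Package: Microsoft.AspNet.Identity.Core 2.x.
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

class PasswordPolicyDemo
{
    // The "loose" rules from the question.
    static readonly PasswordValidator Loose = new PasswordValidator
    {
        RequiredLength = 6,
        RequireNonLetterOrDigit = false,
        RequireDigit = false,
        RequireLowercase = false,
        RequireUppercase = false,
    };

    // A stricter replacement (values assumed for this example).
    static readonly PasswordValidator Strict = new PasswordValidator
    {
        RequiredLength = 10,
        RequireNonLetterOrDigit = true,
        RequireDigit = true,
        RequireLowercase = true,
        RequireUppercase = true,
    };

    // Validation only ever sees (rules, plaintext). The stored hash is not consulted,
    // which is why changing the rules cannot retroactively affect stored passwords.
    static Task<IdentityResult> Check(IIdentityValidator<string> rules, string plaintext)
    {
        return rules.ValidateAsync(plaintext);
    }

    // Hypothetical login-time hook: call after UserManager.FindAsync / CheckPasswordAsync
    // has succeeded. Returns false when the password the user just proved they know no
    // longer satisfies the current policy, so the caller can redirect to a change-password page.
    static async Task<bool> MeetsCurrentPolicy(IIdentityValidator<string> currentRules, string plaintext)
    {
        IdentityResult result = await currentRules.ValidateAsync(plaintext);
        return result.Succeeded;
    }

    static void Main()
    {
        const string legacy = "abc123";                // constructed sample, created under Loose
        var hasher = new PasswordHasher();
        string stored = hasher.HashPassword(legacy);   // what lands in AspNetUsers.PasswordHash

        // Verification compares hashes only; the hash encodes no policy.
        Console.WriteLine(hasher.VerifyHashedPassword(stored, legacy));   // Success
        Console.WriteLine(hasher.VerifyHashedPassword(stored, "wrong"));  // Failed

        // The legacy password passes the old rules...
        Console.WriteLine(Check(Loose, legacy).Result.Succeeded);         // True
        // ...and fails the new ones, but only when something re-validates the plaintext.
        IdentityResult strict = Check(Strict, legacy).Result;
        Console.WriteLine(strict.Succeeded);                              // False
        foreach (string error in strict.Errors) Console.WriteLine("  " + error);

        // Sign-in is the one point where the plaintext is available again.
        bool authenticated = hasher.VerifyHashedPassword(stored, legacy) == PasswordVerificationResult.Success;
        bool mustChange = authenticated && !MeetsCurrentPolicy(Strict, legacy).Result;
        Console.WriteLine(mustChange);                                    // True
    }
}
```

In the MVC 5 template the natural place for the MeetsCurrentPolicy check is AccountController.Login, after SignInManager.PasswordSignInAsync reports success and before redirecting to the return URL; UserManager.PasswordValidator is the IIdentityValidator<string> to pass in. If you do not add such a check, the answer above holds exactly as stated: a stricter validator applies only to passwords created, changed or reset after the change.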