Security is essential to all types of applications, including web applications.
ASP.NET Core Identity provides pre-built services for creating users, verifying passwords, authorizing users, and signing users in to the application. It also provides additional features such as two-factor authentication (2FA), login with third-party login providers, and account lockout after too many failed login attempts.
The default settings
By default, ASP.NET Core Identity applies the following validation rules to new passwords:
- Passwords must be at least 6 characters
- Passwords must have at least one lowercase (‘a’-‘z’)
- Passwords must have at least one uppercase (‘A’-‘Z’)
- Passwords must have at least one digit (‘0’-‘9’)
- Passwords must have at least one non-alphanumeric character
To change the default password validation rules, for example to increase the minimum password length, allow lowercase, or disable the digit requirement, configure the options when adding Identity to the DI container in the ConfigureServices method of the Startup class.
AddIdentity accepts an options delegate that controls the basic characteristics required of passwords. Here is a sample AddIdentity call.
public void ConfigureServices(IServiceCollection services)
{
    // Register Identity and set the password rules explicitly.
    services.AddIdentity<ApplicationUser, IdentityRole>(options =>
    {
        options.Password.RequireDigit = true;
        options.Password.RequireLowercase = true;
        options.Password.RequireNonAlphanumeric = true;
        options.Password.RequireUppercase = true;
        options.Password.RequiredLength = 6;
        // null turns off the user-name character allow-list, so any character is accepted.
        options.User.AllowedUserNameCharacters = null;
    });
}
Note: You should also change your new settings in
to enable the new validation on the front end.
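The changes described above (a longer minimum length, no digit requirement) together with the account lockout feature mentioned in the introduction, as an added example that is not code from the original post. The validator class name, the error code, the length of 12 and the lockout values are assumptions chosen for illustration, and ApplicationUser is a minimal stand-in for the application's own user class.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public class ApplicationUser : IdentityUser { }   // stand-in for the app's user class

// Hypothetical custom rule: reject passwords that contain the user name.
public class NoUserNameInPasswordValidator : IPasswordValidator<ApplicationUser>
{
    public async Task<IdentityResult> ValidateAsync(
        UserManager<ApplicationUser> manager, ApplicationUser user, string password)
    {
        var userName = await manager.GetUserNameAsync(user);
        if (!string.IsNullOrEmpty(userName) &&
            password.Contains(userName, StringComparison.OrdinalIgnoreCase))
        {
            return IdentityResult.Failed(new IdentityError
            {
                Code = "PasswordContainsUserName",   // constructed error code
                Description = "Passwords must not contain the user name."
            });
        }
        return IdentityResult.Success;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentity<ApplicationUser, IdentityRole>(options =>
        {
            // The changes the text describes: longer minimum, no digit requirement.
            options.Password.RequiredLength = 12;    // assumed value; the default is 6
            options.Password.RequireDigit = false;
            options.Password.RequireLowercase = true;
            // Lockout after repeated failed sign-ins (values are assumptions).
            options.Lockout.MaxFailedAccessAttempts = 5;
            options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
            options.Lockout.AllowedForNewUsers = true;
        })
        // Runs in addition to the built-in PasswordValidator configured above.
        .AddPasswordValidator<NoUserNameInPasswordValidator>();
    }
}
```

The lockout options only take effect when the sign-in call passes lockoutOnFailure: true to SignInManager.PasswordSignInAsync.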