now to change CMS editor login password strength? Its too weak.


the content editors can change passwords to aaaaaaaa for exmaple. how do we make it more secure?  Its a DXC instance.

Also, is there a way to block external access to the content area with DXC?  Obvously we have no access to layer 7 firewalls or similar.

I assume both items could be done in code via a custom membership provider, but I am looking for a way to do it via confirmation to avoid the developemnt costs if possible.

Jan 15, 2020 13:54


To answer your first question, it depends on how you're authenticating users. If you're using the membership model via the SQL membership provider you can add a regular expression to your configuration which will be used to validate the complexity of the password. It should just be a matter of adding in an additional attribute called passwordStrengthRegularExpression to the <add name="SqlServerMembershipProvider" node. You can read more about it here and there are plenty of examples of suitable regular expressions online.

If you're authenticating using the newer identity model, I think you'd need to make a code change to enforce specific password requirements.

To answer your second question, again, you can do this through configuration rather than code as described here.

I appreciate that modifying configuration would require a release of the application so may not be what you're looking for but I'm afraid it's the closest I can get to a code-free solution.

Jan 15, 2020 18:33
johnv - Jan 22, 2020 17:47
passwordStrengthRegularExpression gives a regexp, which is great. Any idea how we tell the user what the password criteria is when they fail the regexp?

Hi addin to what Paul already said, have a look at the Episerver CMS security section where there is a complete sample about the Episerver ASP.NET Identity implementation (look at the PasswordValidator).

But I think you are not currently using the Identity implementation as it has default settings of: min length 6 chars (this is the ONLY BAD default settings, Episerver make this 10 characters for example 6 chars is just too short), requires non letter or digit, requires digit, requires lowercase and requires upper case.

And as you most likely are using the SqlMembershipProvider then the default password strength regular expression is empty string => no enforcing happening on the password "quality".

Jan 19, 2020 9:55

Hi John

When your site is hosted in DXC, it is run behind Cloudflare, which includes a free Layer 7 firewall. So you could ask Episerver Service Desk to add a firewall rule that only allows access to /episerver and /util from specific IP adresses. This will not require any deployments of your site, and it would be safer and more efficient than adding a redirect rule to your application.

And for passwords, if you use ASP.Net Identity authentication, you can easily replace the PasswordValidator and UserValidator (for user names) classes and you can specify your own user lock-out rules. But, as Antti writes, you are probably not using ASP.Net Identity authentication since your current solution allows such very simple passwords.

Jan 20, 2020 5:58
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.