I have an MVC 3 application with two security zones. The first mainly keeps the public out but does not protect very sensitive information; the password strength there may be weak, since there is not much harm to be done.
The second zone is restricted: a user must apply for access. If a user is granted access, he is given a specific role, and each controller method authorizes the user based on this role.
I want these users to have to change their password to a strong password the next time they log in, before they can continue to access the restricted content.
Example:
User A applies for access. Access is granted. The password policy for this user is changed for as long as he has access: he must change his password the next time he logs in, and he will not be able to change it back to a weaker password while he has this role.
Is there a safe way to implement this using ASP.NET?
Update
I actually used the solution proposed by Chris and it works, but for the validation of the password itself I took my inspiration from Micah's proposed solution. However, it turns out that overriding MembershipProvider.OnValidatingPassword also involves implementing 10+ abstract methods that I really don't need to solve this problem.
The best solution in my eyes was to hook into the Membership.ValidatingPassword event. I hook it up in App_Start, then implement my own password check in the event handler, and this solved my problem.
Just to share the solution with you, I present it here together with Chris's solution; this solved my problem and hopefully it helps someone else:
    // Global.asax.cs
    protected void Application_Start()
    {
        // Register a custom validation handler that runs on every password change
        Membership.ValidatingPassword += Membership_ValidatingPassword;
    }

    private static void Membership_ValidatingPassword(object sender, ValidatePasswordEventArgs e)
    {
        // If the user is a new user, let registration happen without a strong password
        if (e.IsNewUser)
            return;

        MembershipUser membershipUser = Membership.GetUser(e.UserName);
        if (membershipUser == null)
            return;

        // SqlMembershipProvider uses a Guid as the provider user key
        Guid userId = (Guid)membershipUser.ProviderUserKey;

        // First check whether the password is strong enough to be flagged; if so, flag it.
        // The check uses a regex (20 characters, 2 upper-case letters, and so on).
        if (MyValidationClass.IsStrongPassword(e.Password, 20, 2, 4, 1))
        {
            // If the user does not already have a flag, set one
            MyValidationClass.SetStrongPasswordFlag(userId);
        }
        else
        {
            // If the user needs a strong password, cancel the operation and report the failure
            if (MyValidationClass.NeedsStrongPassword(e.UserName))
            {
                e.FailureInformation = new MembershipPasswordException("Password does not satisfy requirements!");
                e.Cancel = true;
            }
            else
            {
                // Weak password is still allowed for this user: clear any stale flag
                MyValidationClass.RemoveStrongPasswordFlag(userId);
            }
        }
    }
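As an added example that is not part of the original post nor of Chris's or Micah's answers, here is the other half of the problem: gating the restricted controllers so a user in the restricted role is redirected to the change-password page until he has actually set a strong password, together with an implementation of the strength check. It assumes a hypothetical per-user flag store (IPasswordFlagStore, backed by an in-memory dictionary here only for illustration; the post's MyValidationClass would persist it in the database), a role named "Restricted", an AccountController with a ChangePassword action, and that the strength-check parameters mean minimum length, upper-case letters, digits and non-alphanumeric characters, which is a guess at the post's (20, 2, 4, 1).

```csharp
// Added example: strong-password gate for an ASP.NET MVC 3 restricted zone.
// Everything below is hypothetical illustration code, not the post's own code.
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Web.Mvc;
using System.Web.Routing;
using System.Web.Security;

public static class PasswordPolicy
{
    // Assumed meaning of the post's (20, 2, 4, 1): length, upper-case, digits, non-alphanumeric.
    public static bool IsStrongPassword(string password, int minLength, int minUpper, int minDigits, int minSpecial)
    {
        if (string.IsNullOrEmpty(password) || password.Length < minLength)
            return false;
        int upper = password.Count(char.IsUpper);
        int digits = password.Count(char.IsDigit);
        int special = password.Count(c => !char.IsLetterOrDigit(c));
        return upper >= minUpper && digits >= minDigits && special >= minSpecial;
    }
}

// Per-user "has set a strong password" state; the post's event handler sets and clears it.
public interface IPasswordFlagStore
{
    bool HasStrongPassword(Guid userId);
    void SetStrongPassword(Guid userId, bool value);
}

// In-memory store for illustration only: it is lost on app-pool recycle, so a real
// deployment persists the flag next to the membership user in the database.
public class InMemoryPasswordFlagStore : IPasswordFlagStore
{
    private readonly ConcurrentDictionary<Guid, bool> _flags = new ConcurrentDictionary<Guid, bool>();

    public bool HasStrongPassword(Guid userId)
    {
        bool value;
        return _flags.TryGetValue(userId, out value) && value;
    }

    public void SetStrongPassword(Guid userId, bool value)
    {
        _flags[userId] = value;
    }
}

// Decorate every restricted controller or action with this attribute. It first authorizes
// by role (base AuthorizeAttribute), then refuses to serve the content until the flag is set,
// sending the user to ChangePassword instead. Users without the flag (including those whose
// current password predates the policy) therefore must change it before they get in.
public class RequireStrongPasswordAttribute : AuthorizeAttribute
{
    public const string RestrictedRole = "Restricted";

    // Set once in Application_Start; assumed global for the example.
    public static IPasswordFlagStore Flags = new InMemoryPasswordFlagStore();

    public RequireStrongPasswordAttribute()
    {
        Roles = RestrictedRole;
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);
        if (filterContext.Result != null)
            return; // not authenticated or not in role: base class already set the 401 result

        // userIsOnline: false so this lookup does not touch LastActivityDate
        MembershipUser user = Membership.GetUser(filterContext.HttpContext.User.Identity.Name, false);
        if (user == null)
        {
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        if (!Flags.HasStrongPassword((Guid)user.ProviderUserKey))
        {
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary(new
            {
                controller = "Account",
                action = "ChangePassword",
                returnUrl = filterContext.HttpContext.Request.RawUrl
            }));
        }
    }
}
```

The ChangePassword action itself must carry only a plain [Authorize], never [RequireStrongPassword], or the redirect loops. The filter only gates MVC actions, so it complements rather than replaces the ValidatingPassword hook in the post: the hook is what stops a weak password from being saved in the first place, and the filter is what stops the user from reaching restricted content before the flag is set. Avoid [OutputCache] on gated actions, since a cached response would be served without running the filter.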