How can i configure Litium Password Policy?

Questions
1

What options do I have to modify this tag in web.config?

<passwordPolicy lockoutCount="-1" lockoutSeconds="300" expirePeriodInDays="-1" complexityRule="false" lengthRule="false" />

Litium version: 6

2

The following options are avaliable:

  • Litium:PasswordPolicy:LockoutCount (int)
  • Litium:PasswordPolicy:LockoutSeconds (int)
  • Litium:PasswordPolicy:RequireUppercase (bool)
  • Litium:PasswordPolicy:RequireDigit (bool)
  • Litium:PasswordPolicy:RequireLowercase (bool)
  • Litium:PasswordPolicy:RequireNonLetterOrDigit (bool)
  • Litium:PasswordPolicy:RequiredLength (int)
3

I just tried this in a solution implemented in Litium 7.2.0 and the only attribute that seems to work is RequiredLength.
This is my config:
<passwordPolicy lockoutCount="-1" lockoutSeconds="300" expirePeriodInDays="-1" complexityRule="false" lengthRule="true" RequireUppercase="true" RequreLowercase="true" RequireDigit="true" RequireNonLetterOrDigit="false" requiredLength="6" />

But I can choosse a password with e.g. just lowerCase chars. Is my config correct?

4

It looks correct, please submit this as a bug report. Se correct answer below

1 Like
5

Itā€™s not a bug.

In the web.config-section you canā€™t set all the options and instead you need to use the appSettings key/value with the options that you have in the solution-answer if you want to make more fine-granted changes.

1 Like
6

To clarify a bit after investigationā€¦

In the passwordPolicy-element in web.config you can only define the values already there:

<passwordPolicy lockoutCount="-1" lockoutSeconds="300" expirePeriodInDays="-1" complexityRule="false" lengthRule="false" />

Details on these options can be found on docs (see the password policy section).

The passwordPolicy element settings are then used by Litium to set values to the following options:

Litium:PasswordPolicy:LockoutCount (int)
Litium:PasswordPolicy:LockoutSeconds (int)
Litium:PasswordPolicy:RequireUppercase (bool)
Litium:PasswordPolicy:RequireDigit (bool)
Litium:PasswordPolicy:RequireLowercase (bool)
Litium:PasswordPolicy:RequireNonLetterOrDigit (bool)
Litium:PasswordPolicy:RequiredLength (int)
  • If ComplexityRule=true then the following options are set to true: RequireNonLetterOrDigit, RequireDigit, RequireLowercase, RequireUppercase
  • If LengthRule=true then RequiredLength is set to 6

And IF you need to be more granular in your setup, for example require a password to be at least 10 characters, you can add the specific option as an appSetting in Web.config:

<appSettings>
  <add key="Litium:PasswordPolicy:RequiredLength" value="10" />
  ...
2 Likes
7

Thank you both of you for ur answers.

@marten the correct key for lower case is Litium:PasswordPolicy:RequireLowercase, it is missing an ā€˜iā€™ in your answer :slight_smile:

2 Likes