RequireNonLetterOrDigit does not allow to use letters and digits

[JGrzybowski]

I used ASP.NET 5 MVC6 Project Template with User Authentication, changed default password requirements to:

o.Password.RequireDigit = false;
o.Password.RequireLowercase = true;
o.Password.RequireUppercase = true;
o.Password.RequireNonLetterOrDigit = true; 
o.Password.RequiredLength = 6;

When I try to register with passwords having Upper, lower and digit the user manager fails to create an account because Failed : PasswordRequiresNonLetterAndDigit When I change RequireNonLetterOrDigit to false problem disappears.

1.0.0-rc1-final

[MaximRouiller]

Do you have a sample password that fails?

[JGrzybowski]

user0Pass

[MaximRouiller]

Seems to be a bug.

Here's the corresponding line: https://github.com/aspnet/Identity/blob/3.0.0-rc1/src/Microsoft.AspNet.Identity/PasswordValidator.cs#L55

And relevant code:

if (options.RequireNonLetterOrDigit && password.All(IsLetterOrDigit))
{
    errors.Add(Describer.PasswordRequiresNonLetterAndDigit());
}

[MaximRouiller]

That seems to be the bug. If a password have a digit, with RequireNonLetterOrDigit, it should be valid... yet if the password is all letters or digits... it fails.

[MaximRouiller]

Maybe the name should have been RequireNonLetter since this is exactly what this is doing.

@rustd? What do you think?

[rustd]

@HaoK?

[HaoK]

It's always been this way. it means there must be one non letter and non digit.

[divega]

Ah, I think it is starting to make sense to me... So, if we could use parenthesis in names it would be called RequireNon(LetterOrDigit) 😄 But honestly, when I read it the first time I interpreted the same way as @JGrzybowski and @MaximRouiller apparently did, i.e. Require(NonLetter)OrDigit.

Maybe we can come up with a name that is no ambiguous. Was RequireNonAlphanumeric ever considered?

[HaoK]

I forget the exact naming history. I think it was called that at some point. Also RequireNonLetterAndDigit I think too.

[divega]

See the SO questions:

http://stackoverflow.com/questions/25865952/requirenonletterordigit-not-correctly-validated

(I think there is a bug in the question, e.g. the flag should be set to true instead of false)

http://stackoverflow.com/questions/24796454/how-to-change-password-validation-in-asp-net-mvc-identity-2/24819318#24819318

And this forum thread:

http://forums.asp.net/t/1998093.aspx?Error+message+unclear+Passwords+must+have+at+least+one+non+letter+or+digit+character+

It seems customers have been hitting the ambiguity in the property name, the API documentation for it and even the validation error for a while.

[JGrzybowski]

Also, there should be a way to require nonletter character. I think it was possible in previous version of framework.

[HaoK]

How about we go with RequireNonAlphanumeric and change the error text to be: "Passwords must have at least one non alphanumeric character."

[MaximRouiller]

@HaoK sounds very good! 😄

[HaoK]

84804fe

[MaximRouiller]

👍