When creating a Tenant you can configure the default password requirements. All of the Security Features are handled on the Settings/Security Page. If you grant a Tenant access to that page, which may be important for them to control things like User Lockout and Two-Factor Authentication, you also give them the ability to change the password requirements. This means a Tenant could set up a 3-letter password requirement, which compromises security for the entire application.
Is there a way to set or hardcode a minimum password requirement where the User cannot go below, for example 8 characters?
Another option would be to split off the Password Settings into a different Page Permission from Settings, that way the User still has access to the other parts of the Settings/Security but the Host could determine if Tenants can or cannot change the Password Complexity.
1 Answer(s)
You can achieve your request by overriding the UpdatePasswordComplexitySettingsAsync method in TenantSettingsAppService. When the tenant saves the password complexity, check whether it's below what you intend. You can put a validation error on the client side as well.
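One way to write the server-side check the answer describes, as an added example that is not ASP.NET Zero's code or the answerer's: a standalone floor check to call from the overridden UpdatePasswordComplexitySettingsAsync before anything is saved. PasswordPolicy, PasswordPolicyFloor and the floor values are hypothetical; map the tenant's submitted settings onto them.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical stand-in for the settings a tenant submits; map your own DTO onto it.
public sealed record PasswordPolicy(int RequiredLength, bool RequireDigit,
    bool RequireLowercase, bool RequireUppercase, bool RequireNonAlphanumeric);

public static class PasswordPolicyFloor
{
    // Host-defined floor (assumed values): tenants may tighten these, never loosen them.
    public static readonly PasswordPolicy HostMinimum = new(RequiredLength: 8,
        RequireDigit: true, RequireLowercase: true,
        RequireUppercase: false, RequireNonAlphanumeric: false);

    // Lists every way the submitted policy is weaker than the floor; empty means acceptable.
    public static IReadOnlyList<string> Violations(PasswordPolicy submitted, PasswordPolicy floor)
    {
        if (submitted is null) throw new ArgumentNullException(nameof(submitted));
        if (floor is null) throw new ArgumentNullException(nameof(floor));
        var problems = new List<string>();
        if (submitted.RequiredLength < floor.RequiredLength)
            problems.Add($"RequiredLength must be at least {floor.RequiredLength}.");
        CheckFlag(problems, "RequireDigit", submitted.RequireDigit, floor.RequireDigit);
        CheckFlag(problems, "RequireLowercase", submitted.RequireLowercase, floor.RequireLowercase);
        CheckFlag(problems, "RequireUppercase", submitted.RequireUppercase, floor.RequireUppercase);
        CheckFlag(problems, "RequireNonAlphanumeric",
            submitted.RequireNonAlphanumeric, floor.RequireNonAlphanumeric);
        return problems;
    }

    // A rule the host requires cannot be switched off by the tenant.
    private static void CheckFlag(List<string> problems, string name, bool submitted, bool required)
    {
        if (required && !submitted)
            problems.Add($"{name} is required by the host and cannot be disabled.");
    }

    // Call before persisting: throwing aborts the save, so a weaker policy is never stored.
    public static void EnsureAllowed(PasswordPolicy submitted)
    {
        var problems = Violations(submitted, HostMinimum);
        if (problems.Count > 0)
            throw new InvalidOperationException(string.Join(" ", problems));
    }
}
```

Because the check runs in the application service, it also covers requests sent directly to the API; a client-side validation message only improves the user experience.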