I would like to enable complex passwords for DNN 4.05.05. I see that the Membership Provider Settings of the User Settings page has a Minimum Password Length and a Minimum No of Non AlphaNumeric Characters fields but they are not editable.

When I look into web.config I see a section Configuration for DNNSQLMembershipProvider: but it is commented out.

Since this section is commented out I assume that there are internal defaults which are in effect.

I understand that in DNN 4.03.07 changing these values caused big problems.

Can we now change this section in 4.05.05?

If so, I need some help with the values. Some of them seem obvious, like:

   minRequiredPasswordLength="int"
  minRequiredNonalphanumericCharacters="int"

should be changed to

  minRequiredPasswordLength="7"
  minRequiredNonalphanumericCharacters="1"

But what about the others? Do they all have to be set? Some of them seem to be configurable options in the Membership Provider Settings of the User Settings page and others are fixed. If they all have to be set could I get some help with the values?

Here are the settings I think I understand:

passwordAttemptThreshold="int"
  change to: passwordAttemptThreshold="5"
passwordAttemptWindow="int"
  change to: passwordAttemptWindow="10"
enablePasswordRetrieval="[true|false]"
  change to: enablePasswordRetrieval="true"
enablePasswordReset="[true|false]"
  change to: enablePasswordReset="true"
minRequiredPasswordLength="int"
  change to: minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="int"
  change to: minRequiredNonalphanumericCharacters="1"
passwordFormat="[Clear|Hashed|Encrypted]"
  change to: passwordFormat="Encrypted"

Here are the settings where I am not sure what to do:

connectionStringName="string"
requiresQuestionAndAnswer="[true|false]"
applicationName="string"
requiresUniqueEmail="[true|false]"
description="string" 
 

All of the settings are configurable in web.config, as you have noted.  You can add the commented-out settings.

If you want to see the current settings, click on User Settings from the Users page.  These tutorial will help point you in the right direction:

• DotNetNuke Users & Setting the Registration Options
• Working with DotNetNuke Security Roles
• Specifying The Required Fields Upon User Registration
• User Accounts: Adding, Editing, Viewing, Deleting
• How to Assign a Security Role to a User Account
• Assigning Security Roles to Pages and Modules

The first one should answer many of your questions. 

You can also find much of this in the "Professional DotNetNuke" book by Shaun Walker, et. al.  If you are serious about DotNetNuke, I think that this is a must-have.

One word of caution: DO NOT CHANGE THE PASSWORD FORMAT.  This will make all of your current passwords inoperative, and none of your users (including host and admin) will be able to log in.  There are ways to fix this, but you don't want to have to deal with that kind of problem!  

I'm not sure this really answers the question. The "Complex Password" requirement is part of Sarbanes-Oxley compliance for many companies. Security roles; public, private, and verified registration is not really part of the issue.

Here's the thing: I am referring to the "USER SETTINGS" page. There are 2 "Membership Provider Settings" that I need to change:

Minimum Password Length:

and

Minimum No of Non AlphaNumeric Characters:

Since these are not changeable in the "USER SETTINGS" page, I need to know how to do this in web.config.

If I set only those two tags in the web.config file this would be easy. But do I have to set them all?

If I do have to set them all, what are the correct values for:

connectionStringName="string"
requiresQuestionAndAnswer="[true|false]"
applicationName="string"
requiresUniqueEmail="[true|false]"
description="string"


When you say DO NOT CHANGE THE PASSWORD FORMAT are you referring to Encrypted vs. Hash vs. Clear? I would leave the password Encrypted so this would not change. The settings I want to change would enforce password complexity in a new installation. So, I can make sure the Host and portal Admin passwords are complex before making any changes.

Ok, I have found the answer to the correct values. I see the line:

type="System.Web.Security.SqlMembershipProvider" connectionStringName="SiteSqlServer"
enablePasswordRetrieval="true"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="0"
requiresUniqueEmail="false"
passwordFormat="Encrypted"
applicationName="DotNetNuke"
description="Stores and retrieves membership data from the local Microsoft SQL Server database" />

in the web.config file.

So, I will just change the minRequiredNonalphanumericCharacters to 1.