Best practice for defining a password policy


What is the out-of-the-box password policy for servicestack and what is the preferred method to override it and define our own?

We’re looking to implement things like:

  • Minimum number of character types (numeric, alpha, special etc).
  • Prevent re-use of a previous password.
  • Prevent anyone changing passwords more than once in 24 hours.
  • A separate policy for administrators.

ServiceStack doesn’t impose any password restrictions other than they should match.

Most auth-enabled templates include an example of a CustomRegisterValidator you can use to add additional validation to Register requests using Fluent Validation in Configure.Auth.cs.

E.g. you can use Must or MustAsync to perform custom validation that needs to perform Async I/O.

I found some examples applying password validation on StackOverflow:

1 Like