
Validate Password Complexity


The ChangePasswordByUser Action is accessible by end users when the Standard Authentication type is used in an XAF application. By default, end users have the ability to change their passwords and set simple or even empty passwords. However, the production environment can have strict security, and it may therefore be required to use only complex passwords. The solution is to validate a new password value when an end user attempts to change a password.

The Change My Password dialog contains the ChangePasswordParameters Detail View.


The NewPassword is a property to be validated. As this property is implemented in the Security module, the best way to validate it is to apply the rule via the Model Editor.


Make sure that the Security module is added to the list of required modules in the Module Designer of the module that you customize.

  • Right-click the Validation | Rules node. Select Add… | RuleRegularExpression. Set the new rule’s ID property to “Password is complex”. Set TargetType to “DevExpress.ExpressApp.Security.ChangePasswordOnLogonParameters”, TargetPropertyName to “NewPassword”, TargetContextIDs to “ChangePassword” and SkipNullOrEmptyValues to “False”. Set the Pattern property to “^(?=.*[a-zA-Z])(?=.*\d).{6,}$”. This regular expression matches only passwords that are at least 6 characters long and contain at least one letter and at least one digit. Replace the MessageTemplateMustMatchPattern value with a user-friendly message that describes password requirements. For instance, you can type “New password must consist of at least 6 alphanumeric characters.”



    You can compose your own pattern to fit your password requirements. If you are not familiar with regular expressions, you can refer to the website to search for an appropriate regular expression. If you only want to prohibit the use of an empty password, create the RuleRequiredField Rule instead of RuleRegularExpression.

  • The Change Password dialog contains the OK button. This button is an Action that has the DialogOK ID. Navigate to ActionDesign | Actions | DialogOK and set the ValidationContexts property to “ChangePassword”. As a result, the “ChangePassword” validation context identifier will be associated with the DialogOK Action.

  • The Validation system is not fully initialized until a user has logged into the application. To initialize the Validation system, edit the Module.cs (Module.vb) file, override the ModuleBase.Setup method and handle the XafApplication.SetupComplete event. In the event handler, access the Validation Module and call its ValidationModule.InitializeRuleSet method. This ensures that your validation rules are also checked in the “Change Password on First Logon” screen.

using System;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Validation;
public override void Setup(XafApplication application) {
    base.Setup(application);
    application.SetupComplete += application_SetupComplete;
}
void application_SetupComplete(object sender, EventArgs e) {
    // Load the validation rules before logon so that they apply to the first-logon dialog.
    ValidationModule module = ((XafApplication)sender).Modules.FindModule<ValidationModule>();
    if (module != null) module.InitializeRuleSet();
}
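Before pasting a Pattern value into the Model Editor, it helps to run it against a table of passwords that must be accepted or rejected. The console program below is an added example, not DevExpress code; the sample passwords are constructed, StrictPattern is a hypothetical tighter variant, and it assumes the rule evaluates the pattern with default .NET Regex options.

```csharp
using System;
using System.Text.RegularExpressions;

static class PasswordPatternCheck {
    // Pattern value from the rule on this page.
    const string PagePattern = @"^(?=.*[a-zA-Z])(?=.*\d).{6,}$";
    // Hypothetical tighter variant: ASCII digits only, anchored to the true start and end.
    const string StrictPattern = @"\A(?=.*[a-zA-Z])(?=.*[0-9]).{6,}\z";

    // Constructed samples: password, expected result for PagePattern, reason.
    static readonly (string Password, bool Expected, string Why)[] Samples = {
        ("",            false, "empty"),
        ("abcdef",      false, "no digit"),
        ("123456",      false, "no letter"),
        ("abc12",       false, "shorter than 6"),
        ("abcde1",      true,  "minimum that passes"),
        ("aaaaa1",      true,  "repetitive, still passes"),
        ("a 1 !?",      true,  "'.' accepts spaces and symbols"),
        ("\u00e9\u00e9\u00e9\u00e9\u00e91", false, "[a-zA-Z] is ASCII-only"),
        ("abcde\u0661", true,  "\\d accepts non-ASCII digits in .NET"),
        ("abcde1\n",    true,  "'$' also matches before a final newline"),
    };

    static void Main() {
        var page = new Regex(PagePattern);
        var strict = new Regex(StrictPattern);
        int mismatches = 0;
        foreach (var s in Samples) {
            bool actual = page.IsMatch(s.Password);
            if (actual != s.Expected) mismatches++;
            Console.WriteLine("page={0,-5} strict={1,-5} {2,-12} {3}",
                actual, strict.IsMatch(s.Password),
                s.Password.Replace("\n", "\\n"), s.Why);
        }
        Console.WriteLine(mismatches == 0
            ? "PagePattern behaves as listed."
            : mismatches + " mismatch(es).");
    }
}
```

The last two rows are the ones where the two patterns disagree: the page's pattern accepts a non-ASCII digit and a trailing newline, while the stricter variant rejects both.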

Application administrators will still have the ability to assign an insecure password to a user via the ResetPassword Action. You can, however, use the above solution to validate the ResetPasswordParameters.Password property.

The following window is displayed when an end user provides a new password that does not meet the complexity requirements.

