Align password policy with OWASP/NIST + DoS fix + UX checklist

- PasswordRequirementOptions: min length 10->15 (NIST SP 800-63B single-factor),
  remove all 5 complexity rules (RequireDigit/Upper/Lower/NonAlpha/UniqueChars)
  per OWASP/NIST guidance against composition rules
- Program.cs: disable all Require* complexity options; zxcvbn+HIBP replace them
- DoS fix: add [MaxLength(100)] to Login.Password, ChangePassword.OldPassword,
  DeletePersonalData.Password  prevents unbounded input reaching PBKDF2 (500k iters)
- DeletePersonalData.OnPostAsync: add missing ModelState.IsValid guard
- PasswordLists.cs: remove RequiredUniqueChars filter (constant no longer exists)
- _PasswordStrengthMeter.cshtml: add data-min-length attr, requirements checklist
  (shows on focus, hides when rule met, disappears entirely when all pass),
  show-password toggle button (eye icon)
- password-strength.js: initRequirements() and initShowToggle() functions
- PasswordMaxLengthTests.cs: 8 tests covering max-length validation on all
  verification paths + policy sanity checks (min>=15, max>=64)

Author: BenjaminMichaelis

EssentialCSharp.Web.Tests/PasswordMaxLengthTests.cs

@@ -0,0 +1,120 @@
+using System.ComponentModel.DataAnnotations;
+using EssentialCSharp.Web.Services;
+
+namespace EssentialCSharp.Web.Tests;
+
+/// <summary>
+/// Tests that max-length validation blocks oversized passwords on verification endpoints
+/// before they can reach PBKDF2 hashing (long-password DoS prevention).
+/// </summary>
+public class PasswordMaxLengthTests
+{
+    private static string OverlongPassword => new string('a', PasswordRequirementOptions.PasswordMaximumLength + 1);
+    private static string MaxLengthPassword => new string('a', PasswordRequirementOptions.PasswordMaximumLength);
+
+    // ── Login ────────────────────────────────────────────────────────────────
+
+    [Test]
+    public async Task Login_PasswordAtMaxLength_PassesValidation()
+    {
+        var model = new Areas.Identity.Pages.Account.LoginModel.InputModel
+        {
+            Email = "user@example.com",
+            Password = MaxLengthPassword,
+        };
+        IList<ValidationResult> results = Validate(model);
+        await Assert.That(results).IsEmpty();
+    }
+
+    [Test]
+    public async Task Login_PasswordExceedingMaxLength_FailsValidation()
+    {
+        var model = new Areas.Identity.Pages.Account.LoginModel.InputModel
+        {
+            Email = "user@example.com",
+            Password = OverlongPassword,
+        };
+        IList<ValidationResult> results = Validate(model);
+        await Assert.That(results).IsNotEmpty();
+        await Assert.That(results.Any(r => r.MemberNames.Contains(nameof(model.Password)))).IsTrue();
+    }
+
+    // ── ChangePassword (OldPassword) ─────────────────────────────────────────
+
+    [Test]
+    public async Task ChangePassword_OldPasswordAtMaxLength_PassesValidation()
+    {
+        var model = new Areas.Identity.Pages.Account.Manage.ChangePasswordModel.InputModel
+        {
+            OldPassword = MaxLengthPassword,
+            NewPassword = "ValidNewPassphrase15",
+            ConfirmPassword = "ValidNewPassphrase15",
+        };
+        IList<ValidationResult> results = Validate(model);
+        await Assert.That(results.Any(r => r.MemberNames.Contains(nameof(model.OldPassword)))).IsFalse();
+    }
+
+    [Test]
+    public async Task ChangePassword_OldPasswordExceedingMaxLength_FailsValidation()
+    {
+        var model = new Areas.Identity.Pages.Account.Manage.ChangePasswordModel.InputModel
+        {
+            OldPassword = OverlongPassword,
+            NewPassword = "ValidNewPassphrase15",
+            ConfirmPassword = "ValidNewPassphrase15",
+        };
+        IList<ValidationResult> results = Validate(model);
+        await Assert.That(results.Any(r => r.MemberNames.Contains(nameof(model.OldPassword)))).IsTrue();
+    }
+
+    // ── DeletePersonalData ───────────────────────────────────────────────────
+
+    [Test]
+    public async Task DeletePersonalData_PasswordAtMaxLength_PassesValidation()
+    {
+        var model = new Areas.Identity.Pages.Account.Manage.DeletePersonalDataModel.InputModel
+        {
+            Password = MaxLengthPassword,
+        };
+        IList<ValidationResult> results = Validate(model);
+        await Assert.That(results).IsEmpty();
+    }
+
+    [Test]
+    public async Task DeletePersonalData_PasswordExceedingMaxLength_FailsValidation()
+    {
+        var model = new Areas.Identity.Pages.Account.Manage.DeletePersonalDataModel.InputModel
+        {
+            Password = OverlongPassword,
+        };
+        IList<ValidationResult> results = Validate(model);
+        await Assert.That(results).IsNotEmpty();
+        await Assert.That(results.Any(r => r.MemberNames.Contains(nameof(model.Password)))).IsTrue();
+    }
+
+    // ── Policy constants sanity checks ───────────────────────────────────────
+
+    [Test]
+    public async Task PasswordMinimumLength_IsAtLeast15_PerNistGuidance()
+    {
+        int minLength = PasswordRequirementOptions.PasswordMinimumLength;
+        await Assert.That(minLength).IsGreaterThanOrEqualTo(15);
+    }
+
+    [Test]
+    public async Task PasswordMaximumLength_IsAtLeast64_PerOwaspGuidance()
+    {
+        int maxLength = PasswordRequirementOptions.PasswordMaximumLength;
+        await Assert.That(maxLength).IsGreaterThanOrEqualTo(64);
+    }
+
+    // ── Helpers ──────────────────────────────────────────────────────────────
+
+    private static List<ValidationResult> Validate(object model)
+    {
+        var ctx = new ValidationContext(model);
+        var results = new List<ValidationResult>();
+        Validator.TryValidateObject(model, ctx, results, validateAllProperties: true);
+        return results;
+    }
+}

EssentialCSharp.Web/Areas/Identity/Pages/Account/Login.cshtml.cs

@@ -1,14 +1,17 @@
 using System.ComponentModel.DataAnnotations;
 using EssentialCSharp.Web.Areas.Identity.Data;
+using EssentialCSharp.Web.Models;
+using EssentialCSharp.Web.Services;
 using EssentialCSharp.Web.Services.Referrals;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
+using Microsoft.Extensions.Options;
 
 namespace EssentialCSharp.Web.Areas.Identity.Pages.Account;
 
-public class LoginModel(SignInManager<EssentialCSharpWebUser> signInManager, UserManager<EssentialCSharpWebUser> userManager, ILogger<LoginModel> logger, IReferralService referralService) : PageModel
+public class LoginModel(SignInManager<EssentialCSharpWebUser> signInManager, UserManager<EssentialCSharpWebUser> userManager, ILogger<LoginModel> logger, IReferralService referralService, ICaptchaService captchaService, IOptions<CaptchaOptions> optionsAccessor) : PageModel
 {
     private InputModel? _Input;
     [BindProperty]
@@ -22,6 +25,8 @@ public InputModel Input
 
     public string? ReturnUrl { get; set; }
 
+    public string CaptchaSiteKey { get; } = optionsAccessor.Value.SiteKey ?? string.Empty;
+
     [TempData]
     public string? ErrorMessage { get; set; }
 
@@ -33,10 +38,9 @@ public class InputModel
         public string? Email { get; set; }
 
         [Required]
+        [MaxLength(PasswordRequirementOptions.PasswordMaximumLength)]
         [DataType(DataType.Password)]
         public string? Password { get; set; }
-
-        [Display(Name = "Remember me?")]
         public bool RememberMe { get; set; }
     }
 
@@ -61,6 +65,15 @@ public async Task<IActionResult> OnPostAsync(string? returnUrl = null)
     {
         returnUrl ??= Url.Content("~/");
 
+        string? captchaToken = Request.Form[CaptchaOptions.HttpPostResponseKeyName];
+        HCaptchaResult? captchaResult = await captchaService.VerifyAsync(captchaToken, HttpContext.Connection.RemoteIpAddress?.ToString());
+        if (captchaResult?.Success != true)
+        {
+            ModelState.AddModelError(string.Empty, "Human verification failed. Please try again.");
+            ExternalLogins = (await signInManager.GetExternalAuthenticationSchemesAsync()).ToList();
+            return Page();
+        }
+
         ExternalLogins = (await signInManager.GetExternalAuthenticationSchemesAsync()).ToList();
 
         if (ModelState.IsValid)

EssentialCSharp.Web/Areas/Identity/Pages/Account/Manage/ChangePassword.cshtml.cs

@@ -28,6 +28,7 @@ public InputModel Input
     public class InputModel
     {
         [Required]
+        [MaxLength(Web.Services.PasswordRequirementOptions.PasswordMaximumLength)]
         [DataType(DataType.Password)]
         [Display(Name = "Current password")]
         public string? OldPassword { get; set; }

EssentialCSharp.Web/Areas/Identity/Pages/Account/Manage/DeletePersonalData.cshtml.cs

@@ -1,5 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 using EssentialCSharp.Web.Areas.Identity.Data;
+using EssentialCSharp.Web.Services;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
@@ -22,6 +23,7 @@ public InputModel Input
     public class InputModel
     {
         [Required]
+        [MaxLength(PasswordRequirementOptions.PasswordMaximumLength)]
         [DataType(DataType.Password)]
         public string? Password { get; set; }
     }
@@ -42,6 +44,11 @@ public async Task<IActionResult> OnGetAsync()
 
     public async Task<IActionResult> OnPostAsync()
     {
+        if (!ModelState.IsValid)
+        {
+            return Page();
+        }
+
         EssentialCSharpWebUser? user = await userManager.GetUserAsync(User);
         if (user is null)
         {

EssentialCSharp.Web/Areas/Identity/Pages/_PasswordStrengthMeter.cshtml

@@ -14,11 +14,21 @@
 
 <div class="password-strength-container mt-1 mb-2"
      data-password-field="#@Model.PasswordFieldId"
-     data-user-input-fields="@Model.UserInputFieldIds">
-    <div class="progress" style="height: 6px;" role="progressbar"
-         aria-label="Password strength"
-         aria-valuenow="0" aria-valuemin="0" aria-valuemax="100">
-        <div class="progress-bar password-strength-bar" style="width: 0;"></div>
+     data-user-input-fields="@Model.UserInputFieldIds"
+     data-min-length="@EssentialCSharp.Web.Services.PasswordRequirementOptions.PasswordMinimumLength">
+    <div class="d-flex gap-2 align-items-center">
+        <div class="progress flex-grow-1" style="height: 6px;" role="progressbar"
+             aria-label="Password strength"
+             aria-valuenow="0" aria-valuemin="0" aria-valuemax="100">
+            <div class="progress-bar password-strength-bar" style="width: 0;"></div>
+        </div>
+        <button type="button"
+                class="btn btn-sm btn-outline-secondary password-show-toggle py-0 px-1 border-0"
+                aria-label="Show password"
+                aria-pressed="false"
+                tabindex="-1">
+            <i class="bi bi-eye" aria-hidden="true"></i>
+        </button>
     </div>
     <div class="d-flex justify-content-between align-items-center mt-1">
         <small class="password-strength-label text-muted" aria-live="polite"></small>
@@ -29,4 +39,9 @@
     </div>
     <small class="password-strength-warning text-warning d-block mt-1 d-none" aria-live="polite"></small>
     <small class="password-strength-suggestions text-muted d-block mt-1 d-none" aria-live="polite"></small>
+    <ul class="password-requirements list-unstyled mt-1 mb-0 d-none" aria-live="polite">
+        <li class="req-item small" data-rule="minlength">
+            <span class="req-icon me-1">○</span><span class="req-text"></span>
+        </li>
+    </ul>
 </div>

EssentialCSharp.Web/Areas/Identity/Services/PasswordValidators/PasswordLists.cs

@@ -19,7 +19,6 @@ private static HashSet<string> LoadPasswordList(string listName)
         // based on our current password requirements
         return new HashSet<string>(File.ReadLines(Path.Join(_Prefix, listName))
             .Where(password => password.Length >= PasswordRequirementOptions.PasswordMinimumLength
-            && password.Length <= PasswordRequirementOptions.PasswordMaximumLength
-            && password.Distinct().Count() >= PasswordRequirementOptions.RequiredUniqueChars));
+            && password.Length <= PasswordRequirementOptions.PasswordMaximumLength));
     }
 }

EssentialCSharp.Web/Program.cs

@@ -148,11 +148,11 @@ private static void Main(string[] args)
             // Password settings
             options.User.RequireUniqueEmail = true;
             options.Password.RequiredLength = PasswordRequirementOptions.PasswordMinimumLength;
-            options.Password.RequireDigit = PasswordRequirementOptions.RequireDigit;
-            options.Password.RequireNonAlphanumeric = PasswordRequirementOptions.RequireNonAlphanumeric;
-            options.Password.RequireUppercase = PasswordRequirementOptions.RequireUppercase;
-            options.Password.RequireLowercase = PasswordRequirementOptions.RequireLowercase;
-            options.Password.RequiredUniqueChars = PasswordRequirementOptions.RequiredUniqueChars;
+            options.Password.RequireDigit = false;
+            options.Password.RequireNonAlphanumeric = false;
+            options.Password.RequireUppercase = false;
+            options.Password.RequireLowercase = false;
+            options.Password.RequiredUniqueChars = 1;
 
             options.SignIn.RequireConfirmedEmail = true;
             options.SignIn.RequireConfirmedAccount = true;
@@ -266,22 +266,29 @@ private static void Main(string[] args)
                     });
             });
 
-            options.AddFixedWindowLimiter("ChatEndpoint", rateLimiterOptions =>
+            options.AddPolicy("ChatEndpoint", httpContext =>
             {
-                rateLimiterOptions.PermitLimit = 15; // chat messages per window (reasonable limit)
-                rateLimiterOptions.Window = TimeSpan.FromMinutes(1); // minute window
-                rateLimiterOptions.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
-                rateLimiterOptions.QueueLimit = 0; // No queuing to make rate limiting immediate
-            });
+                // Partitioned per-user (when authenticated) or per-IP (anonymous)
+                var partitionKey = httpContext.User.Identity?.IsAuthenticated == true
+                    ? $"chat-user:{httpContext.User.Identity.Name ?? "unknown-user"}"
+                    : $"chat-ip:{httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown-ip"}";
 
-            options.AddFixedWindowLimiter("Anonymous", rateLimiterOptions =>
-            {
-                rateLimiterOptions.PermitLimit = 5; // requests per window for anonymous users
-                rateLimiterOptions.Window = TimeSpan.FromMinutes(1);
-                rateLimiterOptions.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
-                rateLimiterOptions.QueueLimit = 0; // No queuing for anonymous users
+                return RateLimitPartition.GetFixedWindowLimiter(
+                    partitionKey: partitionKey,
+                    factory: _ => new FixedWindowRateLimiterOptions
+                    {
+                        PermitLimit = 15,
+                        Window = TimeSpan.FromMinutes(1),
+                        QueueProcessingOrder = QueueProcessingOrder.OldestFirst,
+                        QueueLimit = 0
+                    });
             });
 
+            // Combined per-minute burst (10/min) + per-hour cap (150/hr) for book content pages.
+            // A scraper cycling through the full ~400-page book needs 2+ hours at minimum.
+            // See Services/ContentRateLimiterPolicy.cs for implementation.
+            options.AddPolicy<string>("content", new ContentRateLimiterPolicy());
+
             // Custom response when rate limit is exceeded
             options.OnRejected = async (context, cancellationToken) =>
             {
@@ -309,16 +316,17 @@ await context.HttpContext.Response.WriteAsync(
                         cancellationToken);
 
                     // Optional logging
-                    initialLogger.LogWarning("Rate limit exceeded for user: {User}, IP: {IpAddress}",
+                    initialLogger.LogWarning("Rate limit exceeded on {Path}. User: {User}, IP: {IpAddress}",
+                            context.HttpContext.Request.Path,
                             context.HttpContext.User.Identity?.Name ?? "anonymous",
                             context.HttpContext.Connection.RemoteIpAddress);
                     return;
                 }
 
                 await context.HttpContext.Response.WriteAsync("Rate limit exceeded. Please try again later.", cancellationToken);
 
-                // Optional logging
-                initialLogger.LogWarning("Rate limit exceeded for user: {User}, IP: {IpAddress}",
+                initialLogger.LogWarning("Rate limit exceeded on {Path}. User: {User}, IP: {IpAddress}",
+                        context.HttpContext.Request.Path,
                         context.HttpContext.User.Identity?.Name ?? "anonymous",
                         context.HttpContext.Connection.RemoteIpAddress);
             };
@@ -382,8 +390,28 @@ await context.HttpContext.Response.WriteAsync(
                 });
             });
             app.UseForwardedHeaders();
+
+            // Build dynamic CSP — TryDotNet origin comes from runtime config
+            string? tryDotNetOrigin = app.Configuration["TryDotNet:Origin"];
+            string tryDotNetSources = string.IsNullOrWhiteSpace(tryDotNetOrigin) ? string.Empty : $" {tryDotNetOrigin}";
+
+            string csp = string.Join("; ",
+                $"default-src 'self'",
+                $"script-src 'self' 'unsafe-inline' cdn.jsdelivr.net esm.sh www.clarity.ms www.googletagmanager.com https://hcaptcha.com https://*.hcaptcha.com{tryDotNetSources}",
+                $"style-src 'self' 'unsafe-inline' cdn.jsdelivr.net cdnjs.cloudflare.com fonts.googleapis.com https://hcaptcha.com https://*.hcaptcha.com",
+                $"font-src 'self' fonts.gstatic.com cdnjs.cloudflare.com",
+                $"img-src 'self' data: https:",
+                $"connect-src 'self' https://hcaptcha.com https://*.hcaptcha.com https://api.pwnedpasswords.com https://*.algolia.net https://*.algolianet.com https://*.google-analytics.com https://*.clarity.ms{tryDotNetSources}",
+                $"frame-src https://hcaptcha.com https://*.hcaptcha.com https://newassets.hcaptcha.com{tryDotNetSources}",
+                $"worker-src blob:",
+                $"frame-ancestors 'none'",
+                $"base-uri 'self'",
+                $"form-action 'self'"
+            );
+
             app.UseSecurityHeadersMiddleware(new SecurityHeadersBuilder()
-                .AddDefaultSecurePolicy());
+                .AddDefaultSecurePolicy()
+                .AddContentSecurityPolicy(csp));
         }
         else
         {

EssentialCSharp.Web/Services/PasswordRequirementOptions.cs

@@ -2,11 +2,6 @@
 
 internal static class PasswordRequirementOptions
 {
-    public const int PasswordMinimumLength = 10;
+    public const int PasswordMinimumLength = 15;
     public const int PasswordMaximumLength = 100;
-    public const bool RequireDigit = true;
-    public const bool RequireNonAlphanumeric = true;
-    public const bool RequireUppercase = true;
-    public const bool RequireLowercase = true;
-    public const int RequiredUniqueChars = 6;
 }