0

Possible Duplicate:
Password validation regex

Between 8 and 16 characters, with at least 1 character from each of the 3 character classes - alphabetic upper and lower case, numeric, symbols.

I have this code, but it doesn't work: when I write more than 16 characters, it reports the password as valid, but it should not. Also, it should work with 3 character classes, but it works with 4. Where's my mistake?

http://jsbin.com/ugesow/1/edit

<label for="pass">Enter Pass: </label>
<input type="text" id="pass" onkeyup="validate()">

Script

function validate() {
    valor = document.getElementById('pass').value;
    if (!(/(?=.{8,16})(?=.*?[^\w\s])(?=.*?[0-9])(?=.*?[A-Z]).*?[a-z].*/.test(valor))) {

        document.getElementById('pass').style.backgroundColor = "red";
    } else {
        document.getElementById('pass').style.backgroundColor = "#adff2f";
    }
}
Kakitori

4 Answers

1

Regular expressions are not a panacea. It's not too hard to do it, mixing with regular code:

function validatePassword(password) {
    // First, check the length.
    // Please see my comment on the question about maximum password lengths.
    if(password.length < 8 || password.length > 16) return false;
    // Next, check for alphabetic characters.
    if(!/[A-Z]/i.test(password)) return false;
    // Next, check for numbers.
    if(!/\d/.test(password)) return false;
    // Next, check for anything besides those.
    if(!/[^A-Z\d]/i.test(password)) return false;
    // If we're here, it's valid.
    return true;
}

However, I'd look into something like zxcvbn, a password checker, which I think is a better password quality checker, checking things like common dictionary words after un-13375p3/-\kification and dealing with entropy decently. It is used, among others, by Dropbox. Try it here.

icktoofay
0

You need to anchor the match to the beginning of the string, and anchor the first lookahead to the end:

^(?=.{8,16}$)

Also, the last lookahead needs to be split in two:

(?=.*?[A-Z])(?=.*?[a-z])
Alan Moore
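The effect of the two anchors described in the answer above, as an added example that is not part of the original post. The `endOnly` and `anchored` patterns are assembled here from the answer's fragments and the asker's other lookaheads (an assumption), and the sample passwords are constructed.

```javascript
// Added example, not code from the page. The patterns differ only in anchoring.
const patterns = {
  // The asker's pattern, unchanged.
  original: /(?=.{8,16})(?=.*?[^\w\s])(?=.*?[0-9])(?=.*?[A-Z]).*?[a-z].*/,
  // Assumption: only `$` added to the length lookahead, no leading `^`.
  endOnly: /(?=.{8,16}$)(?=.*?[^\w\s])(?=.*?[0-9])(?=.*?[A-Z])(?=.*?[a-z])/,
  // Assumption: the answer's fragments assembled into one pattern.
  anchored: /^(?=.{8,16}$)(?=.*?[^\w\s])(?=.*?[0-9])(?=.*?[A-Z])(?=.*?[a-z])/,
};

// Constructed sample inputs.
const samples = [
  "Ab1!",               // 4 chars: too short
  "Abcdef1!",           // 8 chars: lower bound
  "Abcdefghijklmn1!",   // 16 chars: upper bound
  "aBcdefghijklmno1!",  // 17 chars: too long
  "abcdefg1!",          // no upper-case letter
  "Abcdefg1_",          // "_" is matched by \w, so it is not a symbol here
];

// Index at which the pattern starts matching, or -1 for no match.
function matchIndex(name, password) {
  const m = patterns[name].exec(password);
  return m ? m.index : -1;
}

function accepts(name, password) {
  return matchIndex(name, password) !== -1;
}

// One row per input: which of the three patterns accept it.
function report(inputs) {
  return inputs.map((pw) => ({
    password: pw,
    length: pw.length,
    original: accepts("original", pw),
    endOnly: accepts("endOnly", pw),
    anchored: accepts("anchored", pw),
  }));
}

console.table(report(samples));
```

The 17-character sample is accepted by `original` at index 0 and by `endOnly` at index 1, because without `^` the engine retries from later positions until 16 characters remain; only the pattern with both anchors rejects it.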
-3

Why don't you just test for the three character sets with regular expressions:

[A-Za-z0-9]+

Then count the length of the string to validate the length.

Espresso
  • 3
    your regex accepts almost every non symbol character, this is not what he asked – vault Feb 05 '13 at 01:39
  • I used the notation found in "the Dragon Book" as I had thought that was the standard. I reckoned it would be easy enough to translate it to the JavaScript syntax. :\ – Espresso Feb 05 '13 at 01:50
  • 1
    I haven't read it, but I would expect a book on compilers to talk about theory-pure regular expressions, not the regexes we use for string manipulations. Big, *big* difference. – Alan Moore Feb 05 '13 at 02:00
-3

What about this range:

/[A-Za-z0-9$-/:-?{-~!"^_`\[\]]/

So you can check first

/[A-Za-z]+/ 

then

/\d+/ 

and finally

/[$-/:-?{-~!"^_`\[\]]+/  

If it passes you can check the length.

You can see this link to see why the symbols work.

Kaeros
  • He can use these to check for the things he needs, it's not the actual regex. – Kaeros Feb 05 '13 at 01:51
  • you seem the only one to think that – vault Feb 05 '13 at 01:52
  • Really? He can check for symbols, letters and numbers. So if he does something like: /[A-Za-z]+/ then /\d+/ and finally /[$-/:-?{-~!"^_`\[\]+] he can do what he wants... there is a better way, but it is valid. – Kaeros Feb 05 '13 at 01:54
  • This does *not* do what the OP was asking for. A single character password would pass, which is *incorrect* by the requirement. – Andrew Barber Feb 06 '13 at 15:07