Password strength via regular express?

Question

I would like to use a regular expression in the ASP.NET membership. What is a regular express for the below?

at least 8 characters long
include at least one upper case letter
one lower case letter
one number

If you are also interested in doing that client side this might interest you: http://stackoverflow.com/questions/1388609/jquery-password-strength-checker And you could actually use the different part of the expression wrote in this thread and check the password strengh gradually on your server side. — Maresh, May 17 '13 at 11:25

score 1 · Accepted Answer · edited May 17 '13 at 12:31

1

try this..

^((?=.*\d)(?=.*[A-Z])(?=.*[a-z]).{8,})

edited May 17 '13 at 12:31

Tim Pietzcker

328,213
58
503
561

answered May 17 '13 at 12:15

A.T.

24,694
8
47
65

Snifff · Answer 2 · 2013-05-17T12:18:13.997

0

You could use something like that:

^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[a-zA-Z\d=:;<>,~!@#\\$%/^&)(\[\]+-]{8,}$

Test it here. You may also want to learn about the "?=" thing, which is called "positive lookahead" here. In short, when all three lookaheads (.*\d and .*[a-z] and .*[A-Z]) are matched (and are discarded), the main regex [a-zA-Z\d=:;<>,~!@#\\$%/^&)(\[\]+-]{8,} can be matched too.

edited May 17 '13 at 12:18

answered May 17 '13 at 11:27

Snifff

1,784
2
16
28

Why restrict the valid characters? That wasn't in the spec. Also, your explanation is incorrect. The lookaheads don't follow the regex match. – Tim Pietzcker May 17 '13 at 11:48
Agreed partly, but not all of the characters are valid. We do not have a valid characters list, so I placed the most strict restriction. I did not say lookaheads follow regex match. I'll try to fix the misunderstanding) – Snifff May 17 '13 at 11:51
So you want to force users to use passwords that are less safe? Why? – Tim Pietzcker May 17 '13 at 11:52
My decision is based on unknown storage restrictions and on the fact this is an example. It could be just ".{8,}", or he could add the special character he wants to be allowed. – Snifff May 17 '13 at 11:55
Added some more allowed characters as suggested by Tim Pietzcker . – Snifff May 17 '13 at 12:19

score 0 · Answer 3 · answered May 17 '13 at 12:37

0

Do you have to do this in one regex? I would make each of those rules one regex, and test for them individually. I suspect you code will end up being simpler, and you'll save yourself and whoever has to maintain your application several headaches.

answered May 17 '13 at 12:37

Zissou

227
1
8

I realize what your saying.. the thing is this is a textbox field for a software system. – TruMan1 May 17 '13 at 12:44

Password strength via regular express?

3 Answers3