I have a quick question, I plan to use the following regex to test a password field:

/^\S{8,24}$/

The restrictions are:

Any character other than white-space is allowed, length between 8 and 24.

Does anyone anticipate any problems that might arise as a result of using this regex for a password?

Pshemo
ViniH
  • Why can't I use whitespaces in a password? That is, why can't I use a passphrase such as '`The mammoth ran quickly`'? – Chris Forrence Jun 02 '13 at 17:11
  • Out of curiosity, why restrict whitespace? – Mike Pelley Jun 02 '13 at 17:11
  • And why restrict length? – Alan Jun 02 '13 at 17:11
  • Basically, user1593524, your regex _will_ suffice for your specified restrictions. That being said, I think the bigger issue is the restrictions themselves; those should probably be expanded. I understand that you don't want passwords to just be eight spaces! However, as it stands, a password of `aaaaaaaa` or `12345678` would be valid under the restrictions. – Chris Forrence Jun 02 '13 at 17:17
  • [XKCD - Password Strength](http://xkcd.com/936/). – Bernhard Barker Jun 02 '13 at 17:21
  • A good example of why offering the user some advice on the strength of an entered password is better than arbitrary restrictions. – ViniH Jun 02 '13 at 17:57

2 Answers

If you were asking whether the supplied restrictions are good:

Not really, problems:

  1. Some people want white-space.
  2. Some people want a password longer than 24 characters.
  3. Not forcing a certain range of characters allows people to enter very simple passwords which can very easily be cracked. For example, an 8-character password with only lowercase characters, as people will do, has 26^8 = 208827064576 possibilities, which could take as little as a few minutes to run through. Not to mention passwords with all characters being the same. Many websites require at least:
    • A number
    • An uppercase character
    • A lowercase character

Google "regex password validation" to get some ideas, there's a ton. First link.

If you were asking whether the regex enforces the supplied restrictions:

Yes, it's fine.

Bernhard Barker
  • The latter, I was having a debate with a colleague who thought that the above regex would potentially fail to work if certain characters were pasted into the field. – ViniH Jun 02 '13 at 17:31
  • Note: I have no intention of using this, I have a fairly robust regex for password checking that I have been using for years, it was just to settle a debate (a bit of a silly debate IMO). – ViniH Jun 02 '13 at 17:31
  • Anything that classifies as white-space will cause it to fail. This could include characters which may not display as a visible space, but it's still there and still white-space. You should ask your fellow debatee for an example. – Bernhard Barker Jun 02 '13 at 17:36
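The asker's regex from the question, and the "characters which may not display as a visible space" point from the comment above, exercised together as an added example in JavaScript. This is not code from the question or from either answer; the sample passwords, the list of pasted characters and the function names are constructed here.

```javascript
// Added example, not from the original question or answers: exercises the
// asker's regex /^\S{8,24}$/ against the stated restrictions and against
// characters a user might paste into the field. Sample passwords and the
// list of pasted characters below are constructed for this example.
const PASSWORD_RE = /^\S{8,24}$/;

function accepts(password) {
  return PASSWORD_RE.test(password);
}

// Code points that JavaScript's \s (and therefore \S) treats as whitespace
// even though they render as nothing or as an ordinary-looking space, plus
// one (U+200B) that looks identical but is NOT whitespace to the engine.
const PASTED_CHARS = {
  'U+00A0 no-break space': '\u00A0',
  'U+2002 en space': '\u2002',
  'U+2028 line separator': '\u2028',
  'U+3000 ideographic space': '\u3000',
  'U+FEFF zero width no-break space': '\uFEFF',
  'U+200B zero width space': '\u200B',
};

// For each pasted character, does the regex still accept an otherwise
// valid 13-character password with that character in the middle?
function pasteResults() {
  const out = {};
  for (const [label, ch] of Object.entries(PASTED_CHARS)) {
    out[label] = accepts('Corr3ct' + ch + 'Horse');
  }
  return out;
}

// {8,24} counts UTF-16 code units, not characters. Without the "u" flag a
// single emoji (a surrogate pair) contributes two units that \S matches
// individually; with "u" it counts as one code point.
const PASSWORD_RE_U = /^\S{8,24}$/u;

function unitsVersusCodePoints(password) {
  return {
    codeUnits: password.length,
    codePoints: [...password].length,
    acceptedWithoutU: PASSWORD_RE.test(password),
    acceptedWithU: PASSWORD_RE_U.test(password),
  };
}

// Quick self-check when run directly.
console.log(accepts('a'.repeat(8)), accepts('a'.repeat(25)), accepts('The mammoth ran quickly'));
console.log(pasteResults());
console.log(unitsVersusCodePoints('\u{1F512}'.repeat(4)));
```

So the regex does enforce the stated restrictions, but a no-break space or a BOM pasted from a document silently fails it while a zero-width space passes, and four emoji count as 8 "characters" without the `u` flag and 4 with it. One engine caveat if the same pattern is reused server-side: in Python's `re` and in PCRE, `$` also matches just before a final newline, so `abcdefgh\n` passes there even though it fails in JavaScript; use `\Z` (Python) or `\z` (PCRE) to pin the true end of the string.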
Several:

  • '11111111' is a valid password.
  • Whitespace is not allowed.
  • There is an upper bound (why not allow longer passwords?)

Using a regex for validating password strength is possible. One example:

^             # Start of string
(?=.*[a-z])   # Assert presence of at least one lowercase ASCII character
(?=.*[A-Z])   # Assert presence of at least one uppercase ASCII character
(?=.*[0-9])   # Assert presence of at least one ASCII digit
(?=.*\W)      # Assert presence of at least one non-alphanumeric character
(?!.*(.)\1\1) # Assert no triply repeated characters (aaa)
.{8,}         # Match at least 8 characters
$             # End of string
Tim Pietzcker
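The verbose-mode pattern in the answer above, carried into JavaScript as an added example (not the answer's own code). JavaScript has no `x` flag for inline comments, so the pattern is written as one literal, and the same lookaheads are split into named rules so a form can report which one failed; the sample passwords and helper names are constructed here.

```javascript
// Added example, not from the original answer: the answer's verbose-mode
// pattern rewritten as a JavaScript literal (JS has no "x" flag for inline
// comments), plus the same rules split out so a form can tell the user
// which one failed. Sample passwords are constructed for this example.
const STRENGTH_RE = /^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*\W)(?!.*(.)\1\1).{8,}$/;

function isStrong(password) {
  return STRENGTH_RE.test(password);
}

// Each lookahead as its own test. Note that in JavaScript \W means
// "anything outside [A-Za-z0-9_]", so a space or a non-ASCII letter such
// as "ä" satisfies the "symbol" rule, and "." does not match a newline,
// so a pasted line break fails the length rule rather than counting.
const RULES = [
  ['lowercase', /[a-z]/],
  ['uppercase', /[A-Z]/],
  ['digit', /[0-9]/],
  ['symbol', /\W/],
  ['no-triple-repeat', /^(?!.*(.)\1\1)/],
  ['min-length-8', /^.{8,}$/],
];

// Returns the names of the rules the password fails, in RULES order.
function failedRules(password) {
  return RULES.filter(([, re]) => !re.test(password)).map(([name]) => name);
}

console.log(isStrong('11111111'), failedRules('11111111'));
console.log(isStrong('Correct-Horse-9'), failedRules('Passw0rd!!!'));
```

`11111111` from the answer's first bullet fails four of the six rules; `The mammoth ran quickly` fails only the digit rule, since its spaces already satisfy `\W`; and `Passw0rd!!!` fails only on the triple repeat. Splitting the rules out is what makes the "advice on the strength of an entered password" suggested in the question's comments possible, instead of a bare accept/reject.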