-1

I have to validate passwords so that they meet these rules:

A) The password must contain characters from 3 of the following 4 classes:

  1. English Upper Case Letters A, B, C, ... Z
  2. English Lower Case Letters a, b, c, ... z
  3. Westernised Arabic Numerals 0, 1, 2, ... 9
  4. Non-alphanumeric (“special characters”), for example punctuation and symbols: {},.<>;:'?/|`~!@#$%^&*()_-+= space

B) The password must be at least 8 characters long.

Can this be done in a single regex? What would that regex be?

Sachin Kainth
  • http://stackoverflow.com/search?q=regex+password+validate – CBroe Aug 30 '13 at 10:01
  • What's the language/flavor you're using? What have you tried? The short answer is "yes it's possible", but why? You should hash it anyways. [Also this is a fun reading :-)](http://security.stackexchange.com/a/33471) – HamZa Aug 30 '13 at 10:02
  • @HamZa Hashing is orthogonal -- you still want to check password strength before hashing. – Barmar Aug 30 '13 at 10:02
  • As a side note: Password1 is a valid password - so much for the imposed strength. Interesting read: http://security.stackexchange.com/questions/32222/are-password-complexity-rules-counterproductive – assylias Aug 30 '13 at 10:07

4 Answers

5

This task isn't suitable for doing with a regular expression.

It can be done in a regular expression, but it'd be so convoluted and complicated that you're better off doing the check in some other way.

Just because something can be done with regular expressions doesn't mean it's a good idea.

Sebastian Paaske Tørholm
0

I think a complicated regular expression isn't something that should be used at all costs. In this case, a simple method with four booleans will be easier to write, easier to read and probably also faster.

Danstahr
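The "four booleans" approach from the answer above, written out as an added example (this is not code from the question or from any answer). It implements exactly the two rules the question states: at least 8 characters, and characters from at least 3 of the 4 classes. The one assumption is that the fourth class, "non-alphanumeric", means every character that is not an ASCII letter or digit, so space, punctuation and accented letters all count as "special". The sample passwords at the bottom are constructed for illustration; note that "Password1" satisfies the policy, as the comment under the question points out, while a long all-lowercase passphrase does not.

```python
"""Password policy check with plain class counting, no regular expression.

Added example, not taken from the question or any answer. Rules implemented:
  A) characters from at least 3 of 4 classes (ASCII upper, ASCII lower,
     ASCII digit, anything else)
  B) at least 8 characters
"""
import string

UPPER = frozenset(string.ascii_uppercase)
LOWER = frozenset(string.ascii_lowercase)
DIGITS = frozenset(string.digits)
MIN_LENGTH = 8
CLASSES_REQUIRED = 3
CLASSES_TOTAL = 4


def character_classes(password):
    """Return the set of class names present in password.

    Assumption: "special" is everything that is not an ASCII letter or digit,
    so space, punctuation and non-ASCII letters all fall into that class.
    """
    found = set()
    for ch in password:
        if ch in UPPER:
            found.add("upper")
        elif ch in LOWER:
            found.add("lower")
        elif ch in DIGITS:
            found.add("digit")
        else:
            found.add("special")
    return found


def validate_password(password):
    """Return (ok, reasons); reasons names each rule that was violated."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    classes = character_classes(password)
    if len(classes) < CLASSES_REQUIRED:
        reasons.append("only %d of %d character classes (%s)" % (
            len(classes), CLASSES_TOTAL, ", ".join(sorted(classes)) or "none"))
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed samples. The policy accepts "Password1" and "Pass1234"
    # but rejects a 28-character all-lowercase passphrase.
    for pw in ["Password1", "Pass1234", "password", "Ab1", "aB3$",
               "correct horse battery staple"]:
        print("%-30r -> %s" % (pw, validate_password(pw)))
```

Use `validate_password(pw)[0]` for a yes/no decision and show the `reasons` list to the user; returning the violated rule rather than a bare `False` keeps the policy explainable and makes it trivial to adjust one rule without touching the others.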
0

You could check that it is:

  • not purely numbers and alphanumerics (this is slightly more aggressive than your conditions say);
  • not purely lowercase and special characters

A single regular expression to check this would be something like

(?![A-Za-z0-9]+$|[a-z{},.<>;:'?/|`~!@#$%^&*()_+= -]+$).{8,}

I intentionally ignored your exact specification. In particular, I did not want to allow Pass1234, and I don't think it makes sense to set a maximum length, and I did not restrict the set of allowed characters at all (i.e. there are minimum requirements, but you can go wild and use control characters or accented characters if you like). These things are easy enough to fix if you disagree.

To strictly implement your spec, you could check that the password does not consist of purely any two groups; so not all upper and lower case, and not all lowercase and numbers, and not all uppercase and numbers, and not all numbers and specials, and not all lowercase and specials, and not all uppercase and specials, but again, this is somewhat tedious and IMHO counter-productive.

You are not saying which regex flavor you are using. I have assumed you have the Perl negative lookahead (?!...) at your disposal. This is significantly harder if you are restricted to traditional BRE or ERE syntax.

tripleee
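The single-regex approach from the answer above, as an added example that is not part of the original answer. `LOOSE` is the answer's own expression (with the `_-+` range inside the character class, which most engines reject as an out-of-order range, replaced by a literal `-` at the end of the class, and anchored with `^`/`\Z`). `STRICT` is the "not purely any two groups" variant the answer describes but does not write out: six negative lookaheads, one per pair of classes, which is equivalent to requiring at least 3 of the 4 classes. Both assume a flavour with Perl-style lookahead; Python's `re` is used here. The sample passwords are constructed; "PASSWORD!" shows where the two differ: the answer's expression accepts it, the strict 3-of-4 rule does not.

```python
"""Two single-regex password checks (added example, not the answer's code).

LOOSE  : the answer's expression, fixed and anchored. Rejects anything that is
         purely alphanumeric or purely lowercase+special; accepts the rest.
STRICT : the question's rule literally: not purely any pair of the four
         classes (upper, lower, digit, special), i.e. at least 3 of 4.
Both require at least 8 characters and place no upper bound on length or on
the character set (DOTALL lets '.' match newlines and control characters).
"""
import re

# The answer's regex; '-' moved to the end of the class so it is literal.
LOOSE = re.compile(
    r"^(?![A-Za-z0-9]+\Z|[a-z{},.<>;:'?/|`~!@#$%^&*()_+= -]+\Z).{8,}\Z",
    re.DOTALL,
)

# "special" is expressed as the complement [^A-Za-z0-9], so each pair of
# classes becomes one character class and its negative lookahead.
STRICT = re.compile(
    r"""
    ^
    (?![A-Za-z]*\Z)      # not only upper + lower
    (?![A-Z0-9]*\Z)      # not only upper + digit
    (?![a-z0-9]*\Z)      # not only lower + digit
    (?![^a-z0-9]*\Z)     # not only upper + special
    (?![^A-Z0-9]*\Z)     # not only lower + special
    (?![^A-Za-z]*\Z)     # not only digit + special
    .{8,}                # rule B: at least 8 characters
    \Z
    """,
    re.VERBOSE | re.DOTALL,
)


def loose_ok(password):
    """True if the answer's regex accepts the password."""
    return LOOSE.match(password) is not None


def strict_ok(password):
    """True if the password has >= 8 chars and >= 3 of the 4 classes."""
    return STRICT.match(password) is not None


if __name__ == "__main__":
    # Constructed samples showing where the two expressions agree and differ.
    for pw in ["Pass1234", "Password1", "passw0rd!", "PASSWORD!",
               "password!", "Ab1!", "Résumé 2024"]:
        print("%-14r loose=%-5s strict=%s" % (pw, loose_ok(pw), strict_ok(pw)))
```

The strict version is the literal spec; whether that is what you want is the point the answer makes: "Pass1234" passes it, and the single regex has to grow by one lookahead for every pair of classes (six here), which is why a class-counting loop is usually the better trade.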
-1

I think you can achieve a very close result with a single regular expression. Here is an example:

^((?=.*[!@#$%&,()_=/\.\-\*\+\?])[A-Za-z0-9!@#$%&,()_=/\.\-\*\+\?]{8,20})$

This says:

  • At least 1 control character
  • Can contain alpha numeric characters
  • Is between 8 and 20 characters long

Ayman
  • You probably mean "punctuation etc" when you say "control". Technically, control characters are ASCII codes 0-31. – tripleee Aug 30 '13 at 10:31