8

I need a strong password validation regex

Special Characters - Not Allowed
Spaces - Not Allowed
Numeric Character - At least one character
At least one Capital Letter 
Minimum and Maximum Length of field - 6 to 12 Characters
Repetitive Characters - Allowed only two repetitive characters

My regex is ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?!.*\s)(?=(?:(\w)(?!\1{2}))+).{6,12}$ but it ignores special characters (where to add?)

Please help!

Maxim
  • What led you to believe that a regular expression was the best way to solve this problem? – Greg Hewgill Jun 28 '10 at 08:40
  • Why are you disallowing spaces and special characters? Doesn't that make it a *weak* password regex, instead of a strong one? Your criteria also disallow the user entering a passphrase (a series of words, much longer than a normal password) since you require a digit, no spaces, and limit the length of the password. – Douglas Jun 28 '10 at 08:41
  • Douglas, special characters allowed only (@) however: *, -, + etc is not allowed special characters. This is a task :) – Maxim Jun 28 '10 at 08:45
  • These rules do not create a strong password. They are a long way off. http://www.microsoft.com/protect/fraud/passwords/create.aspx – codingbadger Jun 28 '10 at 08:47
  • When you have a long regex like that it's often worth breaking it down into multiple shorter ones, or inserting line breaks and white space as logical delimiters with the ignore white space flag set. – Phil Gan Jun 28 '10 at 10:36

4 Answers

34

Doesn't sound like a task particularly suited for Regex, since you want to test multiple conditions simultaneously. (You could use multiple regexes, but then normal C# with LINQ is a nicer way to test it.) Try the following function:

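// Requires "using System.Linq;" at the top of the file (for All and Any).
public static bool IsStrongPassword(string password)
{
    // A null password is rejected instead of throwing on password.Length.
    if (password == null)
        return false;

    // Minimum and Maximum Length of field - 6 to 12 Characters
    if (password.Length < 6 || password.Length > 12)
        return false;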

    // Special Characters - Not Allowed
    // Spaces - Not Allowed
    if (!(password.All(c => char.IsLetter(c) || char.IsDigit(c))))  
        return false;

    // Numeric Character - At least one character
    if (!password.Any(c => char.IsDigit(c)))
        return false;

    // At least one Capital Letter
    if (!password.Any(c => char.IsUpper(c)))
        return false;

    // Repetitive Characters - Allowed only two repetitive characters
    var repeatCount = 0;
    var lastChar = '\0';
    foreach(var c in password)
    {
        if (c == lastChar)
            repeatCount++;
        else
            repeatCount = 0;
        if (repeatCount == 2)
            return false;
        lastChar = c;
    }

    return true;
}

Make sure you import System.Linq of course, and you're set to go.

Noldorin
  • Maybe one could combine the above LINQ approach with a couple of regexps that test stuff that regexps are good at? – Martin Wickman Jun 28 '10 at 09:03
  • @Maxim: Edited, that's included now. Repetitive characters is the only test I *might* do using regex, but I think the current approach is still fine. – Noldorin Jun 28 '10 at 09:04
  • +1: This method looks more maintainable than using a single regex. IMO even breaking down the single regex into smaller ones would be a step in the right direction. – Phil Gan Jun 28 '10 at 10:35
  • @Noldorin char.IsNumeric(c) should be char.IsDigit(c). Just a note of caution for anyone who comes here in future to use this. – ashutosh raina Jan 24 '13 at 19:02
  • @ashutoshraina: Yeah, I think you're right, cheers. It seems `IsNumeric` allows thousands separators, decimal points, etc. which one doesn't want. – Noldorin Jan 24 '13 at 20:03
  • I cannot understand people that are only asking "where is my repetitive control!!" rather than giving thanks for attentive answers... – Uğur Aldanmaz Aug 13 '14 at 13:20
  • char.IsNumeric should be replaced by char.IsDigit for C# / .NET 4.0 – Youp Bernoulli Apr 21 '18 at 07:08

26

^(?=.*[A-Z])(?=.*\d)(?!.*(.)\1\1)[a-zA-Z0-9@]{6,12}$

  • Special Characters - Not Allowed
  • Spaces - Not Allowed
  • Minimum and Maximum Length of field - 6 to 12 Characters
    Met by [a-zA-Z0-9@]{6,12}
  • Numeric Character - At least one character
    Met by positive lookahead (?=.*\d)
  • At least one Capital Letter
    Met by positive lookahead (?=.*[A-Z])
  • Repetitive Characters - Allowed only two repetitive characters
    I am not sure what you mean by this. The negative lookahead (?!.*(.)\1\1) makes sure that no character is allowed to appear more than two times in a row. Substring aa is okay, aaa is not.
    Make it (?!.*(.+)\1\1) to reject repeated substrings of length more than one (like ababab) or add .* before \1 to reject non-continuous repeated appearances too.
Amarghosh
  • Repetitive Characters - I mean: allowed paassword, and not allowed paaassword or passsword. What do I need to do in this case? – Maxim Jun 28 '10 at 09:13
  • I still insist my code is much more readable/maintainable! Bah, regex for everything and anything. – Noldorin Jun 28 '10 at 09:25
  • @Maxim It seems my understanding was correct. The given regex should do it. – Amarghosh Jun 28 '10 at 09:29
  • @Noldorin I kind of agree with you. Regexes and kids are alike - understanding/maintaining someone else's stuff can be a headache. That said, regex is compact and it's fun to write them :) – Amarghosh Jun 28 '10 at 09:32
  • @Amarghosh: Fun to write indeed, just not to read heh. Thus the downfall of Perl... – Noldorin Jun 28 '10 at 10:34
  • @Noldorin OP asked for regex, and he got one. If you ask me if I'd use (or be allowed to use) this regex in the production code with many people working on it... – Amarghosh Jun 28 '10 at 10:38
  • No no, I don't blame you. Just taking the opportunity to have a good rant. :) – Noldorin Jun 28 '10 at 10:49
  • @Noldorin too bad it ended so fast :) – Amarghosh Jun 28 '10 at 11:10
  • @Amarghosh, what if I wanted to allow special characters and repetitive characters? – Kala J Jun 04 '15 at 22:18
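
Added example, not code from either answer: a C# comparison that splits the regex answer's pattern into one small pattern per rule (as a comment on the question suggests), anchors it with \A and \z, and runs it beside the original pattern and the LINQ answer's character test. The class and method names and the sample passwords are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

static class PasswordRuleDemo   // hypothetical name, not from the page
{
    // Pattern from the regex answer, unchanged.
    const string Original = @"^(?=.*[A-Z])(?=.*\d)(?!.*(.)\1\1)[a-zA-Z0-9@]{6,12}$";

    // One small pattern per rule. \A and \z anchor to the absolute start and end
    // of the input; in .NET, $ also matches just before a final "\n".
    static readonly (string Rule, Regex Pattern)[] Rules =
    {
        ("6-12 chars from a-z, A-Z, 0-9, @", new Regex(@"\A[a-zA-Z0-9@]{6,12}\z")),
        ("at least one digit",               new Regex(@"[0-9]")),
        ("at least one capital letter",      new Regex(@"[A-Z]")),
    };
    static readonly Regex TripleRun = new Regex(@"(.)\1\1");

    // Returns the first rule the candidate breaks, or null if it passes all of them.
    static string FirstFailure(string candidate)
    {
        foreach (var (rule, pattern) in Rules)
            if (!pattern.IsMatch(candidate)) return rule;
        return TripleRun.IsMatch(candidate) ? "no character three times in a row" : null;
    }

    // Character test used by the LINQ answer: Unicode-aware, so not limited to ASCII.
    static bool LettersOrDigits(string s) => s.All(c => char.IsLetter(c) || char.IsDigit(c));

    static void Main()
    {
        // Constructed inputs: the asker's three examples (capital and digit added),
        // a trailing newline, and an Arabic-Indic digit three (U+0663).
        string[] samples = { "Paassword1", "Paaassword1", "Passsword1", "Passw0rd\n", "Passwor\u0663" };
        foreach (var s in samples)
            Console.WriteLine("{0,-12} original={1,-5} lettersOrDigits={2,-5} split: {3}",
                Regex.Escape(s), Regex.IsMatch(s, Original),
                LettersOrDigits(s), FirstFailure(s) ?? "passes");
    }
}
```

The trailing-newline input is where the original pattern and the split rules disagree, and the U+0663 input is where the Unicode-aware character test accepts what both patterns reject.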
1

You can search the regex library

simendsjo
1

The following jQuery plugin called pwdMeter works and seems like a cool way to show the user what is and what isn't a strong password.

http://shouvik.net/pwdmeter.php