0

I have a batch file that will prompt the user to provide a user name and password. I am trying to check if the password has the user name in it. I found this example but can't seem to get it to work:

@setlocal enableextensions enabledelayedexpansion
@echo off
SET /P userName=%1
SET /P userPassword=%1
if not x%userPassword:userName=%==x%userPassword% (
GOTO createUser
)else (
GOTO invalidPassword
)

I use these values to create a Windows User account:

:createUser
net user %$userName% "%$userPassword%" /ADD /PASSWORDCHG:NO
WMIC USERACCOUNT WHERE "Name="%$userName%"" SET PasswordExpires=FALSE

:invalidPassword
ECHO password contains user name
aschipfl
  • 33,626
  • 12
  • 54
  • 99
joey.coyle
  • 107
  • 1
  • 9
  • [The Windows command prompt is *NOT* a DOS prompt!](https://scalibq.wordpress.com/2012/05/23/the-windows-command-prompt-is-not-a-dos-prompt/) – aschipfl Mar 23 '17 at 12:23
  • `)else (` --> `) else (` – aschipfl Mar 23 '17 at 12:26
  • This is not a duplicate question. I am comparing two variables not one like in the quoted duplicate question. If you would take the time to help with this issue rather than mark it as duplicate you would be more helpful. – joey.coyle Mar 23 '17 at 13:31
  • 1
    @aschipfl it's only a cosmetic bug. Both `if 1==1 (echo 1)else (echo 2)` with true and with no-true condition `if 1==2 (echo 1)else (echo 2)` work… – JosefZ Mar 23 '17 at 16:15
  • @JosefZ, thank you; seems I have confused it with `) else(` what I have sometimes seen here... – aschipfl Mar 23 '17 at 19:21

1 Answers1

1

This should work:

@echo off
setlocal enabledelayedexpansion
set /p userName=Username:
set /p userPassword=Password:
set replacedUsername=!userPassword:%userName%=!
if not !replacedUsername!==%userPassword% (
    echo invalid password
    pause
    exit
)
net user %$userName% "%$userPassword%" /ADD /PASSWORDCHG:NO
WMIC USERACCOUNT WHERE "Name="%$userName%"" SET PasswordExpires=FALSE

After the user inputs a name and a password we take the username as a substring and replace this substring inside the password with an empty string. If the password remains unchanged, we know: the username is not a substring of the password string. Otherwise, the modified password would differ from the original password so we know that it is invalide.

MichaelS
  • 5,941
  • 6
  • 31
  • 46
  • Passwords are case sensitive, the string replacement isn't. While it isn't a good Idea to have the name inside inside the password, a different unusual casing would lessen (if only a bit) the risc. –  Mar 23 '17 at 12:43
  • MichaelS, That works thank you. I also need to make sure that the password is at least 7 character and from 3 of the following groups. 1. English uppercase characters (A through Z) 2. English lowercase characters (a through z) 3. Base 10 digits (0 through 9) 4. Non-alphabetic characters (for example, !, $, #, %). I think I would have to ask this in a separate questions. – joey.coyle Mar 23 '17 at 13:44
  • @joey.coyle Yes, I guess you should post a new question. – MichaelS Mar 23 '17 at 13:48
  • Try username ˙abc˙ and password `a!b^c` or `a^b!c`. You could disable delayed expansion `call set "replacedUsername=%%userPassword:%userName%=%%"` an properly quote `"%userPassword%"` everywhere. Should work for all `cmd` poisonous characters like `!^%|<>` in a password. – JosefZ Mar 23 '17 at 16:53