
I am rewriting our password validation rules to meet a very strict set of requirements for an ASP.NET C# web forms application.

I am using regex for most of this (such as min characters, allowed characters etc).

One requirement that I am having trouble with finding the solution for is the following: Must contain characters from 2 out of the 4 allowed character classes.

In this case the allowed classes are uppercase, lowercase, numeric and special (US ASCII).

If anyone can help on how to write this that would be appreciated. Thanks

gb19
  • Why such a weak password? This isn't `a very strict set of requirements`, it's actually considered very weak. People should be allowed to use *large* passwords without artificial restrictions that force them to use *short, weak* passwords. Why only ASCII characters? Why don't you let me type `Τί σε νοιάζει εσένα τί σκέφτονται οι άλλοι?` – Panagiotis Kanavos Oct 17 '17 at 12:15
  • In fact, the requirements are worse than weak. They *violate* the guidance by US's NIST, UK's NCSC and Microsoft's own [Password Guidance](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf). If you get breached, you'll be doubly liable for knowingly enforcing weak passwords. Check [Troy Hunt's article](https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/) on the current guidance. – Panagiotis Kanavos Oct 17 '17 at 12:17
  • I don't think it is possible to match everything in a single regex. But the easiest way would be to just use the [Contains](https://msdn.microsoft.com/en-us/library/dy85x1sa(v=vs.110).aspx) method to check for each restriction. But, take a look at the article @PanagiotisKanavos posted before doing anything you might regret later... – Leonardo Alves Machado Oct 17 '17 at 12:26
  • I would use 4 regexes and just have logic built around them in my code so as long as 2 pass it succeeds. – sniperd Oct 17 '17 at 12:48
  • Just to respond to Panagiotis Kanavos, this is not the full set of password requirements. This was just one of many requirements that I was unsure about. – gb19 Oct 17 '17 at 13:10

1 Answer


The commenters all express valid concerns, but I'd just like to share this method for matching "at least 2 of 4 elements":

```
(?:.*?(?:a(?!.*a)|b(?!.*b)|c(?!.*c)|d(?!.*d))){2}
```

The letters 'a' to 'd' can be replaced with appropriate character classes for this question, but it can also be extended to more generally match "at least X of Y non-overlapping subexpressions".

jaytea
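As an added example (not code from the question or from jaytea's answer), here is the "at least 2 of 4" pattern with the placeholder letters replaced by the asker's four classes, next to the plain count-the-classes check sniperd suggested, so the two can be compared on the same inputs. The definition of the special class (printable US-ASCII that is not a letter or digit) and the class name `PasswordClassCheck` are assumptions.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Added example, not code from the original question or answer.
public static class PasswordClassCheck
{
    // Special class (assumed): printable US-ASCII that is not a letter or digit.
    private const string Special = @"[\x20-\x2F\x3A-\x40\x5B-\x60\x7B-\x7E]";

    // jaytea's pattern: each branch consumes the LAST character of its class,
    // and the negative lookahead guarantees none of that class follows, so one
    // class can never satisfy two iterations. {2} therefore means "2 distinct
    // classes". Singleline makes '.' cross newlines as well.
    private static readonly Regex TwoOfFour = new Regex(
        @"^(?:.*?(?:[A-Z](?!.*[A-Z])|[a-z](?!.*[a-z])|[0-9](?!.*[0-9])|" +
        Special + "(?!.*" + Special + "))){2}",
        RegexOptions.Singleline);

    public static bool HasTwoClassesRegex(string password) =>
        TwoOfFour.IsMatch(password);

    // The same rule without lookaheads: one regex per class, count the hits.
    private static readonly Regex[] Classes =
    {
        new Regex("[A-Z]"), new Regex("[a-z]"), new Regex("[0-9]"), new Regex(Special)
    };

    public static bool HasTwoClassesCounted(string password) =>
        Classes.Count(rx => rx.IsMatch(password)) >= 2;

    public static void Main()
    {
        // Constructed samples; the expected result of both checks is in the comment.
        string[] samples =
        {
            "correcthorse",    // lowercase only                 -> false
            "Correcthorse",    // upper + lower                  -> true
            "correct horse",   // lower + special (space)        -> true
            "1234567890",      // digits only                    -> false
            "AAAA2",           // upper + digit                  -> true
            "Τί σε νοιάζει",   // Greek letters match no class,
                               // space is the only class        -> false
        };
        foreach (var p in samples)
            Console.WriteLine($"{p,-16} regex={HasTwoClassesRegex(p)} counted={HasTwoClassesCounted(p)}");
    }
}
```

Both checks agree on every sample; the counted version is easier to read and to extend to "X of Y" without touching the regex.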