0

I need a regular expression that checks that a password does not equal certain words (e.g. password and 12345). I have tried a few combinations but am having trouble with the negation.

It is for a DataAnnotations validation attribute if that is relevant.

Paul Hiles
  • I'm not sure if it's an exact duplicate but you might want to take a look at this question which is at least very similar: http://stackoverflow.com/questions/3131025/strong-password-regex – Hans Olsson Jan 20 '11 at 13:52
  • The list of 'weak' passwords will be long and never complete. Better define requirements for strong passwords and allow P@$$w0rd – H H Jan 20 '11 at 13:55
  • @ho1: It is not a duplicate. I just want to check that the password is not one of a few common passwords. @ho1 & Henk: I agree but it is not my decision, just a business requirement. – Paul Hiles Jan 20 '11 at 14:03

2 Answers

2

Negation in Regex works best with negative lookaheads like

"^(?!password)(?!12345)"

However, I think users can be quite clever when creating bad passwords, and creating an expression that catches them all will be quite difficult.

Jens
  • 2
    Agreed with Jens. If you're genuinely concerned about password strength then you should go all-out and implement a password strength algorithm. Wikipedia has some info on it: http://en.wikipedia.org/wiki/Password_strength – brindy Jan 20 '11 at 13:55
  • @Jens: Unfortunately this causes a validation failure for any text I put in. Any ideas? – Paul Hiles Jan 20 '11 at 14:07
  • `ToUpper` and check against a dictionary, enforce counts for various character types, etc. – user7116 Jan 20 '11 at 14:07
  • Personally, I think that you should let people use whatever password they see fit. If they don't think the information they are storing on your system is worth hiding behind a strong password, then that is for them to decide. However you may want to show a "rating" of the password just to let the user know how good their password is. However, I've seen these poorly implemented, where a 30 character passphrase was only rated as "fair" whereas an 8 character gibberish password was rated strong. – Kibbee Jan 20 '11 at 14:09
  • 1
    @TheFlowerGuy: Maybe the DataAnnotations automatically anchor the regex. You'd have to add `.*` at the end in that case. – Jens Jan 20 '11 at 14:09
  • And you might need to drop the quotes around the regex. – Tim Pietzcker Jan 20 '11 at 14:12
  • ^(?!password)(?!12345).* worked fine. It fails anything starting with password or 12345 rather than just those words but I can live with that. Thanks for everyone's suggestions, but my requirement is a business decision that has already been signed off and is out of my hands. – Paul Hiles Jan 20 '11 at 14:16
  • 1
    @The Flower Guy: Add a `$` after each word to allow "password7" =). I.e. `^(?!password$)..` – Jens Jan 20 '11 at 14:17
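Jens's lookahead pattern with the `.*` and `$` fixes from the comments, wired into the DataAnnotations attribute the question mentions. This is an added example, not code from the thread: the model class, property name, error message and the `(?i)` prefix are assumptions. The comment on the attribute explains why the bare lookahead pattern failed for every input: `RegularExpressionAttribute` only accepts a value when the match starts at index 0 and spans the whole string, and a pattern made of nothing but lookaheads matches zero characters.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;

// Hypothetical model; the property name and message are assumptions for this example.
public class RegisterModel
{
    // RegularExpressionAttribute only accepts a value if the match begins at
    // index 0 and covers the entire string. A pattern made of nothing but
    // lookaheads matches zero characters, so every non-empty input fails; the
    // trailing .* consumes the rest, and the $ inside each lookahead rejects the
    // exact word rather than every string that starts with it.
    // (?i) is an added assumption that makes the comparison case-insensitive,
    // so "Password" is refused as well as "password".
    [Required]
    [RegularExpression(@"(?i)^(?!password$)(?!12345$).*",
        ErrorMessage = "That password is on the list of disallowed passwords.")]
    public string Password { get; set; }
}

public static class PasswordCheck
{
    // Runs the DataAnnotations validator the same way MVC model binding does.
    public static bool IsAccepted(string candidate)
    {
        var model = new RegisterModel { Password = candidate };
        var context = new ValidationContext(model);
        var errors = new List<ValidationResult>();
        return Validator.TryValidateObject(model, context, errors, validateAllProperties: true);
    }

    public static void Main()
    {
        foreach (var p in new[] { "password", "Password", "12345", "password7", "correct horse battery staple" })
        {
            Console.WriteLine($"{p,-30} {(IsAccepted(p) ? "accepted" : "rejected")}");
        }
    }
}
```

Each extra banned word is another `(?!word$)` group at the front of the pattern; every group is anchored at position 0 by the leading `^`, so the order of the groups does not matter.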
1

Do you really want to accomplish this using a regular expression? The more "weak" words you come up with, the longer and more confusing the regex will get. Why not just create a list of unaccepted words, and use a loop/LINQ to check if the password contains any of them? It'll still be plenty fast and easy to read.

One thing that neither the regex you're asking for nor my solution above takes care of is detecting n number of consecutive numbers/characters. Are you just looking for 12345? Or are you looking for something that will also detect strings like 1234567, 1234, or 56789? That will require some extra work.

Ocelot20
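The list-based check Ocelot20 describes, plus the "n consecutive characters" detection the second paragraph says needs extra work, as a custom DataAnnotations attribute. This is an added example, not code from the thread; the attribute name, the word list, the run limit and the model class are assumptions. It uses "contains" as the answer suggests, which is stricter than the question's "does not equal"; replacing the `IndexOf` test with an exact comparison gives the original requirement.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;

// Custom DataAnnotations attribute. The attribute name, the word list and the
// run limit are assumptions made for this example, not anything from the thread.
[AttributeUsage(AttributeTargets.Property, AllowMultiple = false)]
public sealed class NotWeakPasswordAttribute : ValidationAttribute
{
    // Substrings that must not appear anywhere in the password (case-insensitive).
    // Adding a word is one line here instead of another lookahead in a regex.
    private static readonly string[] Blocked = { "password", "12345", "qwerty", "letmein" };

    // Longest run of characters that step by +1 or -1 ("1234", "dcba") that is tolerated.
    private const int MaxSequentialRun = 3;

    protected override ValidationResult IsValid(object value, ValidationContext validationContext)
    {
        var password = value as string;
        if (string.IsNullOrEmpty(password))
            return ValidationResult.Success;   // missing values are [Required]'s job

        // LINQ over the list: the first banned word found anywhere in the input.
        var hit = Blocked.FirstOrDefault(
            word => password.IndexOf(word, StringComparison.OrdinalIgnoreCase) >= 0);
        if (hit != null)
            return new ValidationResult($"Password must not contain '{hit}'.");

        if (LongestSequentialRun(password) > MaxSequentialRun)
            return new ValidationResult(
                $"Password must not contain more than {MaxSequentialRun} consecutive characters in sequence.");

        return ValidationResult.Success;
    }

    // Length of the longest substring whose characters ascend or descend by exactly
    // one code point, so "1234567", "56789" and "fedcba" are caught, not just "12345".
    public static int LongestSequentialRun(string s)
    {
        if (string.IsNullOrEmpty(s)) return 0;
        int best = 1, run = 1, direction = 0;
        for (int i = 1; i < s.Length; i++)
        {
            int step = s[i] - s[i - 1];
            if (step != 1 && step != -1)
            {
                run = 1; direction = 0;          // not a neighbouring code point: run broken
            }
            else if (direction == 0 || step == direction)
            {
                run++; direction = step;         // continues the current run
            }
            else
            {
                run = 2; direction = step;       // direction reversed ("1232"): new run of two
            }
            best = Math.Max(best, run);
        }
        return best;
    }
}

// Hypothetical model carrying the attribute.
public class RegisterModel
{
    [Required]
    [NotWeakPassword]
    public string Password { get; set; }
}

public static class Program
{
    // Runs the DataAnnotations validator the same way MVC model binding does.
    public static IList<ValidationResult> Validate(string candidate)
    {
        var model = new RegisterModel { Password = candidate };
        var errors = new List<ValidationResult>();
        Validator.TryValidateObject(model, new ValidationContext(model), errors, validateAllProperties: true);
        return errors;
    }

    public static void Main()
    {
        // Constructed sample inputs for the demonstration.
        foreach (var p in new[] { "password", "MyPassword1", "a5678b", "correct horse battery staple" })
        {
            var errors = Validate(p);
            Console.WriteLine($"{p,-30} {(errors.Count == 0 ? "accepted" : errors[0].ErrorMessage)}");
        }
    }
}
```

`LongestSequentialRun` works on code points, so it treats "abcd" and "9876" the same way as "1234"; if only digit runs matter, add a `char.IsDigit` check before counting the step.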