
I am working on input sanitization and want to write the regular expression for password validation. I was using OWASP ESAPI for the validation of the input parameters, but I can't do that since the regex provided for password validation by ESAPI does not satisfy all the conditions.

such as

• 8-20 characters using letters and numbers

• Cannot have 3 or more consecutive identical letters, numbers, or special characters

• Cannot contain a space

Optional:

• One or more special characters, except for “ & ’ ⁄ < > [ \ ] { | } ~ ^ !

• Case sensitive

OWASP ESAPI regex: `^(?:(?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))(?!.*(.)\1{2,})[A-Za-z0-9!~<>,;:_=?*+#."&§%°()\|\[\]\-\$\^\@\/]{8,32}$`

I tried to modify it, but I was not getting the expected results; I am also not very confident with regex, as I have never used them before. How can I create a regex that incorporates all the conditions?

Thank you

    May I ask: why? Apart from >1 special char and 8+ chars all the constraints are actively bad. – luk2302 Mar 19 '19 at 20:18
  • The code is related to a legacy application. – Siddhesh Palav Mar 19 '19 at 20:28
  • NIST recommendations surrounding passwords have changed: https://pages.nist.gov/800-63-3/sp800-63b.html. Instead of looking to build password complexity into your tool, it might be better to leverage a service to check if the password has been compromised and to use some sort of guidance tool to help your end users choose stronger passphrases. – Berkley Lamb Mar 19 '19 at 20:40
  • You might find [Reference - Password Validation](https://stackoverflow.com/q/48345922/3600709) useful. – ctwheels Mar 27 '19 at 15:19

2 Answers


I would suggest that you do not use RegEx for this, as it gets tedious to write, and even more tedious to maintain.

Preferably you'd look for a library that allows you to pass a configuration (something like passay).

If you don't want that, you should use common string functions to check for length (`str.length()`) and for the existence of numbers and special characters (like `str.matches()`).

Not only will it be easier to maintain, it will also be faster, since very complicated RegEx queries can quickly get quite slow.

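Daniel's suggestion, carried out as an added example rather than code from his answer or from ESAPI/passay: every rule from the question is checked with plain string operations in Python (the same approach works with `str.length()`/`str.matches()` in Java), and the checker returns the ids of the rules that fail so the caller can show the user exactly what to fix instead of a bare "invalid password". The rule ids, `FORBIDDEN` (built from the question's list), `longest_run` and `violations` are my own names.

```python
import string

MIN_LEN, MAX_LEN = 8, 20
# Characters the question's policy forbids (constructed from its list).
FORBIDDEN = set("“&’⁄<>[\\]{|}~^!")

# Rule ids (my own names) mapped to the message a user would see.
MESSAGES = {
    "length": f"must be {MIN_LEN}-{MAX_LEN} characters long",
    "letter": "must contain at least one letter",
    "digit": "must contain at least one digit",
    "space": "must not contain spaces",
    "run": "must not repeat the same character 3 or more times in a row",
    "forbidden": "must not contain any of: " + " ".join(sorted(FORBIDDEN)),
}


def longest_run(s: str) -> int:
    """Length of the longest run of one identical character; 'aaA' counts as 2 (case-sensitive)."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def violations(password: str) -> list:
    """Ids of every rule the password breaks, in policy order; an empty list means valid."""
    failed = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        failed.append("length")
    if not any(c in string.ascii_letters for c in password):
        failed.append("letter")
    if not any(c in string.digits for c in password):
        failed.append("digit")
    if any(c.isspace() for c in password):
        failed.append("space")
    if longest_run(password) >= 3:
        failed.append("run")
    if set(password) & FORBIDDEN:
        failed.append("forbidden")
    return failed


def explain(password: str) -> list:
    """Human-readable messages for each failed rule."""
    return [MESSAGES[rule] for rule in violations(password)]


if __name__ == "__main__":
    # Constructed sample passwords; each exercises a different rule.
    for pw in ["Tr0ub4dor-pass", "Pass word!", "Passsword123", "Abc123"]:
        print(f"{pw!r}: {explain(pw) or 'ok'}")
```

Because each rule is a separate `if`, adding or relaxing a rule is a one-line change and the order of the returned ids is the order the policy lists them, which keeps the user-facing feedback stable.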

So I came up with a solution, but it's in parts.

So here are the regexes for each condition:

`^((.)\1{3})` - Cannot have 3 or more consecutive identical letters, numbers, or special characters

`[a-zA-Z0-9\S]` - case sensitive, cannot contain spaces, and letters and numbers

`[^ \“ & '< > [ /]{|}~^!]` - One or more special characters, except for “ & ’ ⁄ < > [ \ ] { | } ~ ^ !

`{7,20}$` - range

But if I combine them all together, they won't work as expected...

Any suggestions?
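The conditions listed in the question, and the per-condition fragments in this answer, assembled into one regex as an added example (not from the question, this answer, or ESAPI). The fragments above cannot simply be concatenated: a character class like `[a-zA-Z0-9\S]` consumes exactly one character (and since `\S` is "any non-space", the class is just "any non-space character"), and `^((.)\1{3})` requires four identical characters at the start rather than forbidding a run anywhere. Each "must" or "must not" rule instead becomes a lookahead anchored at the start, and only the final character class with its `{8,20}` quantifier consumes input. Lookaheads and the `\1` backreference behave the same in Java's `java.util.regex`, so the same pattern string can be used with `String.matches`; `PASSWORD_RE`, `is_valid` and the sample passwords are my own.

```python
import re

# Whole policy as one pattern. (?=...) and (?!...) each test one rule from
# position 0 without consuming characters, so they compose independently;
# the final character class plus {8,20} is the only part that consumes input.
PASSWORD_RE = re.compile(
    r"(?=.*[A-Za-z])"            # at least one ASCII letter
    r"(?=.*\d)"                  # at least one digit
    r"(?!.*(.)\1{2})"            # no character repeated 3+ times in a row (case-sensitive)
    r"[^\s“&’⁄<>\[\\\]{|}~^!]"   # allowed: anything except whitespace and the forbidden set
    r"{8,20}"                    # total length 8..20
)


def is_valid(password: str) -> bool:
    """True when the whole string satisfies every rule of the policy."""
    # fullmatch anchors at both ends, equivalent to ^...$ with Java's String.matches.
    return PASSWORD_RE.fullmatch(password) is not None


# Constructed sample inputs and the verdict each should get.
SAMPLES = {
    "Tr0ub4dor-pass": True,          # letters, digits, '-' is allowed
    "Pass#word123": True,            # '#' is not in the forbidden list
    "aaAword123": True,              # 'aaA' is not three identical characters
    "short1": False,                 # fewer than 8 characters
    "Abcdefghij1234567890X": False,  # 21 characters
    "password": False,               # no digit
    "12345678": False,               # no letter
    "Pass word123": False,           # contains a space
    "Passsword123": False,           # 'sss'
    "Pass!word123": False,           # '!' is forbidden
}

if __name__ == "__main__":
    for pw, expected in SAMPLES.items():
        print(f"{pw!r:26} valid={is_valid(pw)} expected={expected}")
```

The "one or more special characters" rule is optional in the question, so the pattern permits special characters without requiring one; to make it mandatory, add a further lookahead such as `(?=.*[^A-Za-z0-9])` on its own line, which is the same shape ESAPI's pattern uses.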