I am having a bit of a hard time with a password requirement regular expression for an ASP.NET project
Out requirements are the following
Must be at least 8 characters
Must have at least 3 of the 4 following:
Have at least 1 UPPERCASE letter
Have at least 1 lowercase letter
Have at least 1 special character
Have at least 1 number
The regular expression I am using is as follows (this is escaped and encoded for use in the web.config xml file:
passwordStrengthRegularExpression="^.*(?=.{8,})(?=.*[a-zA-Z])(?=.*\d)(?=.*[!##$%^&*()\?\+\,\-\.\/\:\:\;\<\=\>\[\]\\_\`\{\|\}\~\"\']).*$"
I cant figure out how to allow for one of the requirements to be optional.
the password Reaction7 should be sufficient, but it is rejected because it doesn't have a special character.
Anyone know what I can do to evaluate the 3 out of 4 requirements other than length?
Not sure I like this solution, but if you're limited to using only a single regex (which looks like the case), you could enumerate all possibilities with a pipe-or group:
passwordStrengthRegularExpression="^.*(?=.{8,})((?=.*[A-Z])(?=.*\d)(?=.*[!##$%^&*()\?\+\,\-\.\/\:\:\;\<\=\>\[\]\\_\`\{\|\}\~\"\'])|(?=.*[a-z])(?=.*\d)(?=.*[!##$%^&*()\?\+\,\-\.\/\:\:\;\<\=\>\[\]\\_\`\{\|\}\~\"\'])|(?=.*[a-z])(?=.*[A-Z])(?=.*[!##$%^&*()\?\+\,\-\.\/\:\:\;\<\=\>\[\]\\_\`\{\|\}\~\"\'])|(?=.*[a-z])(?=.*[A-Z])(?=.*\d)).*$"
It is rather long but does get the job done. Adding a fifth requirement will make this string explode in size though, so it's not exactly "extendable".
Related
I'm writing a regular expression to validate a password. The conditions are:
Password must contain at least two special characters
Password must be at least eight characters long
Password must be alpha numeric
I'm able to make sure that there are atleast 8 characters, atleast one alphabet, atleast one number and atleast one special character using the below Regular expression:
(?=.*[A-z])(?=.*[0-9])(?=.*?[!##$%\^&*\(\)\-_+=;:'""\/\[\]{},.<>|`]).{8,32}
Only condition i'm not able to get is there must be atleast two special characters (Above Reg exp is atleast one special characters). Does anyone have any idea on this?
Thanks in advance.
Only condition i'm not able to get is there must be atleast two special characters.
Make it twice by putting the pattern which was present inside the lookahead inside a group and then make it to repeat exactly two times.
^(?=.*[A-Za-z])(?=.*[0-9])(?=(?:.*?[!##$%\^&*\(\)\-_+=;:'""\/\[\]{},.<>|`]){2}).{8,32}$
If you want to allow atleast 8 characters then you don't need to include 32 inside the range quantifier, just .{8,} would be enough.
What would be the correct regex, to satisfy the following password criteria:
Must include at least 1 lower-case letter.
Must include at least 1 upper-case letter.
Must include at least 1 number.
Must include at least 1 special character (only the following special characters are allowed: !#%).
Must NOT include any other characters then A-Za-z0-9!#% (must not include ; for example).
Must be from 8 to 32 characters long.
This is what i tried, but it doesn't work:
^(?=.*?[a-z])(?=.*?[A-Z])(?=.*?[0-9])(?=.*?[\!\#\#\$\%\&\/\(\)\=\?\*\-\+\-\_\.\:\;\,\]\[\{\}\^]).{8,32}
But it should be:
^(?=.*?[a-z])(?=.*?[A-Z])(?=.*?[0-9])(?=.*?[\!\#\#\$\%\&\/\(\)\=\?\*\-\+\-\_\.\:\;\,\]\[\{\}\^])[A-Za-z0-9!#%]{8,32}
But Unihedron's solution is better anyways, just wanted to mention this for the users which will read this question in the future. :)
Unihedron's solution (can also be found in his answer below, i copied it for myself, just in case he changes (updates it to an better version) it in his answer):
^(?=[^a-z]*[a-z])(?=[^A-Z]*[A-Z])(?=\D*\d)(?=.*?[!#%])[A-Za-z0-9!#%]{8,32}$
I ended up with the following regex:
^(?=[^a-z]*[a-z])(?=[^A-Z]*[A-Z])(?=\D*\d)(?=.*?[\!\#\#\$\%\&\/\(\)\=\?\*\-\+\-\_\.\:\;\,\]\[\{\}\^])[A-Za-z0-9\!\#\#\$\%\&\/\(\)\=\?\*\-\+\-\_\.\:\;\,\]\[\{\}\^]{8,60}$
Thanks again Unihedron and skamazin. Appreciated!
Use this regex:
/^(?=[^a-z]*[a-z])(?=[^A-Z]*[A-Z])(?=\D*\d)(?=[^!#%]*[!#%])[A-Za-z0-9!#%]{8,32}$/
Here is a regex demo!
Read more:
Regex for existence of some words whose order doesn't matter
Test your possible passwords on this and see if they give you the proper result
The regex I used is:
^(?=.*[a-z])(?=.*[A-Z])(?=.*?[0-9])(?=.*?[!#%])[A-Za-z0-9!#%]{8,32}$
I've looked on here for some ideas but I still seem to be struggling with coming up with a regular expression to meet my requirements.
I need a regular expression to check a password format, the criteria are:
At least 1 uppercase letter
At least 1 number
Only alphanumeric characters (no special characters)
At least 8 characters long
The regular expression I'm using is:
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$
However this is also allowing characters like !$&.
Is there a modification I need to make to this to get it to stop these special characters being accepted?
Change the last part .{8,} to [a-zA-Z\d]{8,}
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[a-zA-Z\d]{8,}$
OK so I have a mental block when it comes to regex - but I was told to come up with a regex expression that met these conditions:
must be at least 8 characters (easy!)
must have characters from at least 3 of the 4 different character types - upper case, lower case, digits, symbols (ok)
must have at least 5 different characters
must not have a long sequence of the same character type (eg. asdnme would be considered bad as its a long sequence of lower case)
(?=^.{8,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9\s])(?=.*[a-z])|(?=.*[^A-Za-z0-9\s])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9\s]))
This regex expression satisfies 1 and 2. But I am struggling to find examples for 3 and 4.
If any regex enthusiasts could help me - it would be appreciated. :)
Note: I would prefer not to use Regex - this is me asking anyone if it's possible to check for the 3rd and 4th condition using regex? And please don't downvote me for the belief that regex is the only solution. I don't believe it is - our achitect decided the least effort would be involved in using regex to solve this issue.
Personally I think this level of password security is going to make the system unusable!!! But maybe I don't care enough about password security :)
Note: We're trying to make use of the Microsoft ASPNET Membership - regex expression. Which is why I thought it needed to be a single expression. I get that it's horrible to try to read/understand.
If anyone can provide individual regex expressions for
- must have at least 5 different characters
- must not have a long sequence of the same character type (eg. asdnme would be considered bad as its a long sequence of lower case) - assume 5 sequence is too long..
Or c# code /javascript ? Although this is specific to one particular client - we don't want it blanked applied to all clients. Which is probably why the architect wanted a nice regex expression that you could just slot in at deployment time. :(
Found someone else's example that works in .NET
^(?!.*(.)\1{2})((?[A-Z])|(?[a-z])|(?\d)|(?[^A-Za-z\d])){8,}(?(Upper)(?(Lower)(?(Numeric)|(?(NonAlphaNumeric)|(?!)))|(?(Numeric)(?(NonAlphaNumeric)|(?!))|(?!)))|(?(Lower)(?(Numeric)(?(NonAlphaNumeric)|(?!))|(?!))|(?!)))$
Unfortunately it meets these conditions:
Must have a minimum length of 8 characters
Must contain characters from three of the four following types:
English upper-case characters (A - Z)
English lower-case characters (a - z)
Numerical digits (0 - 9)
Non-alphanumeric characters
No character can be repeated 3 or more times in a row, e.g.
BB (letter B twice) is OK, but BBB (letter B 3 times) is NOT OK.
But it doesn't detect that at least 5 different characters are used :(
Nevermind - the answer below seems to work. Only thing is that it appears to allow 4 different characters rather than requiring 5?
I have tweaked it to be:
^(?=.{8,})(?:(?=.\d)(?=.[A-Z])(?=.[a-z])|(?=.\d)(?=.[^A-Za-z0-9\s])(?=.[a-z])|(?=.[^A-Za-z0-9\s])(?=.[A-Z])(?=.[a-z])|(?=.\d)(?=.[A-Z])(?=.[^A-Za-z0-9\s]))(?=(.)(?>.?(?!\1})(.))(?>.?(?!\1}|\2)(.))(?>.?(?!\1|\2|\3)(.))(?>.?(?!\1|\2|\3|\4)(.))(?>.?(?!\1|\2|\3|\4|\5).))(?!.?\d{4})(?!.?[a-z]{4})(?!.?[A-Z]{4})(?!.*?[^A-Za-z0-9\s]{4})
Here's hoping we never have to touch it again ;) With more time if this crops up again I'll push the code option I think :)
Edit: Discovered that the string isn't quite right. It's not passing "!tt23yyy" without having to add another digit or special character. So have canned the regex idea and am going with the code option. It's just too hard to debug regex issues if you don't comprehend regex :) (understandably so)
Here is a PCRE/Perl regex that would do all that:
/
^ # anchor it
# must be at least 8 characters
(?=.{8,})
# must have characters from at least 3 of the 4 different character types
(?:
(?=.*\d)(?=.*[A-Z])(?=.*[a-z])
| (?=.*\d)(?=.*[^A-Za-z0-9\s])(?=.*[a-z])
| (?=.*[^A-Za-z0-9\s])(?=.*[A-Z])(?=.*[a-z])
| (?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9\s])
)
# at least 5 different chars
(?=
(.)
(?>.*?(?!\1}) (.))
(?>.*?(?!\1}|\2) (.))
(?>.*?(?!\1|\2|\3) (.))
(?>.*?(?!\1|\2|\3|\4) . )
)
# no long sequence of the same character type (if long is 3)
(?!.*?\d{3})
(?!.*?[a-z]{3})
(?!.*?[A-Z]{3})
(?!.*?[^A-Za-z0-9\s]{3})
/xs
Not tested so could have missed something. Enjoy. ;-)
If you are really going to be using that (on longer strings), you might want to add some (more) atomic grouping (?>foo) (or the like) to prevent exponential backtracking.
I am using this regex to validate my password.
My password -
should be alphanumeric ONLY,
contains at least 8 characters,
at least 2 numbers
and at least 2 alphabet.
My regex is
^.*(?=.{8,})(?=.*\d*\d)(?=.*[a-zA-Z]*[a-zA-Z])(?!.*\W).*$
but unfortunately it still matches if I try to put special characters at the beginning.
For example #password12, !password12.
Because your pattern begins and ends with .*, it will match anything at the beginning or end of the string, including special characters.
You shouldn't be solving this problem with a single regular expression, it makes the code hard to read and hard to modify. Write one function for each rule using whatever makes sense for that rule, then your validation script becomes crystal clear:
if is_alpha_only(password) &&
len(password) > = 8 &&
has_2_or_more_numbers(password) &&
has_2_or_more_alpha(password) ...
Seriously, what's the point of cramming all of that into a single regular expression?
And why disallow special characters? There's simply no reason for that.
You can use the following regex in case insensitive mode:
^(?=[a-z]*[0-9][a-z]*[0-9])^(?=[0-9]*[a-z][0-9]*[a-z])[a-z0-9]{8,}$
See it
I had a similar situation in which the client needed 4 alpha, 1 number, and between 8 and 20 characters. I've adapted my solution to your problem:
^(?=(?:[a-zA-Z0-9]*[a-zA-Z]){2})(?=(?:[a-zA-Z0-9]*\d){2})[a-zA-Z0-9]{8,}$
I understand the other answers dissuading you from this route, but sometimes the client wants what the client wants, regardless of your arguments to the contrary.