I am using this regex to validate my password.
My password -
should be alphanumeric ONLY,
contains at least 8 characters,
at least 2 numbers
and at least 2 alphabet.
My regex is
^.*(?=.{8,})(?=.*\d*\d)(?=.*[a-zA-Z]*[a-zA-Z])(?!.*\W).*$
but unfortunately it still matches if I try to put special characters at the beginning.
For example #password12, !password12.
Because your pattern begins and ends with .*, it will match anything at the beginning or end of the string, including special characters.
You shouldn't be solving this problem with a single regular expression, it makes the code hard to read and hard to modify. Write one function for each rule using whatever makes sense for that rule, then your validation script becomes crystal clear:
if is_alpha_only(password) &&
len(password) > = 8 &&
has_2_or_more_numbers(password) &&
has_2_or_more_alpha(password) ...
Seriously, what's the point of cramming all of that into a single regular expression?
And why disallow special characters? There's simply no reason for that.
You can use the following regex in case insensitive mode:
^(?=[a-z]*[0-9][a-z]*[0-9])^(?=[0-9]*[a-z][0-9]*[a-z])[a-z0-9]{8,}$
See it
I had a similar situation in which the client needed 4 alpha, 1 number, and between 8 and 20 characters. I've adapted my solution to your problem:
^(?=(?:[a-zA-Z0-9]*[a-zA-Z]){2})(?=(?:[a-zA-Z0-9]*\d){2})[a-zA-Z0-9]{8,}$
I understand the other answers dissuading you from this route, but sometimes the client wants what the client wants, regardless of your arguments to the contrary.
Related
I'm trying to create a regex that will meet the following requirements for a password.
Must have at least 1 uppercase
Must have at least 1 lowercase
Must contain a number OR a symbol - FAILS
Must be between 8 to 16 characters long
^(?=.*\d|[!##\$%\^&])(?=.*[a-z])(?=.*[A-Z]).{8,16}$
I've got it working, well almost, except the OR part.
It verifies for instance Tester01 and Tester0% but it wont verify Tester%$ or anything with two symbols, just in case the user doesn't put in a number. I've also tried putting brackets around the \d thinking I had to separate the digits from the symbols but that didn't work.
Your alternation condition isn't correct. Instead you can just slide the \d within the special characters bracket and change your regex to this,
^(?=.*[\d!##\$%\^&])(?=.*[a-z])(?=.*[A-Z]).{8,16}$
Now your this look ahead (?=.*[\d!##\$%\^&]) behaves exactly as you wanted. It will ensure that either one character is any digit or the other special characters mentioned in your character class.
Demo
The reason why your look ahead (?=.*\d|[!##\$%\^&]) fails is because your first alternation condition is .*\d and second is merely [!##\$%\^&] where as if correctly written it should have been either this,
(?=.*\d|.*[!##\$%\^&])
OR
(?=.*(\d|[!##\$%\^&]))
And you really don't need alternation at all if you write it like the way I have written above, where you can just put \d within the character set itself, like this,
(?=.*([\d!##\$%\^&]))
Use the principle of contrast with multiple lookaheads.
^
(?=[^A-Z]*[A-Z])
(?=[^a-z]*[a-z])
(?=[^\d!##\$%\^&]*[^\d!##\$%\^&])
.{8,16}
$
But please read this post as well (why password validations are bad?) and see a demo on regex101.com.
Working on password-field.
The regex expression for a field container letters (lowercase, uppercase), digits and some special characters will look like this:
^([a-z,A-Z,0-9,#,$,%,&,_,]{8,20})*$
Tell me please, how this should be modified if I want every pass phrase to have at least one lowercase, one uppercase and one digit?
For example, for 3-characters long pass it is:
'aB3' - pass
'ab3' - fail
You need to use lookaheads and also you need to remove all the commas present inside the character class.
^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?\d)[a-zA-Z0-9#$%&_]{8,20}$
Note that the password must be atleast 8 and atmost 20 chars long.
DEMO
THIS ANSWER HAS BEEN ARCHIVED BECAUSE IT SUCKS.
Use the + token, which tells the engine to attempt to find one or more of the preceding token. e.g:
^(?=[a-z]+)(?=[A-Z])+(?=[0-9])+(?=[#$%&_\,\.]*)$
Then, use a length check elsewhere in the code to verify length.
I am having a bit of a hard time with a password requirement regular expression for an ASP.NET project
Out requirements are the following
Must be at least 8 characters
Must have at least 3 of the 4 following:
Have at least 1 UPPERCASE letter
Have at least 1 lowercase letter
Have at least 1 special character
Have at least 1 number
The regular expression I am using is as follows (this is escaped and encoded for use in the web.config xml file:
passwordStrengthRegularExpression="^.*(?=.{8,})(?=.*[a-zA-Z])(?=.*\d)(?=.*[!##$%^&*()\?\+\,\-\.\/\:\:\;\<\=\>\[\]\\_\`\{\|\}\~\"\']).*$"
I cant figure out how to allow for one of the requirements to be optional.
the password Reaction7 should be sufficient, but it is rejected because it doesn't have a special character.
Anyone know what I can do to evaluate the 3 out of 4 requirements other than length?
Not sure I like this solution, but if you're limited to using only a single regex (which looks like the case), you could enumerate all possibilities with a pipe-or group:
passwordStrengthRegularExpression="^.*(?=.{8,})((?=.*[A-Z])(?=.*\d)(?=.*[!##$%^&*()\?\+\,\-\.\/\:\:\;\<\=\>\[\]\\_\`\{\|\}\~\"\'])|(?=.*[a-z])(?=.*\d)(?=.*[!##$%^&*()\?\+\,\-\.\/\:\:\;\<\=\>\[\]\\_\`\{\|\}\~\"\'])|(?=.*[a-z])(?=.*[A-Z])(?=.*[!##$%^&*()\?\+\,\-\.\/\:\:\;\<\=\>\[\]\\_\`\{\|\}\~\"\'])|(?=.*[a-z])(?=.*[A-Z])(?=.*\d)).*$"
It is rather long but does get the job done. Adding a fifth requirement will make this string explode in size though, so it's not exactly "extendable".
So I wanted to limit a textbox which contains an apartment number which is optional.
Here is the regex in question:
([0-9]{1,4}[A-Z]?)|([A-Z])|(^$)
Simple enough eh?
I'm using these tools to test my regex:
Regex Analyzer
Regex Validator
Here are the expected results:
Valid
"1234A"
"Z"
"(Empty string)"
Invalid
"A1234"
"fhfdsahds527523832dvhsfdg"
Obviously if I'm here, the invalid ones are accepted by the regex. The goal of this regex is accept either 1 to 4 numbers with an optional letter, or a single letter or an empty string.
I just can't seem to figure out what's not working, I mean it is a simple enough regex we have here. I'm probably missing something as I'm not very good with regexes, but this syntax seems ok to my eyes. Hopefully someone here can point to my error.
Thanks for all help, it is greatly appreciated.
You need to use the ^ and $ anchors for your first two options as well. Also you can include the second option into the first one (which immediately matches the third variant as well):
^[0-9]{0,4}[A-Z]?$
Without the anchors your regular expression matches because it will just pick a single letter from anywhere within your string.
Depending on the language, you can also use a negative look ahead.
^[0-9]{0,4}[A-Za-z](?!.*[0-9])
Breakdown:
^[0-9]{0,4} = This look for any number 0 through 4 times at the beginning of the string
[A-Za-z] = This look for any characters (Both cases)
(?!.*[0-9]) = This will only allow the letters if there are no numbers anywhere after the letter.
I haven't quite figured out how to validate against a null character, but that might be easier done using tools from whatever language you are using. Something along this logic:
if String Doesn't equal $null Then check the Rexex
Something along those lines, just adjusted for however you would do it in your language.
I used RegEx Skinner to validate the answers.
Edit: Fixed error from comments
OK so I have a mental block when it comes to regex - but I was told to come up with a regex expression that met these conditions:
must be at least 8 characters (easy!)
must have characters from at least 3 of the 4 different character types - upper case, lower case, digits, symbols (ok)
must have at least 5 different characters
must not have a long sequence of the same character type (eg. asdnme would be considered bad as its a long sequence of lower case)
(?=^.{8,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9\s])(?=.*[a-z])|(?=.*[^A-Za-z0-9\s])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9\s]))
This regex expression satisfies 1 and 2. But I am struggling to find examples for 3 and 4.
If any regex enthusiasts could help me - it would be appreciated. :)
Note: I would prefer not to use Regex - this is me asking anyone if it's possible to check for the 3rd and 4th condition using regex? And please don't downvote me for the belief that regex is the only solution. I don't believe it is - our achitect decided the least effort would be involved in using regex to solve this issue.
Personally I think this level of password security is going to make the system unusable!!! But maybe I don't care enough about password security :)
Note: We're trying to make use of the Microsoft ASPNET Membership - regex expression. Which is why I thought it needed to be a single expression. I get that it's horrible to try to read/understand.
If anyone can provide individual regex expressions for
- must have at least 5 different characters
- must not have a long sequence of the same character type (eg. asdnme would be considered bad as its a long sequence of lower case) - assume 5 sequence is too long..
Or c# code /javascript ? Although this is specific to one particular client - we don't want it blanked applied to all clients. Which is probably why the architect wanted a nice regex expression that you could just slot in at deployment time. :(
Found someone else's example that works in .NET
^(?!.*(.)\1{2})((?[A-Z])|(?[a-z])|(?\d)|(?[^A-Za-z\d])){8,}(?(Upper)(?(Lower)(?(Numeric)|(?(NonAlphaNumeric)|(?!)))|(?(Numeric)(?(NonAlphaNumeric)|(?!))|(?!)))|(?(Lower)(?(Numeric)(?(NonAlphaNumeric)|(?!))|(?!))|(?!)))$
Unfortunately it meets these conditions:
Must have a minimum length of 8 characters
Must contain characters from three of the four following types:
English upper-case characters (A - Z)
English lower-case characters (a - z)
Numerical digits (0 - 9)
Non-alphanumeric characters
No character can be repeated 3 or more times in a row, e.g.
BB (letter B twice) is OK, but BBB (letter B 3 times) is NOT OK.
But it doesn't detect that at least 5 different characters are used :(
Nevermind - the answer below seems to work. Only thing is that it appears to allow 4 different characters rather than requiring 5?
I have tweaked it to be:
^(?=.{8,})(?:(?=.\d)(?=.[A-Z])(?=.[a-z])|(?=.\d)(?=.[^A-Za-z0-9\s])(?=.[a-z])|(?=.[^A-Za-z0-9\s])(?=.[A-Z])(?=.[a-z])|(?=.\d)(?=.[A-Z])(?=.[^A-Za-z0-9\s]))(?=(.)(?>.?(?!\1})(.))(?>.?(?!\1}|\2)(.))(?>.?(?!\1|\2|\3)(.))(?>.?(?!\1|\2|\3|\4)(.))(?>.?(?!\1|\2|\3|\4|\5).))(?!.?\d{4})(?!.?[a-z]{4})(?!.?[A-Z]{4})(?!.*?[^A-Za-z0-9\s]{4})
Here's hoping we never have to touch it again ;) With more time if this crops up again I'll push the code option I think :)
Edit: Discovered that the string isn't quite right. It's not passing "!tt23yyy" without having to add another digit or special character. So have canned the regex idea and am going with the code option. It's just too hard to debug regex issues if you don't comprehend regex :) (understandably so)
Here is a PCRE/Perl regex that would do all that:
/
^ # anchor it
# must be at least 8 characters
(?=.{8,})
# must have characters from at least 3 of the 4 different character types
(?:
(?=.*\d)(?=.*[A-Z])(?=.*[a-z])
| (?=.*\d)(?=.*[^A-Za-z0-9\s])(?=.*[a-z])
| (?=.*[^A-Za-z0-9\s])(?=.*[A-Z])(?=.*[a-z])
| (?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9\s])
)
# at least 5 different chars
(?=
(.)
(?>.*?(?!\1}) (.))
(?>.*?(?!\1}|\2) (.))
(?>.*?(?!\1|\2|\3) (.))
(?>.*?(?!\1|\2|\3|\4) . )
)
# no long sequence of the same character type (if long is 3)
(?!.*?\d{3})
(?!.*?[a-z]{3})
(?!.*?[A-Z]{3})
(?!.*?[^A-Za-z0-9\s]{3})
/xs
Not tested so could have missed something. Enjoy. ;-)
If you are really going to be using that (on longer strings), you might want to add some (more) atomic grouping (?>foo) (or the like) to prevent exponential backtracking.