A sensible PasswordStrengthRegularExpression

We're using the standard ASP.NET authentication provider (AspNetSqlMembershipProvider as it happens) and the default password strength requirement is a little excessive for our needs.

We require our users to enter a password that is alphanumeric at least (i.e., letters and at least one number mandatory; mixed case and non-alphanumeric characters if the user so desires).

Can anyone suggest what PasswordStrengthRegularExpression setting would achieve this?

Also, how can we control the error message shown to the user if the password they try to use fails the regular expression check?

Note

It was found that the minRequiredNonalphanumericCharacters property must be set to 0; otherwise this setting overrides any regular expression that is used.

Richard Ev asked Jan 15 '09 17:01
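The note above is the part most people trip over: the provider's own minRequiredNonalphanumericCharacters check runs in addition to the regular expression, so it has to be set to 0 for the expression alone to decide. The following web.config fragment is an added example (not from the question, the answer, or the ASP.NET documentation) showing the provider configured that way. The provider name, connectionStringName and applicationName values are placeholders; the expression is the one posted in the answer below, and minRequiredPasswordLength is set to 8 so that the provider's built-in length check agrees with it.

```xml
<!-- Added example: membership provider with the regex as the only
     complexity rule. Names and the connection string are placeholders. -->
<configuration>
  <system.web>
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <clear />
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="LocalSqlServer"
             applicationName="/"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="0"
             passwordStrengthRegularExpression="(?=^[^\s]{8,16}$)((?=.*?\d)(?=.*?[A-Z])(?=.*?[a-z])|(?=.*?\d)(?=.*?[^\w\d\s])(?=.*?[a-z])|(?=.*?[^\w\d\s])(?=.*?[A-Z])(?=.*?[a-z])|(?=.*?\d)(?=.*?[A-Z])(?=.*?[^\w\d\s]))^.*" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Because the expression lives in an XML attribute, any `&`, `<` or `"` it contains has to be XML-escaped (`&amp;`, `&lt;`, `&quot;`); the expression shown needs no escaping. When changing the policy, test both acceptance and rejection cases against the deployed configuration, since a provider-level setting that still disagrees with the expression will silently reject passwords the expression allows.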




1 Answer

We just implemented the following expression to validate a password of 8 to 16 characters that contains three of the following four items: an upper case letter, a lower case letter, a symbol, a number.

(?=^[^\s]{8,16}$)((?=.*?\d)(?=.*?[A-Z])(?=.*?[a-z])|(?=.*?\d)(?=.*?[^\w\d\s])(?=.*?[a-z])|(?=.*?[^\w\d\s])(?=.*?[A-Z])(?=.*?[a-z])|(?=.*?\d)(?=.*?[A-Z])(?=.*?[^\w\d\s]))^.*

An explanation of individual components:

  • (?=^[^\s]{8,16}$) - contain between 8 and 16 non-whitespace characters
  • (?=.*?\d) - contains 1 numeric
  • (?=.*?[A-Z]) - contains 1 uppercase character
  • (?=.*?[a-z]) - contains 1 lowercase character
  • (?=.*?[^\w\d\s]) - contains 1 symbol

Notice the double parentheses after the length segment, and later in the expression you'll see several |'s. This allows for the either/or comparison of the four possible combinations that are allowed.

After writing this I just noticed this question was asked over a year ago. Since I had come across this question in my search I hope someone else can also benefit from our solution.

Jeff Hopper answered Sep 23 '22 09:09
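Before putting an expression like this in front of users it is worth checking that it accepts and rejects exactly what you think it does. The script below is an added example, not code from the answer: it compiles the posted expression with Python's `re` module (which supports the same lookahead constructs), writes the same policy out as plain length and character-class checks, and runs both over a set of constructed sample passwords. The sample passwords and the helper names are the example's own. One detail the cross-check makes visible is that `[^\w\d\s]` treats the underscore as a word character, so `_` does not count as a symbol.

```python
import re

# The expression posted in the answer, unchanged, split across adjacent
# string literals for readability (Python joins them into one pattern).
POLICY_RE = re.compile(
    r"(?=^[^\s]{8,16}$)"
    r"((?=.*?\d)(?=.*?[A-Z])(?=.*?[a-z])"
    r"|(?=.*?\d)(?=.*?[^\w\d\s])(?=.*?[a-z])"
    r"|(?=.*?[^\w\d\s])(?=.*?[A-Z])(?=.*?[a-z])"
    r"|(?=.*?\d)(?=.*?[A-Z])(?=.*?[^\w\d\s]))"
    r"^.*"
)


def meets_policy_regex(password: str) -> bool:
    """True if the answer's expression matches the whole password."""
    return POLICY_RE.fullmatch(password) is not None


def classes_present(password: str) -> frozenset:
    r"""Return which of the expression's four character classes occur.

    Mirrors the regex classes \d, [A-Z], [a-z] and [^\w\d\s].  Note that
    '_' is a \w character, so the regex does NOT treat it as a symbol, and
    neither are non-ASCII letters such as 'é' (they are \w as well).
    """
    found = set()
    for c in password:
        if c.isdigit():
            found.add("digit")
        elif "A" <= c <= "Z":
            found.add("upper")
        elif "a" <= c <= "z":
            found.add("lower")
        elif c == "_" or c.isalnum() or c.isspace():
            continue  # \w or \s: contributes to no class
        else:
            found.add("symbol")
    return frozenset(found)


def meets_policy_explicit(password: str) -> bool:
    """The same policy as plain checks, used to cross-check the regex."""
    if not 8 <= len(password) <= 16:
        return False
    if any(c.isspace() for c in password):
        return False
    return len(classes_present(password)) >= 3


# Constructed sample passwords with the verdict the policy should give.
SAMPLES = {
    "Passw0rd": True,            # digit + upper + lower
    "passw0rd!": True,           # digit + symbol + lower
    "Password!": True,           # symbol + upper + lower
    "PASSW0RD!": True,           # digit + upper + symbol
    "passw0rd": False,           # only two classes (digit + lower)
    "Passw_rd": False,           # underscore is \w, so only two classes
    "Passw0r": False,            # 7 characters
    "Passw0rdPassw0rdX": False,  # 17 characters
    "Pass w0rd": False,          # whitespace is never allowed
}


def check_samples() -> list:
    """Return samples where regex, explicit check and expectation disagree."""
    mismatches = []
    for pw, expected in SAMPLES.items():
        by_regex = meets_policy_regex(pw)
        by_rules = meets_policy_explicit(pw)
        if not (by_regex == by_rules == expected):
            mismatches.append((pw, by_regex, by_rules, expected))
    return mismatches


if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r:22} regex={meets_policy_regex(pw)!s:5} "
              f"classes={sorted(classes_present(pw))}")
    print("mismatches:", check_samples())
```

Running the script prints each sample with its regex verdict and the classes found, and an empty mismatch list. The explicit version is the one to keep beside the expression in a unit test: when the policy is later changed, a disagreement between the two is an immediate signal that the new expression does not say what was intended.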