ASP.NET Regular Expression Validator (Password Strength)

I have a validation control that has the following expression:

(?=(.*\\d.*){2,})(?=(.*\\w.*){2,})(?=(.*\\W.*){1,}).{8,}

That's a password with at least 2 digits, 2 alpha characters, 1 non-alphanumeric and 8 character minimum. Unfortunately this doesn't seem to be cross-browser compliant.

This validation works perfectly in Firefox, but it does not in Internet Explorer.

A combination of each of your answers results in:

var format = "^(?=.{" + minLength + ",})" + 
    (minAlpha > 0 ? "(?=(.*[A-Za-z].*){" + minAlpha + ",})" : "") + 
    (minNum > 0 ? "(?=(.*[0-9].*){" + minNum + ",})" : "") + 
    (minNonAlpha > 0 ? "(?=(.*\\W.*){" + minNonAlpha + ",})" : "") + ".*$";

EX: "^(?=.{x,})(?=(.*[A-Za-z].*){y,})(?=(.*[0-9].*){z,})(?=(.*\W.*){a,}).*$"

The important piece is having the (?=.{x,}) for the length first.

nyxtom asked Oct 13 '08 20:10


2 Answers

(?=(.*\W.*){0,}) is not 0 non-alphanumeric characters. It is at least 0 non-alphanumeric characters. If you wanted the password to not contain any non-alphanumeric characters you could do either (?!.*\W) or (?=\w*$).

A simpler solution would be to skip the \W look-ahead, and use \w{8,} instead of .{8,}.

Also, \w includes \d. If you wanted just the alpha you could do either [^\W\d] or [A-Za-z].

/^(?=(?:.*?\d){2})(?=(?:.*?[A-Za-z]){2})\w{8,}$/

This would validate the password to contain at least two digits, two alphas, be at least 8 characters long, and contain only alpha-numeric characters (including underscore).

  • \w = [A-Za-z0-9_]
  • \d = [0-9]
  • \s = [ \t\n\r\f\v]

Edit: To use this in all browsers you probably need to do something like this:

var re = new RegExp("^(?=(?:.*?\\d){2})(?=(?:.*?[A-Za-z]){2})\\w{8,}$");
if (re.test(password)) { /* ok */ }

Edit2: The recent update in the question almost invalidates my whole answer. ^^;;

You should still be able to use the JavaScript code in the end, if you replace the pattern with what you had originally.

Edit3: OK. Now I see what you mean.

/^(?=.*[a-z].*[a-z])(?=.*[0-9].*[0-9]).{3,}/.test("password123") // matches
/^(?=.*[a-z].*[a-z])(?=.*[0-9].*[0-9]).{4,}/.test("password123") // does not match
/^(?=.*[a-z].*[a-z]).{4,}/.test("password123")                   // matches

It seems (?= ) isn't really zero-width in Internet Explorer.

http://development.thatoneplace.net/2008/05/bug-discovered-in-internet-explorer-7.html

Edit4: More reading: http://blog.stevenlevithan.com/archives/regex-lookahead-bug

I think this can solve your problem:

/^(?=.{8,}$)(?=(?:.*?\d){2})(?=(?:.*?[A-Za-z]){2})(?=(?:.*?\W){1})/
new RegExp("^(?=.{8,}$)(?=(?:.*?\\d){2})(?=(?:.*?[A-Za-z]){2})(?=(?:.*?\\W){1})")

The (?=.{8,}$) needs to come first.

Markus Jarderot answered Oct 13 '22 00:10
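
Added example, not part of the original question or answers: a lookahead-free checker for the question's policy that counts each character class in one pass, so the result does not depend on how a browser's regex engine handles (?= ), and that reports which requirement failed. It is compared against the question's final pattern on constructed sample passwords; `POLICY`, `buildPolicyRegex`, `checkPassword`, `disagreements` and `SAMPLES` are names and values assumed for illustration.

```javascript
// Constructed policy matching the question: 8 chars, 2 letters, 2 digits, 1 non-alphanumeric.
const POLICY = { minLength: 8, minAlpha: 2, minNum: 2, minNonAlpha: 1 };

// The question's final pattern, with the length lookahead first.
function buildPolicyRegex(p) {
  return new RegExp("^(?=.{" + p.minLength + ",})" +
    (p.minAlpha > 0 ? "(?=(.*[A-Za-z].*){" + p.minAlpha + ",})" : "") +
    (p.minNum > 0 ? "(?=(.*[0-9].*){" + p.minNum + ",})" : "") +
    (p.minNonAlpha > 0 ? "(?=(.*\\W.*){" + p.minNonAlpha + ",})" : "") + ".*$");
}

// Lookahead-free check: count each class in one pass and list what is missing.
// An empty array means the password satisfies the policy.
function checkPassword(password, p) {
  let alpha = 0, num = 0, nonAlpha = 0;
  for (let i = 0; i < password.length; i++) {
    const ch = password.charAt(i);
    if (/[A-Za-z]/.test(ch)) alpha++;
    else if (/[0-9]/.test(ch)) num++;
    else if (/\W/.test(ch)) nonAlpha++; // "_" is \w, so it counts toward length only
  }
  const failures = [];
  if (password.length < p.minLength) failures.push("length");
  if (alpha < p.minAlpha) failures.push("alpha");
  if (num < p.minNum) failures.push("digit");
  if (nonAlpha < p.minNonAlpha) failures.push("non-alphanumeric");
  return failures;
}

// Constructed sample passwords, including the thread's "password123".
const SAMPLES = ["password123", "pass12!", "ab12!xyz", "12345678!",
                 "abcdefgh!", "a_b_1_2_", "p@ssw0rd9"];

// Returns the samples on which the regex and the counter disagree.
// In an engine with correct lookaheads this is empty; a non-empty result
// points at an engine quirk like the Internet Explorer one described above.
function disagreements(p) {
  const re = buildPolicyRegex(p);
  return SAMPLES.filter(s => re.test(s) !== (checkPassword(s, p).length === 0));
}
```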


This will get you 2 min digits, 2 min characters, and min 8 character length... I refuse to show you how to not allow users to have non-alphanumeric characters in their passwords, why do sites want to enforce less secure passwords?

^(?=.*\d{2})(?=.*[a-zA-Z]{2}).{8,}$

sontek answered Oct 12 '22 22:10