Regular expression to enforce complex passwords, matching 3 out of 4 rules

Tags:

regex

I have the following criteria for creating a regular expression for a password that conforms to the following rules:

  1. The password must be 8 characters long (this I can do :-)).

The password must then contain characters from at least 3 of the following 4 rules:

  1. Upper case
  2. Lower case
  3. Numbers
  4. Non-alpha numeric

I can make the expression match ALL of those rules with the following expression:

/^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\W]).{8,}$/

But I am struggling with how to do this in such a way that it only needs to solve any 3 of the 4 rules.

Can anyone help me out with this?

asked Aug 12 '10 10:08 by dagda1



2 Answers

Don't use one regex to check it then.

if (password.length < 8)
  alert("bad password");

var hasUpperCase = /[A-Z]/.test(password);
var hasLowerCase = /[a-z]/.test(password);
var hasNumbers = /\d/.test(password);
var hasNonalphas = /\W/.test(password);

// true + true + false + ... is coerced to a number, so this counts matched rules
if (hasUpperCase + hasLowerCase + hasNumbers + hasNonalphas < 3)
  alert("bad password");

If you must use a single regex:

^(?:(?=.*[a-z])(?:(?=.*[A-Z])(?=.*[\d\W])|(?=.*\W)(?=.*\d))|(?=.*\W)(?=.*[A-Z])(?=.*\d)).{8,}$ 

This regex is not optimized for efficiency. It is constructed by A·B·C + A·B·D + A·C·D + B·C·D with some factorization. Breakdown:

^
(?:
    (?=.*[a-z])       # 1. there is a lower-case letter ahead,
    (?:               #    and
        (?=.*[A-Z])   #     1.a.i) there is also an upper-case letter, and
        (?=.*[\d\W])  #     1.a.ii) a number (\d) or symbol (\W),
    |                 #    or
        (?=.*\W)      #     1.b.i) there is a symbol, and
        (?=.*\d)      #     1.b.ii) a number ahead
    )
|                     # OR
    (?=.*\W)          # 2.a) there is a symbol, and
    (?=.*[A-Z])       # 2.b) an upper-case letter, and
    (?=.*\d)          # 2.c) a number ahead.
)
.{8,}                 # the password must be at least 8 characters long.
$
answered Oct 10 '22 18:10 by kennytm


You could write a really sophisticated regex to do that. Instead, I’d suggest writing four distinct regexes, one for each rule, and testing them one by one, counting how many of them matched. If three out of four did, accept the password.

answered Oct 10 '22 18:10 by scy
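Both answers come down to counting how many of the four character classes a password hits. As an added example (not code from either answer), here is that count as a reusable function next to the single regex from the first answer, run over constructed sample passwords that cover the edge cases of `\W` and the length rule; `checkPassword`, `RULES`, `SAMPLES` and `approachesAgree` are this example's own names.

```javascript
// Added example, not from the original answers: rule counting vs. the
// single regex, checked against constructed sample passwords.

// Single-regex form from the first answer: 3 of 4 classes and length >= 8.
const THREE_OF_FOUR_RE =
  /^(?:(?=.*[a-z])(?:(?=.*[A-Z])(?=.*[\d\W])|(?=.*\W)(?=.*\d))|(?=.*\W)(?=.*[A-Z])(?=.*\d)).{8,}$/;

// One regex per rule; each is tested independently and the matches counted.
const RULES = {
  upper: /[A-Z]/,
  lower: /[a-z]/,
  digit: /\d/,
  symbol: /\W/, // caveat: `_` is a word character, so it does NOT count as a symbol
};

// Returns { ok, length, matched } so a caller can explain why a password was rejected.
function checkPassword(password, { minLength = 8, required = 3 } = {}) {
  const matched = Object.keys(RULES).filter((name) => RULES[name].test(password));
  const ok = password.length >= minLength && matched.length >= required;
  return { ok, length: password.length, matched };
}

// Constructed sample passwords (not real credentials) with the expected verdict.
const SAMPLES = [
  ["abcdefgh", false], // lower only
  ["abcdEFGH", false], // lower + upper: only 2 classes
  ["abcdEF12", true],  // lower + upper + digit
  ["abcd12!?", true],  // lower + digit + symbol
  ["ABCD12!?", true],  // upper + digit + symbol
  ["aB1!", false],     // all four classes but shorter than 8
  ["abcdEFG_", false], // `_` is \w, so still only 2 classes
  ["abcdEFGé", true],  // `é` is outside \w, so \W counts it as a symbol
];

// Both approaches must give the same verdict on every sample.
function approachesAgree() {
  return SAMPLES.every(
    ([pw, expected]) =>
      checkPassword(pw).ok === expected && THREE_OF_FOUR_RE.test(pw) === expected
  );
}
```

The last two samples show the caveat in the answers' `\W` rule: without the `u` flag and a Unicode-aware class, an underscore is never a symbol while any non-ASCII letter is, so choose the symbol class deliberately before shipping either form.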