ansaurus

Question

Answer 1

+4 A:

This is better suited to a validation function that checks your individual criteria one-by-one than an overly complicated regex.

If you're hellbent on using a regex, take a look at this almost identical question... but read the highest voted answer, not just the accepted one.

ceejayoz 2009-08-10 13:47:41

Answer 2

+2 A:

Regular expressions, while elegant if done right, are not fit for all purposes. I would suggest that this is one of the cases it is not suited for.

Don't get me wrong, you can do it with a single RE, but it's likely to be far more complex and hard to maintain than some simple procedural which checks the length and character classes.

paxdiablo 2009-08-10 13:48:16

Answer 3

+7 A:

Regular expressions aren't particularly good at ensuring that particular groups of characters appear a certain number of times. While it's probably possible - it would no doubt be convoluted and non-obvious.

If you're programming in .NET (C# or VB) you can use a simple validation function something like:

bool ValidatePasswordCompliance( string password )
{
    int countDigits = 0;
    int countAlpha  = 0;
    int countOthers = 0;
    foreach( char c in password )
    {
         countDigit += c.IsDigit ? 1 : 0;
         countAlpha += c.IsAlpha ? 1 : 0;
         countOther += !(c.IsAlpha || c.IsDigit) ? 1 : 0;
    }
    return countDigits >= 3 && (countDigits + countAlpha + countOthers) >= 7;
}

If you're working with .NET 3.5 or higher, you could use LINQ to simplify this:

bool ValidatePasswordCompliance( string password )
{
    return password.Count() >= 7 &&
           password.Count( x => x.IsDigit ) >= 3;
}

LBushkin 2009-08-10 13:50:14

Voting up since it gives sample code.

paxdiablo 2009-08-10 13:53:21

I would note, that a real world password validation function may want to check for any reserved characters that are not valid as password characters - particularly if it is intended to work in a multi-language environment like the web.

LBushkin 2009-08-10 13:55:44

Regex can be challenging and rewarding when you craft one that works well but not always the answer. Up vote for pragmatism.

JustSmith 2009-08-10 14:06:46

Answer 4

+1 A:

That said, there are some people out there who actually do it with regular expressions (although they too admit that it's complicated)

http://www.breakingpar.com/bkp/home.nsf/0/87256B280015193F87256C4F005D3717

Robert Harvey 2009-08-10 13:52:12

Answer 5

A:

You can check complexity with regex pretty easily, but its not an end all...

Good article on setting up the different complexities you are looking for:

http://www.zorched.net/2009/05/08/password-strength-validation-with-regular-expressions/

You also might want to run the password against a simple dictionary, to see if it can be bypassed by a dictionary attack.

BigBlondeViking 2009-08-10 13:56:35

ansaurus

tags:

views:

answers:

regular expression for password

related questions