tags:

views:

199

answers:

6
Q: 

ASP.net PasswordStrengthRegularExpression to prevent common passwords like "11111" or "123456"

A customer asked me to prevent users from typing common passwords, but permit them to use only alphanumeric passwords.

Do you know a regular expression to use in the built in PasswordStrengthRegularExpression option?

Edit: I know is pretty vague, and that what I told the client. The definition is something like

  • Do not allow the same character more that 3 consecutive times.(1111, 2222, etc)
  • Do not allow ascending or descending trends (12345, abcde, 6543, etc.)
+1  A: 

How about this one?

passwordStrengthRegularExpression=" @\"(?=.{6,})(?=(.*\d){1,})(?=(.*\W){1,})"

Validates the password meets the following criteria:

  • Is greater than seven characters.
  • Contains at least one digit.
  • Contains at least one special (non-alphanumeric) character.

http://msdn.microsoft.com/en-us/library/system.web.security.membership.passwordstrengthregularexpression.aspx

Robert Harvey  2010-06-07 20:43:01
The `{1,}` are redundant (and might even slow things down): you only care that it matches once, not that it consumes as many copies of the match as possible. Also, your quotes are messed up; your string starts with `" @\"`, when I think you mean for it to start with `@"`.
Antal S-Z  2010-06-07 20:46:51
@Antal: The code above is not C#, it is an XML attribute.
Robert Harvey  2010-06-07 20:49:09
Guh, disregard that—I've never even *used* C#, I just answered a regex question on it and had it on the brain. Wow. My bad.
Antal S-Z  2010-06-07 20:52:45
But the point about the `{1,}` is still valid. I know that's how it appears in the docs, but it's wrong. Whoever wrote those docs had very weak regex-fu.
Alan Moore  2010-06-07 21:37:43
Not what I asked for. Sorry.
Eduardo Molteni  2010-06-07 21:59:25
A: 

try this:

passwordStrengthRegularExpression="^\S*([a-zA-Z0-9]{1,10})$"
Ratan  2010-06-07 20:43:02
A: 

This may be of some help:

http://info4tech.wordpress.com/2007/08/07/regular-expressions-for-strong-password-in-aspnet/

David  2010-06-07 20:44:15
Not what I asked for. Sorry.
Eduardo Molteni  2010-06-07 22:01:34
A: 

You can assert a minimum level of complexity; e. g. "at least one uppercase, one lowercase letter, one digit, minimum length 6 characters, only alphanumeric characters" could be written as

 ^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])[A-Za-z0-9]{6,}$
Tim Pietzcker  2010-06-07 20:45:06
Not what I asked for. Sorry.
Eduardo Molteni  2010-06-07 22:00:00
+1  A: 

I'm not sure if a regular expression can handle the requirement, but a function just may be more readable anyway. Something like the below will eliminate anything with three consecutive equal characters or three consecutive characters that are follow an ascending or descending pattern of 1 (letters or numbers).

static bool IsPasswordRelativelyStrong(string input)
{
    for (int i = 2; i < input.Length; i++)
    {
        if (input[i] == input[i - 1] - 1 && input[i - 1] == input[i - 2] - 1)
            return false;
        else if (input[i] == input[i - 1] + 1 && input[i - 1] == input[i - 2] + 1)
            return false;
        else if (input[i] == input[i - 1] && input[i - 1] == input[i - 2])
            return false;
    }

    return true;
}

So given the following array 

string[] passwords = { "123456", "abcde", "654321", "111223", "11223344" };

Only the final one passes. The function could be expanded to consider whether or not you allow and/or require non-alphanumeric characters and whether a password must exceed a minimum length requirement.

Anthony Pegram  2010-06-07 22:28:59
That's what I have in mind. Just didn't want to reinvent the wheel. Thanks
Eduardo Molteni  2010-06-08 00:54:32
+1  A: 

That's asking way too much from a regex. You could cover the repeated characters thing easily enough:

^(?:(.)(?!\1\1)){6,}$

But the only way to disallow runs of sequential characters would be to enumerate all the possibilities:

^(?:(?!123|234|345|456|567|678|789).)*$

...ad infinitum. I think the best you can do is require a complex mix of character types--for example, at least two each of uppercase letters, lowercase letters and digits:

^(?=(?:[^0-9]*[0-9]){2})
 (?=(?:[^A-Z]*[A-Z]){2})
 (?=(?:[^a-z]*[a-z]){2})
 (?:([A-Za-z0-9])(?!\1\1)){6,}$

That will force the users to be a little creative.

Alan Moore  2010-06-08 00:30:59
Thanks for your answer.
Eduardo Molteni  2010-06-08 11:01:51

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps