Password strong - not require each condition

Question

Hi
It's my first post, so hello everybody. I have problem with regex expression. I have password validation by regex.This is my expression:

^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$  

It works - the password must contain at least 1 digit, at least 1 lower case letter, at least 1 upper case letter and at least special character: @#$%^&+=. So I have to input all this characters.

But I'd like password, which has at least 3 combination, not all 4.
So these passwords should be good:

2Df (not special character), dF# (not digit), a4% (not upper case). I'd like to ask, how this regex expression should look? I could write each expression to check each combination, for example:

• Not include digit: ^(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$
• Not include upper case: ^(?=.*\d)(?=.*[a-z])(?=.*[@#$%^&+=]).*$

But maybe I can do it in one expression. Thanks for help.

Regards

Answer 1

Why did you use regular expression for that? Simply iterate over your password string and count number of desired character types. In PHP you can use function like count_chars().

Pseudo code for that:

      foreach(password as char) {
        if (is_digit(char))
           digits++;
        if (is_specialchar(char))
           special++;
        if (is_lower(char))
           lower++;
        if (is_upper(char))
           upper++;
        //etc
      }

Now you can define any requirements you wish

      if (dgits > 0) and (lower > 0) and (special > 0)
         passowrd_ok()
      else
         password_bad()

in your case you can smartly count

     if (lower > 0)
        diversity++;
     if (upper > 0)
        diversity++;
     if (special > 0)
        diversity++;
     if (digit > 0)
        diversity++;

     if (diversity >= 3)   //at least 3 different types of characters in password
        pass_ok()

Answer 2

If you have to do it with regular expressions, I'd suggest (for clarity's sake) to check all four conditions after one another. For readability, you could first try to find \d in your password, then [a-z], then [A-Z] and then [@#$%^&+=] (although you might want to use [\W_] instead to allow more than just those few extra characters). Then check if at least three of these worked.

If you have to do it in a single regex, you could use alternation:

^((?=.*[a-z])(?=.*[A-Z])(?=.*\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[\W_])|(?=.*[\W_])(?=.*[A-Z])(?=.*\d)|(?=.*[a-z])(?=.*[\W_])(?=.*\d)).*$

but that is just ugly.