
password regex


Destramic


Hey guys, I'm trying to make a regular expression for a password with the conditions that it must contain 2 of each character: upper case letter, lower case letter, number or symbol... I have the regular expression below individually but how do I put it into one expression please?

 

possible matches:

des$tramic

destram1c

Destramic

^
(?=.*[A-Z].*[!@#$&*])  // upper case  letter with symbol
(?=.*[A-Z].*[a-z]) // upper case letter with lower case letter
(?=.*[A-Z].*[0-9]) // upper case letter with number
(?=.*[!@#$&*].*[0-9]) // symbol with number
(?=.*[a-z].*[!@#$&*]) // lower case character with symbol
(?=.*[a-z].*[0-9]) // lower case character with number
$

thank you


1. It's already in one expression.

2. Those don't match with what you said you wanted to do.

 

Here are some reasonable passwords your current regex(es) won't allow me to use, driving me away from your site:

- de$traM1c

- de$TR4M!C

- de$7rAm!c

- d3sTr4M!c

- DE$tr4m1c

- DE$7ram!c

 

Not to mention that the three examples you gave don't even match...


And why do you need a single regex? This massively reduces readability and robustness (as you can see), so it shouldn't be done at all. Are you struggling with some crappy validator?

 

This kind of password policy is also extremely naive, annoying and counter-productive. Yes, we'd all love to have people come up with and memorize hundreds of super-long, cryptic passwords. But in reality, this isn't gonna happen:

  • The users who don't care about password security will hardly change their mind if you annoy them with error messages. They'll simply add some symbols to their weak password to make your validator happy, which isn't very helpful.
  • The users who do care about security often use a password manager or passphrases. That's when your policy actually gets in their way. For example, I always use 32 hexadecimal digits to represent 128 randomly generated bits. This is a perfect password, yet you won't let me use it. I'd have to manually choose a different one only to get past the stupid validation. That's obviously a problem.

So what's the whole point? I think the whole approach is just nonsense.

 

There are much smarter ways to promote strong passwords:

  • Tell your users about password managers like KeePass. This is really the only realistic solution for managing dozens of different user accounts.
  • Maybe add a password meter as an indicator for the user. This motivates them to choose a strong password instead of punishing them for what you think is a bad password. Since you cannot reliably estimate the strength of the password, it's also important that the check can be bypassed.
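
An added example (not part of any post in this thread): the rule from the question, "at least 2 of the 4 character classes", written in JavaScript as separate named checks and compared with the question's lookaheads joined into one pattern. The sample list reuses passwords quoted in the thread plus one constructed 32-hex-digit string; all function and constant names are hypothetical.

```javascript
// Added example: one named check per character class instead of one regex.
const CLASSES = {
  upper: /[A-Z]/,
  lower: /[a-z]/,
  digit: /[0-9]/,
  symbol: /[!@#$&*]/, // same symbol set as the regex in the question
};

// Returns the names of the character classes present in the password.
function classesPresent(password) {
  return Object.keys(CLASSES).filter((name) => CLASSES[name].test(password));
}

// The rule as stated in the question: at least `min` different classes.
function meetsClassRule(password, min = 2) {
  return classesPresent(password).length >= min;
}

// The question's lookaheads joined into one pattern, for comparison.
// Every lookahead must succeed (AND, with a fixed order inside each), and
// `$` directly after `^` only allows an empty string, so nothing matches.
const QUESTION_REGEX = new RegExp(
  "^" +
  "(?=.*[A-Z].*[!@#$&*])" +
  "(?=.*[A-Z].*[a-z])" +
  "(?=.*[A-Z].*[0-9])" +
  "(?=.*[!@#$&*].*[0-9])" +
  "(?=.*[a-z].*[!@#$&*])" +
  "(?=.*[a-z].*[0-9])" +
  "$"
);

// Passwords quoted in the thread, plus one constructed 32-hex-digit sample.
const SAMPLES = [
  "des$tramic", "destram1c", "Destramic", "de$traM1c", "DE$7ram!c",
  "mypassword", "AAbb11!!",
  "3f9a1c0e7b2d4856a1f09c3e5d7b2a40", // constructed, not a real secret
];

function report() {
  return SAMPLES.map((pw) => ({
    password: pw,
    classes: classesPresent(pw),
    classRule: meetsClassRule(pw),
    questionRegex: QUESTION_REGEX.test(pw),
  }));
}
console.table(report());
```

In the resulting table the joined pattern rejects every sample, while the class count accepts "AAbb11!!" with all four classes and rejects only "mypassword", so the count describes the characters used and not how hard the password is to guess.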

  • Tell your users about password managers like KeePass. This is really the only realistic solution for managing dozens of different user accounts.
  • Maybe add a password meter as an indicator for the user. This motivates them to choose a strong password instead of punishing them for what you think is a bad password. Since you cannot reliably estimate the strength of the password, it's also important that the check can be bypassed.

 

I agree with what you're saying... although you see all major websites ask users to have certain criteria in their passwords... but what I was trying to achieve is:

 

 

- de$traM1c

- de$TR4M!C

- de$7rAm!c

- d3sTr4M!c

- DE$tr4m1c

- DE$7ram!c

 

as all these passwords contain 2 of the wanted criteria (that was the regular expression I was looking for)... as long as the password is encrypted correctly it should be secure, but... allowing a user to choose a simple password such as "mypassword" or something of that nature only reduces security.


as all these passwords contain 2 of the wanted criteria

Correct. But I wasn't talking about that. I was only commenting on the regex you had and how it's not very good.

 

(that was the regular expression I was looking for)

But then you went on to show a regex that does not do what you said.

 

...as long as the password is encrypted correctly it should be secure

*Hashed. But no, that's not necessarily the case.

 

but...allowing a user to choose a simple password such as "mypassword" or something of that nature only reduces security.

Right...

Edited by requinix

Destramic, we all agree that good passwords are very important. The question is how you get there.

 

Sure, a password policy is an obvious and simple approach, which is why it's so popular. But popular doesn't mean good.

 

Do you really believe you can force a user to choose a good password? Do you think a user who at first doesn't give a shit about security suddenly changes their mind and comes up with some really good password? I don't think so. They'll use something like “AAbb11!!” which is just enough to make your validator happy but obviously not secure. At the same time, you get in the way of people who do care about security but simply use a different password scheme (like myself).

 

Long story short, this is nonsense. It may sound good in theory, but it simply doesn't pass the reality check. If you actually care about password security, help your users with practical advice. Give them a link to a good password manager like KeePass, point them to the famous “correct horse battery staple” comic to explain the concept of passphrases. This is something which actually works in reality.

