RegEx for Password Complexity Validation

I often hear on-premises infrastructure described as 'legacy'. When you consider the innovation, rate of change, advantages and proliferation of cloud technologies, I guess it's inevitable that on-prem is thought of as the distant past. The problem I have with such branding is that on-prem isn't going anywhere, anytime soon, and ignoring its continued significance is a dangerous game: the next few years will be dominated by hybrid infrastructure - a mixture of 'legacy' on-prem and 'sky-breaking' in-cloud. Let's embrace and celebrate both.

What's that brain burp got to do with this post? There's a tenuous link: last week I attended some excellent, internal training on B2C. It's REALLY cool stuff - Identity as a Service. Anyway, within the policies one has to create for this cloud technology, I found all sorts of examples of lovely, spiky RegEx. Tenuous, huh?

I'm going to share a couple of the more choice examples in this post and the next.

Want some RegEx to enforce passwords of 8-16 characters that satisfy at least three of the following four conditions?

• lowercase characters
• uppercase characters
• digits (0-9)
• one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; . £


No problem… check out this bad-boy…

  ^((?=.*[a-z])(?=.*[A-Z])(?=.*\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]))([A-Za-z\d@#$%^&£*\-_+=[\]{}|\\:',?/`~"();!]|\.(?!@)){8,16}$

What's going on?

Each lookahead demands that at least one character of its kind appears somewhere in the password, so an alternative only succeeds when all three of its categories are present; the four alternatives are the four ways of choosing three categories out of four.

(?=.*[a-z])(?=.*[A-Z])(?=.*\d)   …requires a lower case letter, an upper case letter and a digit
(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])   …requires a lower case letter, an upper case letter and a special character (i.e. anything other than a letter or digit)
(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z0-9])   …requires a lower case letter, a digit and a special character
(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9])   …requires an upper case letter, a digit and a special character


The password must also match the following restrictions:

[A-Za-z\d@#$%^&£*\-_+=[\]{}|\\:',?/`~"();!]   …the list of all acceptable characters (without .)
\.(?!@)   …or a . may appear, as long as it is not immediately followed by @
{8,16}   …the length must be between 8 and 16 characters inclusive

Note that the special-character lookahead accepts any non-alphanumeric character, but only the characters in this list can actually appear in the password, so a password whose only "special" character is, say, a space will still be rejected.


Awesome.

Now let's test with PowerShell.

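The PowerShell test the post refers to above, as an added example that is not part of the original post. It uses the regex exactly as given; the Test-PasswordComplexity function and the sample passwords are constructed here.

```powershell
# Added example (not from the original post): exercising the B2C password regex in PowerShell.
# Single-quoted here-string: '$', '`' and '"' are all literal, so the pattern is not mangled
# by variable expansion or backtick escaping (a double-quoted @"..."@ would swallow the backtick).
$RegEx = @'
^((?=.*[a-z])(?=.*[A-Z])(?=.*\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]))([A-Za-z\d@#$%^&£*\-_+=[\]{}|\\:',?/`~"();!]|\.(?!@)){8,16}$
'@

function Test-PasswordComplexity {
    param([Parameter(Mandatory)][string]$Password)
    # -cmatch, not -match: PowerShell's -match is case-insensitive, which would make the
    # [a-z] and [A-Z] lookaheads indistinguishable and wave through all-lowercase passwords.
    return [bool]($Password -cmatch $RegEx)
}

# Constructed sample inputs with the verdict the regex should give for each.
$samples = @(
    @{ Password = 'Passw0rd';          Expected = $true  }  # lower + upper + digit, 8 chars
    @{ Password = 'PASSW0RD!';         Expected = $true  }  # upper + digit + symbol
    @{ Password = 'Passw0rd.x';        Expected = $true  }  # '.' allowed when not followed by '@'
    @{ Password = 'password';          Expected = $false }  # only one category
    @{ Password = 'PASSW0RD';          Expected = $false }  # only two categories
    @{ Password = 'Passw0r';           Expected = $false }  # 7 chars, too short
    @{ Password = 'Passw0rdPassw0rd1'; Expected = $false }  # 17 chars, too long
    @{ Password = 'Passw0rd.@x';       Expected = $false }  # '.' immediately followed by '@'
    @{ Password = 'Passw0rd x';        Expected = $false }  # space satisfies the symbol lookahead but is not an allowed character
)

foreach ($s in $samples) {
    $actual  = Test-PasswordComplexity -Password $s.Password
    $verdict = if ($actual -eq $s.Expected) { 'OK  ' } else { 'FAIL' }
    '{0} {1,-20} matched={2}' -f $verdict, $s.Password, $actual
}
```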

Comments

  • Anonymous
    October 30, 2016
    Regex manages to be so good, but look so bad at the same time. I think to be honest it's better to just craft password complexity regex stuff using live Javascript enabled debugging websites to gradually test it as you go along - it tends to be far easier than deciphering pre-written regex because the syntax is always really off-putting. :P
  • Anonymous
    July 20, 2017
    The comment has been removed
    • Anonymous
      September 26, 2017
      Hi Uzma, check your script. Have you got JUST the search string on the second of the three lines defining $RegEx?
      $RegEx = @"
      ^((?=.*[a-z])(?=.*[A-Z])(?=.*\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]))([A-Za-z\d@#$%^&£*\-_+=[\]{}|\\:',?/`~"();!]|\.(?!@)){8,16}$
      "@