I am having a bit of a hard time with a password requirement regular expression for an ASP.NET project.

Our requirements are the following:

  • Must be at least 8 characters
  • Must have at least 3 of the 4 following:
    • Have at least 1 UPPERCASE letter
    • Have at least 1 lowercase letter
    • Have at least 1 special character
    • Have at least 1 number

The regular expression I am using is as follows (this is escaped and encoded for use in the web.config xml file):

```
passwordStrengthRegularExpression="^.*(?=.{8,})(?=.*[a-zA-Z])(?=.*\d)(?=.*[!@#$%^&*()\?\+\,\-\.\/\:\:\;\<\=\>\[\]\\_\`\{\|\}\~\"\']).*$"
```

I can't figure out how to allow for one of the requirements to be optional.

The password Reaction7 should be sufficient, but it is rejected because it doesn't have a special character.

Anyone know what I can do to evaluate the 3 out of 4 requirements other than length?

lc.
CodeWarrior
  • I'm no expert on regex, but the only way I can think of is to have separate pieces of the regex for each permutation of requirements. This would get unwieldy pretty quickly, you might want to consider only using regex for parts of it. The issue here is that in regex you can't take its decision from a previous part of the expression into consideration in a later part, so you can't have it remember which requirements have or haven't been met. – boztalay Oct 17 '12 at 16:33
  • Yes, it can be done with a single regex. See my answer to a very similar question: [RegEx for Password Validation (ASP)](http://stackoverflow.com/a/7828925/433790) – ridgerunner Oct 17 '12 at 17:01
  • I am afraid that is just too unwieldy for me. I am using the regex in the answer by lc. for the time being, and we are just revising our password requirements so that no x out of y evaluation has to be made. – CodeWarrior Oct 17 '12 at 18:03

1 Answer

Not sure I like this solution, but if you're limited to using only a single regex (which looks like the case), you could enumerate all possibilities with a pipe-or group:

```
passwordStrengthRegularExpression="^.*(?=.{8,})((?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*()\?\+\,\-\.\/\:\:\;\<\=\>\[\]\\_\`\{\|\}\~\"\'])|(?=.*[a-z])(?=.*\d)(?=.*[!@#$%^&*()\?\+\,\-\.\/\:\:\;\<\=\>\[\]\\_\`\{\|\}\~\"\'])|(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()\?\+\,\-\.\/\:\:\;\<\=\>\[\]\\_\`\{\|\}\~\"\'])|(?=.*[a-z])(?=.*[A-Z])(?=.*\d)).*$"
```

It is rather long but does get the job done. Adding a fifth requirement will make this string explode in size though, so it's not exactly "extendable".

lc.
  • "this is escaped and encoded for use in the web.config xml file" so I'm afraid he _has_ to use a single regex :-( – John Dvorak Oct 17 '12 at 16:39
  • Alright. I might implement that for now, but I think I will try to talk the Ops team into making the password requirements a little tighter. If I can get them to do that, then my original regex should work. – CodeWarrior Oct 17 '12 at 16:53
  • @CodeWarrior That sounds like a good idea to me. It would make for stronger passwords too :) – lc. Oct 17 '12 at 16:55
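
A generator for the pipe-or enumeration in the answer above, as an added example that is not part of the original thread: it builds the k-of-n lookahead regex from a table of character classes, checks it against a plain counting implementation of the same policy, and XML-escapes the result for the `passwordStrengthRegularExpression` attribute. It is written in Python, which shares the lookahead syntax used here with .NET; the special-character class is a simplified stand-in for the list in the question, and the function names and sample passwords are constructed for illustration.

```python
import re
from itertools import combinations
from xml.sax.saxutils import quoteattr

# Character classes for the four requirements. "special" is a simplified
# stand-in (assumption), not the exact character list from the question.
CLASSES = {
    "upper": r"[A-Z]",
    "lower": r"[a-z]",
    "digit": r"\d",
    "special": r"[^A-Za-z0-9]",
}

def k_of_n_pattern(classes, k, min_len=8):
    """One regex: at least min_len characters and any k of the classes."""
    branches = [
        "".join(f"(?=.*{classes[name]})" for name in combo)
        for combo in combinations(classes, k)
    ]
    return rf"^(?=.{{{min_len},}})(?:{'|'.join(branches)}).*$"

def policy_ok(password, classes, k, min_len=8):
    """Reference check: count the classes present instead of enumerating."""
    met = sum(1 for rx in classes.values() if re.search(rx, password))
    return len(password) >= min_len and met >= k

# Constructed sample passwords, one per pass/fail reason.
SAMPLES = ["Reaction7", "reaction7!", "REACTION7", "reaction", "Re7!", "12345678"]

def disagreements(classes, k, samples=SAMPLES):
    """Passwords on which the generated regex and the counter differ."""
    rx = re.compile(k_of_n_pattern(classes, k))
    return [p for p in samples if bool(rx.match(p)) != policy_ok(p, classes, k)]

def as_config_attribute(pattern):
    """XML-escape the pattern for use as a web.config attribute value."""
    return "passwordStrengthRegularExpression=" + quoteattr(pattern)

if __name__ == "__main__":
    pattern = k_of_n_pattern(CLASSES, 3)
    print(as_config_attribute(pattern))
    print("branches for 3 of 4:", pattern.count("|") + 1)
    print("disagreements:", disagreements(CLASSES, 3))
```

Passing a table with a fifth class and `k=3` produces 10 branches instead of 4, which is the growth the answer warns about.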