negative regex for password review

Question

I have already tried several options on this topic here on Stackoverflow, but none of them worked.

I have a database of passwords that I need to review for compliance.

I figured how to build an expression to match the passwords that are compliant with the required complexity:

8-32 characters letters numbers special characters

^(?=.*[a-z])(?=.*[A-Z])(?=.*[[:digit:]])(?=.*[[:punct:]]).{8,32}

Now, all I need to do is to get the negative of the above expression to find the password that do not match the required complexity.

I tried to change the expression to this:

(?!^(?=.{8,32}$)(?=.*[[:alpha:]])(?=.*[[:digit:]])(?=.*[[:punct:]])).*

but that does not work.

Thanks for your help

Why not negate your test method. What tool are you using to run regex? — anubhava, Apr 22 '21 at 14:12
Or use a negative lookahead per assertion `^(?!.{8,32}$)(?!.*[[:alpha:]])(?!.*[[:digit:]])(?!.*[[:punct:]]).*` — The fourth bird, Apr 22 '21 at 14:12
Thank you for your reply. I use https://regex101.com/ . Unfortunately the expression you suggested does not capture strings like "pass" as a password. — Bluz, Apr 22 '21 at 14:34

score 1 · Accepted Answer · answered Apr 22 '21 at 16:02

1

You can reverse your assertion using negative lookahead with alternations like this:

^(?:(?!.*[a-z])|(?!.*[A-Z])|(?!.*[[:digit:]])|(?!.*[[:punct:]])|(?!.{8,32}$)).*

RegEx Demo

RegEx Details:

^: Start
(?:: Start non-capture group
- (?!.*[a-z]): we don't have a lowercase letter ahead
- |: OR
- (?!.*[A-Z]): we don't have a uppercase letter ahead
- |: OR
- (?!.*[[:digit:]]): we don't have a digit ahead
- |: OR
- (?!.*[[:punct:]]): we don't have a punctuation character ahead
- |: OR
- (?!.{8,32}$): we don't have 8 to 32 characters ahead
):
.*

answered Apr 22 '21 at 16:02

anubhava

761,203
64
569
643

Fantastic! Thanks very much @anubhava, this one seems to work. However, interestingly enough, it matches passwords such as "KJ+&)1O{v^R+q}" as negative pattern? I wonder if it's because arithmetic symbols do not count as :punct: ? - I'll give that a try and post back here. – Bluz Apr 23 '21 at 12:24
ok I have just discovered fire hre but obviously, characters such as percentage,plus,minus,british pound sign, dollar, etc... do not seem to have a class of their own... So, the expression I was looking for, with anubhava's help, was : /^(?:(?!.*[a-z])|(?!.*[A-Z])|(?!.*[[:digit:]])|(?!.*[[:punct:]])|(?!.{8,32}$)|(?!.*[\`\-\=\[\]\;\'\#\,\.\/\\\¬\!\"\£\$\%\^\&\*\_\+\{\}\:\@\~\<\>\?\|])).* – Bluz Apr 23 '21 at 12:47
`KJ+&)1O{v^R+q}` is a valid password that's why it is not matched by above regex. Do you want to treat it as an invalid case? – anubhava Apr 23 '21 at 13:43
Also please understand that `% + - $ # !` etc are all matched as punctuation symbols only. – anubhava Apr 23 '21 at 13:51

score 0 · Answer 2 · answered Apr 23 '21 at 12:49

This regex will highlight bad passwords that are shorter than 8 characters, don't have special characters, upper/lower case letters and numbers:

/^(?:(?!.*[a-z])|(?!.*[A-Z])|(?!.*[[:digit:]])|(?!.*[[:punct:]])|(?!.{8,32}$)|(?!.*[\`\-\=\[\]\;\'\#\,\.\/\\\¬\!\"\£\$\%\^\&\*\(\)\_\+\{\}\:\@\~\<\>\?\|])).*

negative regex for password review

2 Answers2