RegEx for Password Validation (ASP)

Question

Can someone suggest a regular expression for validating a password with the following conditions.

Password must be at least 12 characters long
Password must not begin with a number
- Password must have 3 out of the following 4 characteristics:
- At least one upper case letter (A-Z)
- At least one lower case letter (a-z)
- At least one number (0-9)
- At least one of the following symbols: hyphen ( - ), underscore ( _ ), dollar ( $ ), pound/hash ( # )

I'm using vbscript and classic ASP.

Thanks in advance, m0dest0

To account for the 3/4 characteristics you need a ridiculously long regex to validate all possible combinations.. — FailedDev, Oct 19 '11 at 20:38
I wouldn't say "ridiculous", but unnecessary, to be sure - that is the hardest part about it and the part that regexes are bad at expressing, but procedural programming is great at - you wouldn't hand a person who has only been sweeping floors all his life a job teaching nuclear physics, right? This is all without mentioning that something like that would only tell you YES or NO - not WHICH rule was not satisfied - something else procedural programming is great for... — Code Jockey, Oct 19 '11 at 20:54

ridgerunner · Answer 1 · 2011-10-20T15:34:13.880

Although a bit unwieldy, this can be accomplished in a single regex like so:

Dim myRegExp
Set myRegExp = New RegExp
myRegExp.Pattern = "^(?=.{12})(?![0-9])(?:(?=[^a-z]*[a-z])(?=[^0-9]*[0-9])(?=[^\-_$#]*[\-_$#])|(?=[^A-Z]*[A-Z])(?=[^0-9]*[0-9])(?=[^\-_$#]*[\-_$#])|(?=[^A-Z]*[A-Z])(?=[^a-z]*[a-z])(?=[^\-_$#]*[\-_$#])|(?=[^A-Z]*[A-Z])(?=[^a-z]*[a-z])(?=[^0-9]*[0-9]))[A-Za-z0-9-_$#]+$"
If myRegExp.Test(SubjectString) Then
    ' Successful match
Else
    ' Match attempt failed
End If

Here is a commented version of the regex: (in PHP free-spacing mode syntax - which can be read by mere mortals):

$re_password = '/
    # Match password having multiple, specific requirements.
    ^                       # Anchor to start of string.
    (?=.{12})               # Password must be at least 12 characters long.
    (?![0-9])               # Password must not begin with a number.
    (?:                     # Password must have 3 out of 4 characteristics:
       # Either... Case 1: (All but R1).
      (?=[^a-z]*[a-z])      # R2: At least one lower case letter (a-z).
      (?=[^0-9]*[0-9])      # R3: At least one number (0-9).
      (?=[^-_$\#]*[-_$\#])  # R4: At least one of: [-_$#].
    |  # Or... Case 2: (All but R2).
      (?=[^A-Z]*[A-Z])      # R1: At least one upper case letter (A-Z).
      (?=[^0-9]*[0-9])      # R3: At least one number (0-9).
      (?=[^-_$\#]*[-_$\#])  # R4: At least one of: [-_$#].
    |  # Or... Case 3: (All but R3).
      (?=[^A-Z]*[A-Z])      # R1: At least one upper case letter (A-Z).
      (?=[^a-z]*[a-z])      # R2: At least one lower case letter (a-z).
      (?=[^-_$\#]*[-_$\#])  # R4: At least one of: [-_$#].
    |  # Or... Case 4: (All but R4).
      (?=[^A-Z]*[A-Z])      # R1: At least one upper case letter (A-Z).
      (?=[^a-z]*[a-z])      # R2: At least one lower case letter (a-z).
      (?=[^0-9]*[0-9])      # R3: At least one number (0-9).
    )                       # End group of 3-out-of-4 alternatives.
    [A-Za-z0-9-_$\#]+       # Match the password string.
    $                       # Anchor to end of string.
    /x';

This assumes that a password may not contain characters other than: [A-Z], [a-z], [0-9] and [-_$#]. It is also assumed that a password may contain characters from all 4 types.

The: "3 out of 4 requirements" is solved here by brute force (by explicitly specifying all possible case combinations as a group of alternatives - and repeating the common expressions for each case). This works here because there are only 4 possible cases to be tested, but this method grows very unwieldy if there are more requirements (e.g. "must meet 5 out of 20 requirements..."). As others have stated, there are definite advantages to breaking this up into multiple parts, e.g. you can have a custom error message with each failure mode.

But this can be accomplished with a single regex!

Edit 2011-10-20: Improved efficiency of the 4 requirements lookahead expressions by replacing the lazy-dot-stars with more precise greedy expressions.

Yes by a ridiculously long one :) Thanks for writing it down. I did not have the patience :D. Hell I 'll even +1 you for the effort :) — FailedDev, Oct 19 '11 at 22:25

Code Jockey · Answer 2 · 2011-10-19T20:56:09.163

3

It really doesn't make much sense to try and do this with a single expression, as awesome as that sounds...

I would do it with multiple expressions, because they will run faster, look cleaner, be more maintainable, and the results can be used to provide feedback as to WHY the password doesn't match (should you want to be that nice)

These expressions will validate as indicated:

.{12,}            # Password must be at least 12 characters long
^(?!\d)           # Password must not begin with a number
(.*[A-Z].*)+      # At least one upper case letter (A-Z)
(.*[a-z].*)+      # At least one lower case letter (a-z)
(.*[0-9].*)+      # At least one number (0-9)
(.*[-_$#].*)+     # At least one of the following symbols: hyphen ( - ), underscore ( _ ), dollar ( $ ), pound/hash ( # )

Evaluate each one to a boolean, then provide feedback if enough of them are not satisfied

That being said, this is a very restrictive password policy - just the not starting with a number makes it considerably easier to guess.

I think it COULD be put into one regex, but idunno - I might get around to it

edited Oct 19 '11 at 20:56

answered Oct 19 '11 at 20:48

Code Jockey

6,611
6
33
45

Just stating the obvious, but you don't need a regex to test string length, `Len` should do just fine. – JBert Oct 19 '11 at 21:03
Great, I will give them a try. Thanks – m0dest0 Oct 19 '11 at 21:16
@JBert indeed not - one of the reasons the regex is so incredibly simple. If all the conditions were equal (I.E. it had to satisfy 5 of the 6 conditions, I argue that it would make _more_ sense to use regex to test the length (put all regexes in an array of strings and run through test loop) but since you'll have to make a special case, it doesn't make much more sense then `Len` does - and would be a little cleaner/clearer to someone reviewing the code – Code Jockey Oct 19 '11 at 21:19
1

Your expression: `(.*[A-Z].*)+` is a recipe for disaster (See: [Catastrphic Backtracking](http://www.regular-expressions.info/catastrophic.html). To guarantee one or more of something, the expression only needs to find _one_, i.e. `(?=.*[A-Z])` – ridgerunner Oct 19 '11 at 22:32

score 2 · Accepted Answer · answered Oct 19 '11 at 20:44

When all you have is a hammer eh?

Seriously though, using a regex is not really the correct answer here. If you're dead set on using regexes, then at least break it up into multiple cases and evaluate each individually.

If it were me, I'd just write a set of simple functions that check each case. Eg: one for upper/lower case, one for number, one for special symbols, then a main routine that checks that all your requirements are met. As FailedDev mentioned above, a single regex to handle all these cases would be a pain to both write AND maintain..

Thanks for the comment, as I don't have experience with regex I could not appreciate if that could be ridiculous or even doable. — m0dest0, Oct 19 '11 at 21:16

RegEx for Password Validation (ASP)

3 Answers3

Linked