http://nilangshah.wordpress.com/2007/06/26/password-validation-via-re...
Nilang Shah
Articles on .NET, MCMS, C#, SQL Server, HTML/DHTML/CSS and something about me
25-Feb-12 11:32 AM
After the = sign comes \w*\d. Again, any alphanumeric character can occur zero or more times, then a digit (\d means any digit from 0 to 9) must occur. So this checks that there is at least one number in the string. But since the lookahead does not consume the string, that one digit can appear anywhere in the string.
The next atom (grouping) is (?=\w*[a-z]). This is similar to the digit grouping, except it looks for a lower case letter. Again, the lower case letter can appear anywhere, but there has to be at least one.
The third atom is (?=\w*[A-Z]), which looks for an upper case letter somewhere in the string.
At the end is zero or more alphanumeric characters. To match this string, the minimum number of characters needed is 3 (one upper case letter, one lower case letter, and one number).
In this third example:
Must be at least 10 characters
Must contain at least one lower case letter, one upper case letter, one digit and one special character
Valid special characters are: @#$%^&+=
^.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$
As you can see in the regex, the list of special characters is configurable.
This entry was posted on Tuesday, June 26th, 2007 at 8:08 am and is filed under .NET, General, HTML/DHTML/CSS. You can
follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
Literacy_Hooligan says:
November 9, 2007 at 7:44 am
Actually the third example lets through a HEX expression %00 (null), which in ASCII code means
end of file. Many viruses operate on %00 and many hackers also use it to bypass the password
system.
I haven't found a way to change it but I'm working on it and I will post it here soon.
fokeerbux says:
February 24, 2008 at 1:38 am
Hi, I'm doing my project on security.
If you can help with this one:
be between 8 and 12 characters long
contain at least three of the following:
one lower case letter (a, b, c etc)
one upper case letter (A, B, C etc)
one numeral (1,2,3 etc)
one of the following characters: ! # $ @
Sosys says:
May 11, 2008 at 7:22 am
How to require at least one letter and one number, and allow only letters and numbers?
Very useful information. I was looking for something like this on the web and I'm glad I found this post.
Thanks a lot.
Robert says:
May 13, 2008 at 4:19 pm
Not sure what the problem is. This regex does NOT allow special characters of & + =
could be a problem with the .Net framework
^.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$
are you aware?
Jared says:
September 3, 2008 at 12:06 pm
I used the third example in C# for password validation, and found that it allows the user to enter spaces as characters for the password. How can I edit the regular expression to not allow spaces?
Using this regex:
^.*(?=.{10,32})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%*^&(){}]).*$
Hardik says:
April 11, 2009 at 7:11 am
Superb!
Thanks
Alps says:
July 29, 2009 at 4:44 am
Easy to understand!
Thanks
pam says:
August 6, 2009 at 3:59 pm
Fozzy says:
September 29, 2009 at 5:01 pm
I'm doing this on PHP 5 and it appears that the starting .* in expression three is redundant and can be eliminated (at least, I did and it works fine).
^(?=.{10,32})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%*^&(){}]).*$
Analyzing this, you basically can pull the atoms out and you can see this
^.*$
Which reads accept any number of characters.
Putting the atoms back states that the string must meet the atom criteria. For example, if we just
wanted to limit the size we use the size atom.
^(?=.{10,32}).*$
Accept between 10 and 32 characters of any type.
If you wanted to make sure it also had at least 1 digit:
^(?=.{10,32})(?=.*\d).*$
Accept between 10 and 32 characters and must have any number of digits.
Now, we simply don't care how many digits they use. If you only wanted them to use a specific number of digits, you'd have to change the (.*) portion of the digit atom. As an example, let's limit it to between 2 and 4 digits:
^(?=.{10,32})(?=\d{2,4}).*$
In this way, we can keep building up your password regex criteria.
If you wanted to allow the user to pick 2 or 3 of the 4 criteria, such as:
Your password must contain at least 3 of the following criteria: Upper-case, Lower-case, Number, and special character
You need to use the or (|) and build up all the possible combinations. Allowing any 3 of the 4 criteria would create:
^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).*$
|
^(?=.*\d)(?=.*[a-z])(?=.*[@#$%^&+=]).*$
|
^(?=.*\d)(?=.*[A-Z])(?=.*[@#$%^&+=]).*$
|
^(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$
(There's no limit to size, but clearly the password has to be at least 3 characters long since it has to have at least 3 unique characters in the string)
Another issue you might see is that it allows ANY character (Nulls, Newlines, etc) in the string as long as AT LEAST the criteria characters are met.
Meaning, you can have:
aB3{space}{newline}{etc..}
and it will still be accepted. To limit what characters your string can contain to only the characters listed in your criteria (alpha-numeric and the listed special characters), you have to edit the (.*) to be the list of characters you want to accept, such as ([a-zA-Z0-9@#$%^+=]*).
Taking the atoms out, you will have a base Regex like this:
^[a-zA-Z0-9@#$%^+=]*$
Simply add the atoms you want for criteria back in. Here's what I use:
Require 3 of 4 criteria of: upper-case, lower-case, number, or the following special characters (@#$%^+=). No other characters are allowed.
^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[a-zA-Z0-9@#$%^&+=]*$
|
^(?=.*\d)(?=.*[a-z])(?=.*[@#$%^&+=])[a-zA-Z0-9@#$%^&+=]*$
|
^(?=.*\d)(?=.*[A-Z])(?=.*[@#$%^&+=])[a-zA-Z0-9@#$%^&+=]*$
|
^(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=])[a-zA-Z0-9@#$%^&+=]*$
Add/remove special characters or atoms as you need.
dan says:
November 26, 2009 at 8:43 am
I think I found a little flaw in the last regex. This regex allows you to put !any! character at the end of the string, regardless of what you defined as valid characters.
Test it against 0123456789aA+* and you will see.
I also think the leading .* can be dismissed since it is present in all positive lookaheads. The last .* is the source of the flaw since it allows any character to follow the valid characters.
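As an added example, not code from the post or from any of its commenters, the following Python script runs the post's third regex and a hardened variant against constructed inputs drawn from the comments (Jared's space, Fozzy's newline, dan's 0123456789aA+*), and implements Fozzy's "any 3 of 4 criteria" rule by counting atoms instead of enumerating alternations. The names ARTICLE_THIRD, HARDENED, ALLOWED, ATOMS and meets_n_of are this example's own assumptions.

```python
import re

# Pattern quoted from the post's third example.
ARTICLE_THIRD = r"^.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$"

# Hardened variant (assumed here): the same lookahead atoms, but the consuming
# part is a restricted character class carrying the length limit, applied with
# fullmatch() so nothing outside the class (space, newline, '*') can appear.
ALLOWED = r"a-zA-Z0-9@#$%^&+="
HARDENED = rf"(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=])[{ALLOWED}]{{10,32}}"

# One atom per character class, for the "any N of 4" rule asked about in the comments.
ATOMS = (r"\d", r"[a-z]", r"[A-Z]", r"[@#$%^&+=]")

def article_ok(candidate: str) -> bool:
    """Validate the way the post does: re.match() with ^...$ inside the pattern."""
    return re.match(ARTICLE_THIRD, candidate) is not None

def hardened_ok(candidate: str) -> bool:
    """fullmatch() makes the whole input fit the pattern; a bare '$' would still
    match before a trailing newline (Python and .NET both behave this way)."""
    return re.fullmatch(HARDENED, candidate) is not None

def meets_n_of(candidate: str, n: int = 3, min_len: int = 10, max_len: int = 32) -> bool:
    """Fozzy's 'at least 3 of 4 criteria' rule without enumerating every alternation:
    restrict the character set and length first, then count the atoms that occur."""
    if re.fullmatch(rf"[{ALLOWED}]{{{min_len},{max_len}}}", candidate) is None:
        return False
    return sum(re.search(atom, candidate) is not None for atom in ATOMS) >= n

# Constructed test inputs illustrating the comments on the post.
CASES = {
    "good": "Passw0rd@123",
    "with_space": "Passw0rd @123",        # Jared: spaces get through the third regex
    "trailing_newline": "Passw0rd@123\n",  # Fozzy: newlines get through too
    "star_at_end": "0123456789aA+*",       # dan's test string
    "too_short": "Pa0@",
}

def evaluate(cases=CASES):
    """Return {name: (article_regex_accepts, hardened_accepts)} for each input."""
    return {name: (article_ok(pw), hardened_ok(pw)) for name, pw in cases.items()}

if __name__ == "__main__":
    for name, (article, hardened) in evaluate().items():
        print(f"{name:17} article={article!s:5} hardened={hardened}")
```

Every input except "too_short" passes the post's regex because its trailing .* consumes whatever follows the required characters; the hardened pattern rejects the three inputs containing a character outside the allowed class.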