Password Validation Via Regular Expression Nilang Shah

Password Validation via Regular Expression Nilang Shah
1 of 10
http://nilangshah.wordpress.com/2007/06/26/password-validation-via-re...
Nilang Shah
Articles of .NET,MCMS, C#, SQL Server, HTML/DHTML/CSS and somethnig about me
Home
About Me
Disclaimer
Password Validation via Regular Expression

I have recently been working on Password validation via regular expression, after so many researches I came
across very good quality articles so I recapitulate over here.
When it comes to password validation using regular expressions, things can get a bit complicated. Normally,
you want people to enter a good password that has a mix of numbers and letters. But you may not care
where the numbers and letters appear. So youre not looking for a pattern in the string. You just want a
letter somewhere and a number somewhere.
In this first example, the password must be at least 8 characters long and start and end with a letter.
^[A-Za-z]\w{6,}[A-Za-z]$
The ^ looks for something at the start of the string. The brackets indicate the valid character set. So it must
start with an upper or lower case letter. After that, the \w means there can be valid alphanumeric characters
(numbers 0-9, upper/lower case letters a-z, the underscore) and says there must be at least 6 (but no upper
limit). Then comes another set and the $ looks for something at the end of the string. So this statement says
there must be a letter, then at least 6 of any alphanumeric characters, then a letter (making 8 the minimum
number of characters).
In this second example, the password length doesnt matter, but the password must contain at least 1 number,
at least 1 lower case letter, and at least 1 upper case letter.
^\w*(?=\w*\d)(?=\w*[a-z])(?=\w*[A-Z])\w*$
Again, the ^ and $ are looking for things at the start and end. The \w* combination is used at both the start
and the end. \w means any alphanumeric character, and * means zero or more. Youll see why its zero or
more in a bit. Between are groupings in parentheses. The (? combination is a flag in regular expressions.
Basically, they say apply the following formula, but dont consume any of the string. In this example,
instead of specifying the order that things should appear, its saying that it must appear but were not worried
about the order.
The first grouping (called an atom in regular expresion speak) uses the = sign. This means that there must
be a match. Other choices are ! for a negative match (the string must not look like this). There are others
(more complicated) for preceeding matches and stuff. We can refer you to a regular expression syntax web
site for further details.
25-Feb-12 11:32 AM
2 of 10
After the = sign comes \w*\d. Again, any alphanumeric character can happen zero or more times, then any
digit (\d means any digit from 0 to 9) can happen. So this checks to see if there is at least one number in the
string. But since the string isnt comsumed, that one digit can appear anywhere in the string.
The next atom (grouping) is (?=\w*[a-z]). This is similar to the digit grouping, except it looks for a lower case
letter. Again, the lower case letter can appear anywhere, but there has to be at least one.
The third atom is (?=\w*[A-Z]) which looks for an upper case letter somewhere in the string.
At the end is zero or more alphanumeric characters. To match this string, the minimum characters needed is 3
(one upper case letter, one lower case letter, and one number).
In this third example:
Must be at least 10 characters
Must contain at least one one lower case letter, one upper case letter, one digit and one special
character
Valid special characters are - @#$%^&+=
^.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$
As you can see in the regex, the list of special characters is configurable.
Reference:
Breaking Par Consulting
Anil Johns Blog
A DV E RT IS E M E N T
Rate this:
Like this:
26 Votes
5 bloggers like this post.
This entry was posted on Tuesday, June 26th, 2007 at 8:08 am and is filed under .NET, General, HTML/DHTML/CSS. You can
follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
25-Feb-12 11:32 AM
3 of 10
Post navigation
Previous Post Next Post
18 Responses to Password Validation via Regular Expression

1.
Literacy_Hooligan says:
November 9, 2007 at 7:44 am
Actually the third example lets through a HEX expression %00 (null), which in ASCII code means
end of file. Many viruses operate on %00 and many hackers also use it to bypass the password
system.
I havent found a way to change it but im working on it and i will post it here soon.
3
0
Reply
2.
Rate This
fokeerbux says:
February 24, 2008 at 1:38 am
hi im doing my project on security
if u can help in this one:
be between 8 and 12 characters long
contain at least three of the following:
one lower case letter (a, b, c etc)
one upper case letter (A, B, C etc)
one numeral (1,2,3 etc)
one of the following characters: ! # $ @
11
Reply
3.
Rate This
David Rogers says:

March 5, 2008 at 6:18 am
Very nice discussion of regular expression operators used for password validation!
2
2
Reply
4.
Rate This
Sosys says:
May 11, 2008 at 7:22 am
how to get at least one letter and one number and must only letter(s) and numbers?
0
4
Reply
5.
Rate This
John Smith says:

May 13, 2008 at 1:50 am
25-Feb-12 11:32 AM
4 of 10
Very useful information. I was looking for something like this on the web and Im glad I found this post.
Thanks a lot.
0
1
Reply
6.
Rate This
Robert says:
May 13, 2008 at 4:19 pm
Not sure what the problem is. This regex does NOT allow spcial characters of & + =
could be a problem with the .Net framework
^.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$
are you aware?
3
0
Reply
7.
Rate This
Jared says:
September 3, 2008 at 12:06 pm
I used the third example in C# for password validation, and find that it allows the user to enter in spaces
as characters for the password. How can I edit the regular expression to not allow spaces?
Using this regex:
^.*(?=.{10,32})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%*^&(){}]).*$
5
3
Reply
8.
Rate This
Vivek Shastri says:

Password Requirement :
Password should be at least eight (8) characters in length where the system can support it.
Passwords must include characters from at least two (2) of these groupings: alpha, numeric, and special
characters.
^.*(?=.{8,})(?=.*\d)(?=.*[a-zA-Z])|(?=.{8,})(?=.*\d)(?=.*[!@#$%^&])|(?=.{8,})(?=.*[a-zA-Z])
(?=.*[!@#$%^&]).*$
I tested it and it works with Struts validation fine.
8
1
Reply
9.
Rate This
Hardik says:
April 11, 2009 at 7:11 am
superb !
25-Feb-12 11:32 AM
5 of 10
Thnks
3
0
Reply
10.
Rate This
How to Get Six Pack Fast says:

April 15, 2009 at 3:39 pm
This topic is quite hot in the net at the moment. What do you pay attention to when choosing what to
write about?
0
5
Reply
11.
Rate This
Ion Drimba says:

July 11, 2009 at 9:41 pm
Hi Nilang,
My name is Ion Drimba and Im a flash developer from Brazil.
I m wondering if its possible to built a regular expression for this scenario:
min 1 number max 8 and
min 1 alphanumeric max 2.
The order doesnt matter.
It is possible or am I trying to do something that regular expression doesnt support?
Thanks Ion Drimba
2
2
Reply
12.
Rate This
Alps says:
July 29, 2009 at 4:44 am
easy to understand !
thnx
1
1
Reply
13.
Rate This
mohammed rehan rizvi says:

July 30, 2009 at 5:35 am
Pretty useful. Nice and easy
0
1
Reply
14.
Rate This
pam says:
August 6, 2009 at 3:59 pm
25-Feb-12 11:32 AM
6 of 10
Very useful ! Thanks

0
1
Reply
15.
Rate This
Fozzy says:
Im doing this on PHP 5 and it appears that the starting .* in expression three is redundant and can be
eliminated (at least, I did and it works fine).
^(?=.{10,32})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%*^&(){}]).*$
Analyzing this, you basically can pull the atoms out and you can see this
^.*$
Which reads accept any number of characters.
Putting the atoms back states that the string must meet the atom criteria. For example, if we just
wanted to limit the size we use the size atom.
^(?=.{10,32}).*$
Accept between 10 and 32 characters of any type.
If you wanted to make sure it also had at least 1 digit:
^(?=.{10,32})(?=.*\d).*$
Accept between 10 and 32 characters and must have any number of digits.
Now, we simply dont care how many digits they use. If you only wanted them to use a specific number
of digits, youd have to change the (.*) portion of the digit atom. As an example, lets limit it to
between 2 and 4 digits:
^(?=.{10,32})(?=\d{2,4}).*$
In this case, we can keep building up what your password Regex criteria is.
If you wanted to allow the user to pick 2 or 3 of the 4 criteria such as:
Your password must contain at least 3 of the following criteria: Upper-case, Lower-case, Number, and
special character
You need to use the or (|) and build up all the possible combination. Allowing any 3 of the 4 criteria
would create:
^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).*$
|
^(?=.*\d)(?=.*[a-z])(?=.*[@#$%^&+=]).*$
|
^(?=.*\d)(?=.*[A-Z])(?=.*[@#$%^&+=]).*$
25-Feb-12 11:32 AM
7 of 10
|
^(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$
(Theres no limit to size, but clearly the password has to be at least 3 characters long since it has to
have at least 3 unique characters in the string)
Another issue you might see is that it allows ANY character (Nulls, Newlines, etc) in the string as long
as AT LEAST the criteria characters at met.
Meaning, you can have:
aB3{space}{newline}{etc..}
and it will still be accepted. To limit what characters you string can contain to be only the characters
listed in your criteria (alpha-numeric and the listed special characters) you have to edit the (.*) to be
the list of characters you want to accept such as ([a-zA-Z0-9@#$%^+=]*).
Taking the atoms out, you will have a base Regex like this:
^[a-zA-Z0-9@#$%^+=]*$
Simply add in the Atoms you want for criteria back in. Heres what I use:
Require 3 of 4 criteria of: upper-case, lower-case, number, or the following special characters
(@#$%^+=). No other characters are allowed.
^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[a-zA-Z0-9@#$%^&+=]*$
|
^(?=.*\d)(?=.*[a-z])(?=.*[@#$%^&+=])[a-zA-Z0-9@#$%^&+=]*$
|
^(?=.*\d)(?=.*[A-Z])(?=.*[@#$%^&+=])[a-zA-Z0-9@#$%^&+=]*$
|
^(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=])[a-zA-Z0-9@#$%^&+=]*$
Add/remove special characters or atoms as you need.
5
0
Reply
16.
Rate This
Shallu tagra says:

October 7, 2009 at 5:45 am
All expressions work well with Java reqular expression library and however these do not seem to be
working with Apache library . Trying to use the below and gives me an error Syntax error: Missing
operand to closure
Expression used:
^.*(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&]).*$
1
0
Reply
Rate This
Shallu tagra says:
25-Feb-12 11:32 AM
8 of 10
October 7, 2009 at 6:13 am

All expressions work well with Java reqular expression library and however these do not seem to
be working with Apache library . Trying to use the below and gives me an error Syntax error:
Missing operand to closure
Expression used:
^.*(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&]).*$
Having looked at it again seems like Apache doesnt accept characters like ? , not sure what
could be the replacement for the same and if there is none then the expression would be difficult
to be written and understood by anyone at later stage as to check for 4 conditions in expression
upper alpha , lower alpha , numeric and special characters string of expression will become too
lengthy.
1
0
Reply
17.
Rate This
dan says:
November 26, 2009 at 8:43 am
I think a found a little flaw in the last regex. This regex allows to put !any! character at the end of the
string, regardless of what you defined as valid characters.
Test it against 0123456789aA+* and you will see.
I also think the leading .* can be dismissed since it present in all positive lookaheads. The last .* is the
source of the flaw since it allows any character to follow the valid characters.
1
2
Reply
Rate This
Leave a Reply
25-Feb-12 11:32 AM
9 of 10
Notify me of follow-up comments via email.
Post Comment
Top Posts
Password Validation via Regular Expression
The underlying connection was closed: Unable to connect to the remote server.
Successfully Stream a PDF to browser through HTTPS
Object Array to DataSet
Time Vaidation via Regular Expression
Recent Posts
Windows Communication Foundation 65 Links to make you an expert
Windows SharePoint Services 3.0 Tools: Visual Studio 2005 Extensions V 1.1
Collection of Sharepoint Videos and Screencasts
Collection of WCF (Indigo) links and material
.NET Framework 3.0 Introduction and Useful Resources
Pages
About Me
Disclaimer
Archives
March 2008 (3)
July 2007 (3)
June 2007 (8)
May 2007 (4)
March 2007 (1)
February 2007 (2)
Blogroll
Chirag Darji
Search
Theme: Contempt by Vault9.
Blog at WordPress.com.
25-Feb-12 11:32 AM
10 of 10
25-Feb-12 11:32 AM

Password Validation Via Regular Expression Nilang Shah

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Password Validation Via Regular Expression Nilang Shah

Transféré par

Droits d'auteur :

Formats disponibles

Password Validation via Regular Expression Nilang Shah