Regex for default AD policy?

Discussion in 'ASP .Net Security' started by Michael D'Angelo, Jul 24, 2006.

  1. I'm not too familiar with writing regexes. Does anyone have a regex handy
    that mirrors the default complexity requirements for AD? I know there are a
    few additional reasons a password change could fail, but I'm hoping to at
    least save the trouble of trying to change the password for some of the
    time. (This is for an ASP.NET site using a modified AD MembershipProvider).

    The requirements MS describes are:
    The password contains characters from at least three of the following five
    categories:
    . English uppercase characters (A - Z)

    . English lowercase characters (a - z)

    . Base 10 digits (0 - 9)

    . Non-alphanumeric (For example: !, $, #, or %)

    . Unicode characters



    I could probably write a regex to require any particular one, but I don't
    know how to do the "at least three of the following five categories"
    Michael D'Angelo, Jul 24, 2006
    #1

  2. Well I came up with the following which seems to do it (minus unicode
    characters.) I'm not too happy with it given I had to account for all 24
    different possible 3-way combinations of the 4 categories.

    ..*(([a-z]+)([A-Z]+)([0-9]+)|([a-z]+)([0-9]+)([A-Z]+)|([a-z]+)([A-Z]+)([^A-Za-z0-9]+)|([a-z]+)([^A-Za-z0-9]+)([A-Z]+)|([a-z]+)([0-9]+)([^A-Za-z0-9]+)|([a-z]+)([^A-Za-z0-9]+)([0-9]+)|([A-Z]+)([a-z]+)([0-9]+)|([A-Z]+)([0-9]+)([a-z]+)|([A-Z]+)([a-z]+)([^A-Za-z0-9]+)|([A-Z]+)([^A-Za-z0-9]+)([a-z]+)|([A-Z]+)([0-9]+)([^A-Za-z0-9]+)|([A-Z]+)([^A-Za-z0-9]+)([0-9]+)|([0-9]+)([A-Z]+)([a-z]+)|([0-9]+)([a-z]+)([A-Z]+)|([0-9]+)([A-Z]+)([^A-Za-z0-9]+)|([0-9]+)([^A-Za-z0-9]+)([A-Z]+)|([0-9]+)([a-z]+)([^A-Za-z0-9]+)|([0-9]+)([^A-Za-z0-9]+)([a-z]+)|([^A-Za-z0-9]+)([A-Z]+)([0-9]+)|([^A-Za-z0-9]+)([0-9]+)([A-Z]+)|([^A-Za-z0-9]+)([a-z]+)([A-Z]+)|([^A-Za-z0-9]+)([A-Z]+)([a-z]+)|([^A-Za-z0-9]+)([0-9]+)([a-z]+)|([^A-Za-z0-9]+)([a-z]+)([0-9]+)).*

    Only thing missing is requiring a minimum length, but I don't see how one
    could do that after matching.

    "Michael D'Angelo" <> wrote in message
    news:...
    > I'm not too familiar with writing regexes. Does anyone have a regex handy
    > that mirrors the default complexity requirements for AD. I know there are
    > a few additional reasons a password change could fail, but I'm hoping to
    > at least save the trouble of trying to change the password for some of the
    > time. (This is for an ASP.NET site using a modified AD
    > MembershipProvider).
    >
    > The requirements MS describes are:
    > The password contains characters from at least three of the following five
    > categories:
    > . English uppercase characters (A - Z)
    >
    > . English lowercase characters (a - z)
    >
    > . Base 10 digits (0 - 9)
    >
    > . Non-alphanumeric (For example: !, $, #, or %)
    >
    > . Unicode characters
    >
    >
    >
    > I could probably write a regex to require any particular one, but I don't
    > know how to do the "at least three of the following five categories"
    >
    Michael D'Angelo, Jul 27, 2006
    #2
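A quick way to see where the permutation pattern above misfires, as an added example that is not part of this thread: the JavaScript below copies the post's regex verbatim and runs it over a few constructed passwords. The names PERMUTATION_3_OF_4, categoryTrace, evaluate and SAMPLES are chosen here for illustration.

```javascript
// Added example, not code from the thread. Runs under Node.js or in a browser.
// Post #2's pattern, copied verbatim: three consecutive runs of distinct
// categories, in any of the 24 orders, preceded by at least one character (`..*`).
const PERMUTATION_3_OF_4 = /..*(([a-z]+)([A-Z]+)([0-9]+)|([a-z]+)([0-9]+)([A-Z]+)|([a-z]+)([A-Z]+)([^A-Za-z0-9]+)|([a-z]+)([^A-Za-z0-9]+)([A-Z]+)|([a-z]+)([0-9]+)([^A-Za-z0-9]+)|([a-z]+)([^A-Za-z0-9]+)([0-9]+)|([A-Z]+)([a-z]+)([0-9]+)|([A-Z]+)([0-9]+)([a-z]+)|([A-Z]+)([a-z]+)([^A-Za-z0-9]+)|([A-Z]+)([^A-Za-z0-9]+)([a-z]+)|([A-Z]+)([0-9]+)([^A-Za-z0-9]+)|([A-Z]+)([^A-Za-z0-9]+)([0-9]+)|([0-9]+)([A-Z]+)([a-z]+)|([0-9]+)([a-z]+)([A-Z]+)|([0-9]+)([A-Z]+)([^A-Za-z0-9]+)|([0-9]+)([^A-Za-z0-9]+)([A-Z]+)|([0-9]+)([a-z]+)([^A-Za-z0-9]+)|([0-9]+)([^A-Za-z0-9]+)([a-z]+)|([^A-Za-z0-9]+)([A-Z]+)([0-9]+)|([^A-Za-z0-9]+)([0-9]+)([A-Z]+)|([^A-Za-z0-9]+)([a-z]+)([A-Z]+)|([^A-Za-z0-9]+)([A-Z]+)([a-z]+)|([^A-Za-z0-9]+)([0-9]+)([a-z]+)|([^A-Za-z0-9]+)([a-z]+)([0-9]+)).*/;

// Category of each character as one letter (u = upper, l = lower, d = digit,
// s = anything else), so the run structure the pattern depends on is visible.
function categoryTrace(pw) {
  return [...pw].map(ch =>
    /[A-Z]/.test(ch) ? 'u' :
    /[a-z]/.test(ch) ? 'l' :
    /[0-9]/.test(ch) ? 'd' : 's').join('');
}

// Constructed sample passwords (not from the thread).
const SAMPLES = [
  'Passw0rd',   // upper, lower, digit present, but the u,l,d runs start at index 0
  'xPassw0rd',  // same password with one character in front
  'Ab1xyzab',   // runs u,l,d,l: after the leading character only l,d,l remain
  'aB1xyzab',   // runs l,u,d,l: u,d,l follow the leading character
  'Passw0rd!',  // runs d,l,s at the end satisfy one alternative
];

// Returns one row per sample: the password, its category trace, and the verdict.
function evaluate(samples = SAMPLES) {
  return samples.map(pw => ({
    pw,
    trace: categoryTrace(pw),
    accepted: PERMUTATION_3_OF_4.test(pw),
  }));
}

for (const r of evaluate()) {
  console.log(`${r.pw.padEnd(10)} ${r.trace.padEnd(10)} ${r.accepted}`);
}
```

Two defects show up: the three category runs must be adjacent to each other, and the leading `..*` demands a character before them, so Passw0rd (upper, lower and digit characters, three categories) is rejected while xPassw0rd is accepted.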

  3. Here is a much more reasonable one. Found a sample which helped. Matches
    each of the 4 possible combinations (instead of 24 permutations) of 3 out of
    the 4 categories.

    ^(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{8,}$
    Michael D'Angelo, Jul 28, 2006
    #3
  4. "Michael D'Angelo" <> wrote in message
    news:OS$...
    > Here is a much more reasonable one. Found a sample which helped. Matches
    > each of the 4 possible combinations (instead of 24 permutations) of 3 out
    > of the 4 categories.
    >
    > ^(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{8,}$
    >
    >


    Hmmm, this seems to work with the .net regular expressions, but does not
    work with the ones built into IE.
    Michael D'Angelo, Jul 28, 2006
    #4
  5. The JavaScript regex implementation probably doesn't support positive
    lookahead (?=). That's just a guess. The .NET Regex system is very
    powerful by comparison and supports a lot of advanced features such as
    lookahead and lookbehind and atomic grouping.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Michael D'Angelo" <> wrote in message
    news:O54$...
    >
    > "Michael D'Angelo" <> wrote in message
    > news:OS$...
    >> Here is a much more reasonable one. Found a sample which helped.
    >> Matches each of the 4 possible combinations (instead of 24 permutations)
    >> of 3 out of the 4 categories.
    >>
    >> ^(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{8,}$
    >>
    >>

    >
    > Hmmm, this seems to work with the .net regular expressions, but does not
    > work with the ones built into IE.
    >
    Joe Kaplan (MVP - ADSI), Jul 28, 2006
    #5
  6. After additional searching, turns out that although it does support
    lookahead, it doesn't quite work the way it should:
    http://regexadvice.com/blogs/mash/archive/2004/10/05/320.aspx

    After some more searching I came across this pattern which does the job:
    http://www.regexlib.com/REDetails.aspx?regexp_id=887

    The only change compared with mine is changing .{8,} at the end to .*, and
    adding another lookahead to enforce the length. A clever workaround for the
    bug!

    Hopefully this saves someone else from the hair-pulling I went through :)

    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:%...
    > The javascript regex implementation probably doesn't support positive
    > lookahead (?=). That's just a guess. The .NET Regex system is very
    > powerful by comparison and supports a lot of advanced features such as
    > look ahead and look behind and atomic grouping.
    >
    > Joe K.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services
    > Programming"
    > http://www.directoryprogramming.net
    > --
    > "Michael D'Angelo" <> wrote in message
    > news:O54$...
    >>
    >> "Michael D'Angelo" <> wrote in message
    >> news:OS$...
    >>> Here is a much more reasonable one. Found a sample which helped.
    >>> Matches each of the 4 possible combinations (instead of 24 permutations)
    >>> of 3 out of the 4 categories.
    >>>
    >>> ^(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{8,}$
    >>>
    >>>

    >>
    >> Hmmm, this seems to work with the .net regular expressions, but does not
    >> work with the ones built into IE.
    >>

    >
    >
    Michael D'Angelo, Jul 28, 2006
    #6
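The lookahead forms from posts #3 and #6 side by side with a simpler count-the-categories check, as an added example that is not code from this thread or from the regexlib entry linked above. The first regex is post #3's pattern verbatim; the second is a reconstruction of the change post #6 describes (the trailing .{8,} replaced by .*, with the length carried by an extra (?=.{8,}) lookahead), not the regexlib pattern itself. The counting function also covers the fifth category, treating any non-ASCII character as "Unicode", which is a simplification chosen for this example; LOOKAHEAD_3_OF_4, LENGTH_LOOKAHEAD_3_OF_4, CATEGORIES, categoriesPresent, meetsAdComplexity, compare and the sample passwords are all constructed here.

```javascript
// Added example, not code from the thread. Runs under Node.js or in a browser.

// Post #3's pattern, verbatim: one alternative per 3-of-4 combination,
// each lookahead asserts one category, and .{8,} enforces the length.
const LOOKAHEAD_3_OF_4 = /^(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{8,}$/;

// Reconstruction (an assumption, not the regexlib pattern itself) of the change
// post #6 describes: .{8,} becomes .* and a (?=.{8,}) lookahead carries the length.
const LENGTH_LOOKAHEAD_3_OF_4 = /^(?=.{8,})(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).*$|^(?=.{8,})(?=.*[a-z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).*$|^(?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).*$|^(?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).*$/;

// One test per category. Counting hits needs no enumeration of combinations and
// extends to the fifth category the regexes drop. Treating every non-ASCII
// character as "Unicode" is a simplification made for this example.
const CATEGORIES = [
  { name: 'upper',   re: /[A-Z]/ },
  { name: 'lower',   re: /[a-z]/ },
  { name: 'digit',   re: /[0-9]/ },
  { name: 'special', re: /[^A-Za-z0-9\u0080-\uFFFF]/ }, // ASCII punctuation, space, ...
  { name: 'unicode', re: /[\u0080-\uFFFF]/ },
];

// Names of the categories a password contains, in CATEGORIES order.
function categoriesPresent(pw) {
  return CATEGORIES.filter(c => c.re.test(pw)).map(c => c.name);
}

// 3-of-5 rule plus the thread's minimum length of 8.
function meetsAdComplexity(pw, minLength = 8) {
  return pw.length >= minLength && categoriesPresent(pw).length >= 3;
}

// Constructed sample passwords (not from the thread).
const SAMPLES = [
  'Passw0rd',    // upper, lower, digit: all three checks accept
  'password',    // one category: all reject
  'P@ss1',       // four categories but too short: all reject
  'passwörd!',   // lower, special, Unicode: count accepts, regexes reject
  'PASSWÖRD1',   // upper, digit, Unicode: all accept (Ö lands in [^A-Za-z0-9])
];

// One row per sample with the verdict of each check and the categories found.
function compare(samples = SAMPLES) {
  return samples.map(pw => ({
    pw,
    regex: LOOKAHEAD_3_OF_4.test(pw),
    lengthLookahead: LENGTH_LOOKAHEAD_3_OF_4.test(pw),
    counted: meetsAdComplexity(pw),
    categories: categoriesPresent(pw),
  }));
}

for (const r of compare()) {
  console.log(`${r.pw.padEnd(10)} regex=${r.regex} lengthLookahead=${r.lengthLookahead} counted=${r.counted} [${r.categories.join(', ')}]`);
}
```

The two regexes agree on every sample; the count differs only on passwörd!, which passes the 5-category rule (lower, special, Unicode) but no regex alternative, because the regexes fold non-ASCII characters into the non-alphanumeric class and so see only two categories. Any of these checks only filters obvious rejections on the client; the domain controller still decides, since it also applies the other reasons for failure the original post mentions, which no regex can see.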