Regex for default AD policy?

Michael D'Angelo

I'm not too familiar with writing regexes. Does anyone have a regex handy
that mirrors the default complexity requirements for AD? I know there are a
few additional reasons a password change could fail, but I'm hoping to at
least save the trouble of trying to change the password for some of the
time. (This is for an ASP.NET site using a modified AD MembershipProvider.)

The requirements MS describes are:
The password contains characters from at least three of the following five
categories:
- English uppercase characters (A - Z)
- English lowercase characters (a - z)
- Base 10 digits (0 - 9)
- Non-alphanumeric (for example: !, $, #, or %)
- Unicode characters

I could probably write a regex to require any particular one, but I don't
know how to do the "at least three of the following five categories".
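One way to express "at least three of the five categories" without a regex is to count which categories appear and compare the count with three. The following is an added example (not code from the thread or from the AD MembershipProvider); it models the fifth category, "Unicode characters", as any code point outside 7-bit ASCII, and the 8-character minimum is an assumed default, since AD's minimum-length policy is a separate setting from the complexity rule. It only mirrors the category rule, so a password that passes here can still be rejected by AD for the other reasons the question mentions.

```javascript
// Added example (not from the original thread): a category-counting check that
// mirrors the "at least three of five categories" rule without a regex.

const CATEGORY_TESTS = [
  { name: "upper",   test: (ch) => /[A-Z]/.test(ch) },
  { name: "lower",   test: (ch) => /[a-z]/.test(ch) },
  { name: "digit",   test: (ch) => /[0-9]/.test(ch) },
  // Non-alphanumeric ASCII: punctuation, symbols and space.
  { name: "symbol",  test: (ch) => ch.codePointAt(0) < 128 && /[^A-Za-z0-9]/.test(ch) },
  // "Unicode characters": assumed here to mean anything outside 7-bit ASCII.
  { name: "unicode", test: (ch) => ch.codePointAt(0) >= 128 },
];

// Returns the set of category names found in the password. Array.from splits
// on code points, so characters outside the BMP count as one character.
function categoriesPresent(password) {
  const found = new Set();
  for (const ch of Array.from(password)) {
    for (const cat of CATEGORY_TESTS) {
      if (cat.test(ch)) found.add(cat.name);
    }
  }
  return found;
}

// True when the password is at least minLength characters long and contains
// characters from at least three categories. minLength is an assumed default.
function meetsAdComplexity(password, minLength = 8) {
  if (Array.from(password).length < minLength) return false;
  return categoriesPresent(password).size >= 3;
}

// Constructed sample inputs: the result is the list of failing ones.
function failingSamples() {
  const samples = ["Passw0rd", "password1", "Pa$sword", "p\u00e4ssword1", "Ab1!"];
  return samples.filter((pw) => !meetsAdComplexity(pw));
}
```

The counting version is also the one to port to the server side (C# in the ASP.NET case): it reads as the policy text reads, so a reviewer can verify it against the Microsoft wording directly instead of decoding a regex.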

Michael D'Angelo

Well, I came up with the following, which seems to do it (minus Unicode
characters). I'm not too happy with it, given I had to account for all 24
different possible 3-way combinations of the 4 categories.

..*(([a-z]+)([A-Z]+)([0-9]+)|([a-z]+)([0-9]+)([A-Z]+)|([a-z]+)([A-Z]+)([^A-Za-z0-9]+)|([a-z]+)([^A-Za-z0-9]+)([A-Z]+)|([a-z]+)([0-9]+)([^A-Za-z0-9]+)|([a-z]+)([^A-Za-z0-9]+)([0-9]+)|([A-Z]+)([a-z]+)([0-9]+)|([A-Z]+)([0-9]+)([a-z]+)|([A-Z]+)([a-z]+)([^A-Za-z0-9]+)|([A-Z]+)([^A-Za-z0-9]+)([a-z]+)|([A-Z]+)([0-9]+)([^A-Za-z0-9]+)|([A-Z]+)([^A-Za-z0-9]+)([0-9]+)|([0-9]+)([A-Z]+)([a-z]+)|([0-9]+)([a-z]+)([A-Z]+)|([0-9]+)([A-Z]+)([^A-Za-z0-9]+)|([0-9]+)([^A-Za-z0-9]+)([A-Z]+)|([0-9]+)([a-z]+)([^A-Za-z0-9]+)|([0-9]+)([^A-Za-z0-9]+)([a-z]+)|([^A-Za-z0-9]+)([A-Z]+)([0-9]+)|([^A-Za-z0-9]+)([0-9]+)([A-Z]+)|([^A-Za-z0-9]+)([a-z]+)([A-Z]+)|([^A-Za-z0-9]+)([A-Z]+)([a-z]+)|([^A-Za-z0-9]+)([0-9]+)([a-z]+)|([^A-Za-z0-9]+)([a-z]+)([0-9]+)).*

Only thing missing is requiring a minimum length, but I don't see how one
could do that after matching.

Michael D'Angelo

Here is a much more reasonable one. Found a sample which helped. Matches
each of the 4 possible combinations (instead of 24 permutations) of 3 out of
the 4 categories.

^(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{8,}$

Michael D'Angelo

Michael D'Angelo said:
Here is a much more reasonable one. Found a sample which helped. Matches
each of the 4 possible combinations (instead of 24 permutations) of 3 out
of the 4 categories.

^(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{8,}$

Hmmm, this seems to work with the .NET regular expressions, but does not
work with the ones built into IE.

Joe Kaplan (MVP - ADSI)

The JavaScript regex implementation probably doesn't support positive
lookahead (?=). That's just a guess. The .NET Regex system is very
powerful by comparison and supports a lot of advanced features such as
lookahead and lookbehind and atomic grouping.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
Michael D'Angelo said:
Michael D'Angelo said:
Here is a much more reasonable one. Found a sample which helped.
Matches each of the 4 possible combinations (instead of 24 permutations)
of 3 out of the 4 categories.

^(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{8,}$

Hmmm, this seems to work with the .NET regular expressions, but does not
work with the ones built into IE.

Michael D'Angelo

After additional searching, turns out that although it does support
lookahead, it doesn't quite work the way it should:
http://regexadvice.com/blogs/mash/archive/2004/10/05/320.aspx

After some more searching I came across this pattern which does the job:
http://www.regexlib.com/REDetails.aspx?regexp_id=887

The only change compared with mine is changing .{8,} at the end to .*, and
adding another lookahead to enforce the length. A clever workaround for the
bug!

Hopefully this saves someone else from the hair-pulling I went through :)

Joe Kaplan (MVP - ADSI) said:
The JavaScript regex implementation probably doesn't support positive
lookahead (?=). That's just a guess. The .NET Regex system is very
powerful by comparison and supports a lot of advanced features such as
lookahead and lookbehind and atomic grouping.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
Michael D'Angelo said:
Michael D'Angelo said:
Here is a much more reasonable one. Found a sample which helped.
Matches each of the 4 possible combinations (instead of 24 permutations)
of 3 out of the 4 categories.

^(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{8,}$

Hmmm, this seems to work with the .NET regular expressions, but does not
work with the ones built into IE.
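The four-alternative lookahead regex above, and the final fix of moving the length check into its own lookahead, are both instances of one construction: enumerate the 3-element subsets of the category classes and emit `^(?=.{N,})(?=.*class)(?=.*class)(?=.*class).*$` for each. The following added example (not code from the thread, and not the regexlib pattern linked above, which is not reproduced here) builds that regex programmatically, so the thread's 4 alternatives fall out of passing only the 4 ASCII classes, and adding the fifth "Unicode characters" category (assumed here to be any non-ASCII UTF-16 code unit) gives the 10 alternatives the full policy needs. The 8-character minimum is an assumed default.

```javascript
// Added example, not from the thread: generates the "3 of N categories" regex
// with the minimum length enforced by a separate lookahead, as the last post
// describes, instead of a trailing .{8,}.

const CATEGORY_CLASSES = {
  upper: "[A-Z]",
  lower: "[a-z]",
  digit: "[0-9]",
  // Non-alphanumeric ASCII only; non-ASCII belongs to the "unicode" class.
  symbol: "[^A-Za-z0-9\\u0080-\\uFFFF]",
  // "Unicode characters", assumed here to mean any non-ASCII code unit.
  unicode: "[\\u0080-\\uFFFF]",
};

// All k-element subsets of items (choose k of n), preserving item order.
function combinations(items, k) {
  if (k === 0) return [[]];
  if (items.length < k) return [];
  const [head, ...rest] = items;
  const withHead = combinations(rest, k - 1).map((c) => [head, ...c]);
  return withHead.concat(combinations(rest, k));
}

// One anchored alternative per subset: a length lookahead, one lookahead per
// required class, then .* so the length is not re-checked at the tail.
function buildComplexityRegex(minLength = 8, required = 3, classes = CATEGORY_CLASSES) {
  const names = Object.keys(classes);
  const alternatives = combinations(names, required).map((combo) => {
    const lookaheads = combo.map((n) => `(?=.*${classes[n]})`).join("");
    return `^(?=.{${minLength},})${lookaheads}.*$`;
  });
  return new RegExp(alternatives.join("|"));
}

const AD_COMPLEXITY = buildComplexityRegex();

function complexityRegexSource() {
  return AD_COMPLEXITY.source;
}

function passesComplexity(password) {
  return AD_COMPLEXITY.test(password);
}

// Number of alternatives when only the thread's 4 ASCII classes are used.
function asciiOnlyAlternativeCount() {
  const { upper, lower, digit, symbol } = CATEGORY_CLASSES;
  return buildComplexityRegex(8, 3, { upper, lower, digit, symbol: "[^A-Za-z0-9]" })
    .source.split("|").length;
}
```

Generating the pattern rather than hand-writing it keeps the alternatives consistent with one another (the 24-permutation version earlier in the thread shows how easy it is to drift otherwise), and the same generator serves both the client-side check and a server-side regex built from the same class table.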