Reg expression for password complexity requirements

shimshim

Hello,

I need help in finding reg expression for password complexity
requirements.
The requirements are:

· No dictionary words;
· At least 1 character must be alphabetical and at least 1 character
must be a digit or a non-alphanumeric character;
· At least 6 characters must occur only once in a password;
· Passwords cannot contain any string that is also contained in the
username;
· Passwords cannot contain any common strings such as a sequential
series of letters (abcd) or a sequential series of numbers (1234) or
pattern of numbers (2468).

Thanks :)
 
Evertjan.

Daniel wrote on 27 May 2009 in comp.lang.javascript:
> Are you sure this is something you want to do on the client side
> (javascript)? Isn't this a candidate for the server side checking?

Even as I use VBscript as the main serverside language,
this is a good example where a serverside javascript function
is my favorite.
 
shimshim

> Are you sure this is something you want to do on the client side
> (javascript)? Isn't this a candidate for the server side checking?


I guess "No dictionary words" doesn't need to be in client side but I
was wondering about last three requirements.

Thanks a lot.
 
Thomas 'PointedEars' Lahn

> I guess "No dictionary words" doesn't need to be in client side but I
> was wondering about last three requirements.

STFW, RTFM:

<http://www.google.com/search?q=javascript+regexp&filter=0>
(ignore the w3schools.com hit)

<https://developer.mozilla.org/En/Core_JavaScript_1.5_Guide/Regular_Expressions>
(Interestingly enough, there is a bit of a duplicate of the Reference:

> Thanks a lot.

You're welcome. Please take heed of <http://jibbering.com/faq/#posting> pp.
next time.


PointedEars
 
Dr J R Stockton

In comp.lang.javascript message <7d6d7115-5311-4c3f-a0d2-ae3b96ca77b7@x6g2000vbg.googlegroups.com>,
Wed, 27 May 2009 07:53:38, (e-mail address removed) posted:
> I need help in finding reg expression for password complexity
> requirements.

Sounds like a specification written by a person of limited intellect.

> The requirements are:
>
> · No dictionary words;

Which dictionary? A pocket one? The Full Oxford English Dictionary? A
foreign dictionary?

> · At least 1 character must be alphabetical and at least 1 character
> must be a digit or a non-alphanumeric character;

Which characters constitute the alphabet? Most dictionaries contain
letters outside the set A to Z. Some languages do not include all of
those letters.

How large is the possible character set? That influences how coding
should be done. Sholes began with 35; JavaScript String.charAt can give
65536 different results, IIRC.

> · At least 6 characters must occur only once in a password;
> · Passwords cannot contain any string that is also contained in the
> username;

That means that no characters can match, since a string can be one
character long.

> · Passwords cannot contain any common strings such as a sequential
> series of letters (abcd) or a sequential series of numbers (1234) or
> pattern of numbers (2468).

How about LNER, 4468, 126, A4, 462, 19380703; 26536, 18285; 20871? All
are well-known, to some. How about 112263? How about SPQR? How about
285714? Your criterion is far too ill-defined. And who would have
considered "Obama" to be a well-known string a decade ago?



Those of your requirements that are implementable are easily done
without using RegExps; for none of those do RegExps seem particularly
useful.
 
John G Harris

> Hello,
>
> I need help in finding reg expression for password complexity
> requirements.
> The requirements are:
>
> · No dictionary words;
> · At least 1 character must be alphabetical and at least 1 character
> must be a digit or a non-alphanumeric character;
> · At least 6 characters must occur only once in a password;
> · Passwords cannot contain any string that is also contained in the
> username;
> · Passwords cannot contain any common strings such as a sequential
> series of letters (abcd) or a sequential series of numbers (1234) or
> pattern of numbers (2468).

Should it accept

alpha beta gamma wonkity

If not, why not?

John
 
Lasse Reichstein Nielsen

> Hello,
>
> I need help in finding reg expression for password complexity
> requirements.

Why must it be a regular expression? Why not use the perfectly good
programming language you have to implement the algorithm you need
instead of restricting yourself to a small, computationally bounded,
subset?

> The requirements are:
>
> · No dictionary words;

So you need a list of all dictionary words. Test against that first.

> · At least 1 character must be alphabetical and at least 1 character
> must be a digit or a non-alphanumeric character;

/[a-z]/i.test(input) && /[^a-z]/i.test(input)

> · At least 6 characters must occur only once in a password;

Interesting. I would never do that with regexps.

> · Passwords cannot contain any string that is also contained in the
> username;

What is a "string contained in the username"? Any letter in the
username is a one-character string. The empty string is also contained
in the username. This should be clarified.

> · Passwords cannot contain any common strings such as a sequential
> series of letters (abcd) or a sequential series of numbers (1234) or
> pattern of numbers (2468).

Again this has to be specified more precisely. Is 4816 a sequential
series? Is 4896? You can't make a test until the requirement is
specified precisely enough that you can say for any string whether
it matches it or not. Examples are not enough.

In summary: There is no way you will ever get something this complex
into a single regexp. And you shouldn't even if you find a way.

/L
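
Added example, not part of the original thread: the requirements that the replies from Lasse Reichstein Nielsen and Dr J R Stockton treat as implementable, written as ordinary JavaScript functions instead of a single regexp. The thresholds `MIN_SHARED` and `RUN_LEN`, and the constant-step definition of a "sequence", are assumptions that fill the gaps the replies point out; the dictionary rule is left out because it needs a word list.

```javascript
// Added example. MIN_SHARED and RUN_LEN are assumptions; the spec defines neither.
const MIN_SHARED = 3; // shortest username fragment that counts as "contained"
const RUN_LEN = 4;    // shortest constant-step run treated as a "common string"

// At least one letter and one non-letter (ASCII a-z only, as in the thread).
function hasLetterAndNonLetter(pw) {
  return /[a-z]/i.test(pw) && /[^a-z]/i.test(pw);
}

// Number of distinct characters that occur exactly once in the password.
function singleOccurrenceCount(pw) {
  const counts = new Map();
  for (const ch of pw) counts.set(ch, (counts.get(ch) || 0) + 1);
  return [...counts.values()].filter((c) => c === 1).length;
}

// True if the password contains any username substring of MIN_SHARED characters.
function sharesSubstring(pw, username) {
  const p = pw.toLowerCase(), u = username.toLowerCase();
  for (let i = 0; i + MIN_SHARED <= u.length; i++)
    if (p.includes(u.slice(i, i + MIN_SHARED))) return true;
  return false;
}

// True for RUN_LEN+ letters or digits with a constant non-zero step (abcd, 2468, 4321).
function hasConstantStepRun(pw) {
  const kind = (ch) => (/[a-z]/.test(ch) ? "a" : /[0-9]/.test(ch) ? "d" : "");
  const s = pw.toLowerCase();
  let run = 1, step = 0;
  for (let i = 1; i < s.length; i++) {
    const same = kind(s[i]) !== "" && kind(s[i]) === kind(s[i - 1]);
    const d = s.charCodeAt(i) - s.charCodeAt(i - 1);
    if (same && d !== 0 && d === step) run++;
    else if (same && d !== 0) { run = 2; step = d; }
    else { run = 1; step = 0; }
    if (run >= RUN_LEN) return true;
  }
  return false;
}

// Returns the list of failed rules; an empty list means the password passes.
function checkPassword(pw, username) {
  const failures = [];
  if (!hasLetterAndNonLetter(pw)) failures.push("letter-and-non-letter");
  if (singleOccurrenceCount(pw) < 6) failures.push("unique-chars");
  if (sharesSubstring(pw, username)) failures.push("username-fragment");
  if (hasConstantStepRun(pw)) failures.push("sequence");
  return failures;
}
```

Under these assumed definitions 4816 and 4896 are not sequences, which is one possible answer to the question raised in the post above; a different definition changes only `hasConstantStepRun`.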
 
Matthias Reuter

> I need help in finding reg expression for password complexity
> requirements.
> The requirements are:
>
> · No dictionary words;
> · At least 1 character must be alphabetical and at least 1 character
> must be a digit or a non-alphanumeric character;
> · At least 6 characters must occur only once in a password;
> · Passwords cannot contain any string that is also contained in the
> username;
> · Passwords cannot contain any common strings such as a sequential
> series of letters (abcd) or a sequential series of numbers (1234) or
> pattern of numbers (2468).

Maybe you don't need these tests at all. Read this analysis of password
strength, which comes to the conclusion, that "this is fun" is more secure
than "J4fs<2":

http://www.baekdal.com/articles/Usability/password-security-usability/

Matt
 
