Password Validation via Regular Expression

I have recently been working on password validation via regular expressions; after a lot of research I came across some very good articles, so I recapitulate them here.

When it comes to password validation using regular expressions, things can get a bit complicated. Normally, you want people to enter a “good” password that has a mix of numbers and letters. But you may not care where the numbers and letters appear. So you’re not looking for a “pattern” in the string. You just want a letter somewhere and a number somewhere.

In this first example, the password must be at least 8 characters long and start and end with a letter.

^[A-Za-z]\w{6,}[A-Za-z]$

The ^ looks for something at the start of the string. The brackets indicate the valid character set. So it must start with an upper or lower case letter. After that, the \w means there can be valid alphanumeric characters (numbers 0-9, upper/lower case letters a-z, the underscore) and says there must be at least 6 (but no upper limit). Then comes another set and the $ looks for something at the end of the string. So this statement says there must be a letter, then at least 6 of any alphanumeric characters, then a letter (making 8 the minimum number of characters).

In this second example, the password length doesn’t matter, but the password must contain at least 1 number, at least 1 lower case letter, and at least 1 upper case letter.

^\w*(?=\w*\d)(?=\w*[a-z])(?=\w*[A-Z])\w*$

Again, the ^ and $ are looking for things at the start and end. The “\w*” combination is used at both the start and the end. \w means any alphanumeric character, and * means zero or more. You’ll see why it’s “zero or more” in a bit. Between are groupings in parentheses. The “(?=” combination is a lookahead in regular expressions. Basically, it says “apply the following formula, but don’t consume any of the string”. In this example, instead of specifying the order in which things should appear, it’s saying that each thing must appear, but we’re not worried about the order.

The first grouping (called an “atom” in “regular expression speak”) uses the = sign. This means that there must be a match (a positive lookahead). The other choice is ! for a negative match (the string must not look like this). There are others (more complicated) for preceding matches (lookbehinds) and so on; refer to a regular expression syntax web site for further details.

After the = sign comes “\w*\d”. Again, any alphanumeric character can happen zero or more times, then any digit (\d means any digit from 0 to 9) can happen. So this checks to see if there is at least one number in the string. But since the string isn’t consumed, that one digit can appear anywhere in the string.

The next atom (grouping) is (?=\w*[a-z]). This is similar to the digit grouping, except it looks for a lower case letter. Again, the lower case letter can appear anywhere, but there has to be at least one.

The third atom is (?=\w*[A-Z]) which looks for an upper case letter somewhere in the string.

At the end is zero or more alphanumeric characters. To match this string, the minimum characters needed is 3 (one upper case letter, one lower case letter, and one number).

In this third example:

  • Must be at least 10 characters
  • Must contain at least one lower case letter, one upper case letter, one digit and one special character
  • Valid special characters are: @#$%^&+=

^.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$

As you can see in the regex, the list of special characters is configurable.
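The three patterns above, run side by side in Python, as an added example that is not part of the original post. It also demonstrates the pitfall raised later in the comments: because the third pattern uses `.`, it accepts spaces (and any other character) as long as the four lookaheads are satisfied, so a hardened variant with an explicit allowed character class is included for comparison (that variant is my addition, not the post's). The patterns are compiled with `re.ASCII` so that `\w` and `\d` mean exactly what the post describes; without it, Python's `\w` also matches non-ASCII letters.

```python
import re

# The three patterns from the post, compiled with re.ASCII so that \w and \d
# mean ASCII letters, digits and underscore only, as the post describes.
STARTS_ENDS_WITH_LETTER = re.compile(r"^[A-Za-z]\w{6,}[A-Za-z]$", re.ASCII)
MIXED_CASE_AND_DIGIT = re.compile(
    r"^\w*(?=\w*\d)(?=\w*[a-z])(?=\w*[A-Z])\w*$", re.ASCII)
TEN_CHARS_WITH_SPECIAL = re.compile(
    r"^.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$", re.ASCII)

# Hardened variant of the third pattern (added here, not from the post): the
# lookaheads still assert "at least one of each", but the final character
# class replaces `.`, so spaces, control characters and anything outside the
# allowed set are rejected instead of silently accepted.
TEN_CHARS_RESTRICTED = re.compile(
    r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=])[A-Za-z\d@#$%^&+=]{10,}$",
    re.ASCII)


def matches(pattern: re.Pattern, candidate: str) -> bool:
    """True if the whole candidate satisfies the policy encoded in pattern.

    fullmatch is used rather than match/search so that a trailing newline
    cannot sneak past the `$` anchor.
    """
    return pattern.fullmatch(candidate) is not None


def policy_report(candidate: str) -> dict:
    """Evaluate one candidate against every policy, for side-by-side comparison."""
    return {
        "starts_ends_letter": matches(STARTS_ENDS_WITH_LETTER, candidate),
        "mixed_case_digit": matches(MIXED_CASE_AND_DIGIT, candidate),
        "ten_special": matches(TEN_CHARS_WITH_SPECIAL, candidate),
        "ten_special_restricted": matches(TEN_CHARS_RESTRICTED, candidate),
    }


if __name__ == "__main__":
    # Constructed sample passwords; the one containing a space shows that the
    # post's third pattern accepts it while the restricted variant does not.
    for pw in ["a123456b", "aB1", "Passw0rd@x", "Passw0rd @"]:
        print(repr(pw), policy_report(pw))
```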

Reference:
Breaking Par Consulting
Anil John’s Blog

9 Responses to “Password Validation via Regular Expression”

  1. Literacy_Hooligan Says:

    Actually the third example lets through a HEX expression %00 (null), which in ASCII code means “end of file”. Many viruses operate on %00 and many hackers also use it to bypass the password system.
    I haven’t found a way to change it but I’m working on it and I will post it here soon.

  2. fokeerbux Says:

    Hi, I’m doing my project on security.
    If you can help with this one:
    be between 8 and 12 characters long
    contain at least three of the following:
    one lower case letter (a, b, c etc)
    one upper case letter (A, B, C etc)
    one numeral (1,2,3 etc)
    one of the following characters: ! # £ $ @

  3. David Rogers Says:

    Very nice discussion of regular expression operators used for password validation!

  4. Sosys Says:

    how to get at least one letter and one number and must only letter(s) and numbers?

  5. John Smith Says:

    Very useful information. I was looking for something like this on the web and I’m glad I found this post. Thanks a lot.

  6. Robert Says:

    Not sure what the problem is. This regex does NOT allow special characters of & + =

    could be a problem with the .Net framework

    ^.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$

    are you aware?

  7. Jared Says:

    I used the third example in C# for password validation, and find that it allows the user to enter in spaces as characters for the password. How can I edit the regular expression to not allow spaces?

    Using this regex:
    ^.*(?=.{10,32})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%*^&(){}]).*$

  8. Hardik Says:

    Superb!
    Thanks

  9. How to Get Six Pack Fast Says:

    This topic is quite hot in the net at the moment. What do you pay attention to when choosing what to write about?
