0
votes

I am not able to combine the two regular expressions below. Password standard requirement:

  • Password cannot contain your username or parts of your full name exceeding two consecutive characters
  • Passwords must be at least 6 characters in length
  • Passwords must contain characters from three of the following categories
    • Uppercase characters (English A-Z)
    • Lowercase characters (English a-z)
    • Base 10 digits (0-9)
    • Non-alphabetic characters (e.g., !, @, #, $, %, etc.)

Expression:

passwordStrengthRegularExpression="((?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%]).{6,20})"

Passwords cannot contain the word “Test” or “test” or variants of the word

passwordStrengthRegularExpression="((?=.*\"^((?!Test|test|TEST).*)$"

Both are working fine individually.

2
Don't think your first regex is actually working fine if you want to meet the requirements in bullets above it. Clamps to 20 chars but doesn't say you have to. Requires all four of the categories but requirements say 3 of the 4. Doesn't check the username requirement at all. - rtpHarry

2 Answers

2
votes

Because your second regexp primarily uses a negative lookahead, you can remodel that slightly and stick it right at the beginning of the other expression. First, I'm going to change your second regex to:

"(?!.*(?:Test|test|TEST))"

In English, the string may not contain any number of (or zero) characters followed by test.

Then, I'm going to stick that right at the beginning of your other expression

passwordStrengthRegularExpression="^(?!.*(?:Test|test|TEST))(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%]).{6,20}$"

Finally, I'm going to show you how to make only one part of a regex case-insensitive. This may or may not be supported depending on what program this is actually for.

passwordStrengthRegularExpression="^(?!.*(?i:test))(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%]).{6,20}$"

See the (?i:...)? That means that the flags between the ? and the : are applied only to that part of the expression, that is, only that area is case-insensitive.

1
votes

Combining your requirements and https://stackoverflow.com/a/2860380/156388 I've come up with this:

(?=^[^\s]{6,}$)(?!.*(?i:test))((?=.*?\d)(?=.*?[A-Z])(?=.*?[a-z])|(?=.*?\d)(?=.*?[^\w\d\s])(?=.*?[a-z])|(?=.*?[^\w\d\s])(?=.*?[A-Z])(?=.*?[a-z])|(?=.*?\d)(?=.*?[A-Z])(?=.*?[^\w\d\s]))^.*

Don't think your first regex is actually working fine if you want to meet the requirements in bullets above it. Clamps to 20 chars but doesn't say you have to. Requires all four of the categories but requirements say 3 of the 4. Doesn't check the username requirement at all. So I've gutted out most of the initial regex.

It matches these (as expected):

Short5
TeSamplePrd6
TEBREaKST6
WinningUser6@

It fails on these (as expected):

SamplePassword
TestUser6@
Shrt5
TeSTTest

Remaining problems

For some reason it matches this:

TEBREKST6

but it only meets two of the four requirements + min length - not sure why?

There is nothing taken into account about the "Password cannot contain your username or parts of your full name exceeding two consecutive characters" requirement and I'm not sure you can even do this through web.config min password requirement as you don't have access to it within the regex.
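The username rule left open above needs the account's own data, so it can only be checked in server-side code, where the three-of-four category rule also becomes a simple count. The following is an added example, not part of either answer or of ASP.NET, and is shown in Python to keep it short. The function name `check_password`, the rule labels, and the reading of the identity rule as "no run of three or more consecutive characters from the username or any part of the full name" are assumptions.

```python
import re

MIN_LENGTH = 6
BANNED_WORD = "test"

# One pattern per character category named in the policy.
CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9\s]"),
}


def _windows(text, size=3):
    """All lowercase substrings of `size` consecutive characters in text."""
    text = text.lower()
    return {text[i:i + size] for i in range(len(text) - size + 1)}


def check_password(password, username, full_name):
    """Return the list of policy rules the password violates (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")

    # Count categories instead of enumerating every 3-of-4 combination.
    met = [name for name, rx in CATEGORIES.items() if rx.search(password)]
    if len(met) < 3:
        problems.append("fewer_than_3_categories")

    lowered = password.lower()
    if BANNED_WORD in lowered:  # covers Test, TEST, tEsT, ...
        problems.append("contains_test")

    # Assumed reading of the identity rule: reject any run of 3+ consecutive
    # characters taken from the username or from a whitespace-separated part
    # of the full name, compared case-insensitively.
    identity_parts = [username] + full_name.split()
    if any(w in lowered for part in identity_parts for w in _windows(part)):
        problems.append("contains_name_fragment")
    return problems
```

Returning the list of violated rules rather than a single boolean lets the form tell the user which requirement failed, which a single combined regular expression cannot do.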