1

I am experimenting with the use of regex to check password complexity with MVC4 data annotations. I started with a simple regex to check for length, but the following does not work with strings of any length. What error am I making?

[RegularExpression(@"^(?=.{8,})$", ErrorMessage = "Password not strong enough")]
[Required]
[DataType(DataType.Password)]
public string Password { get; set; }
3
  • Why regex? Just use StringLength attribute Commented Jan 18, 2014 at 0:42
  • @Selman22 - It appears like he is wanting to enforce some complexity requirements (upper, lower, numeric) as well as length and this is his starting point. Commented Jan 18, 2014 at 1:00
  • Thanks @Tommy, that is exactly right. I was trying to understand regexes before using them. For some reason, none of the resources I found online explained it as nicely as most of the posts here. Commented Jan 18, 2014 at 1:38

2 Answers

2

As far as the simple regex you were trying goes, you can just use:

^.{8,}$

You don't want the forward lookup (?=). See my description of why this is the case at the end.

For simple string length checking, you can just use the StringLength length attribute if you are using ASP.NET 4.0:

[StringLength(8, MinimumLength=1)]

(Note: as Tommy pointed out in the comments, you would want a regex for the full password checking). If you are looking for more complex password regexes, then I suggest you look at Tommy's answer and here and here to begin.

Why (?=) doesn't work

  • ^ - match the start of the string.
  • .{8,} - Then look forward and see if there are at least 8 characters. (remember forward lookup doesn't change the test position so this will still be the start of the string).
  • Have we reached the end ($)? No -> Fail.

Another example is that .+(?=.{8,})$ will fail because there is no such position in the string that is followed by 8 characters and the next character from the test position is the end of string $.

A final example is ^.(?=.{7,}) which will match the first character of an (at least) 8 character string. This is because only the first character is preceded by the beginning ^.


8 Comments

I don't think you would want a minimum length of 1 for a password. I think what he is wanting to do is a) ensure that it is at least 8 characters and b) using regex, verify complexity of a password string such as upper case, lower case, numeric values.
@Tommy - he said that his simple regex does not enforce the minimum string length in the simple starting case. This is because his regex would not do that - he was using a forward lookup where he shouldn't.
I was more referencing your use of the StringLength attribute (MinimumLength=1) :)
Ah, yes - I mainly mentioned that as an alternative to a regex for length check. But, I take your point - I have modified. Thanks.
Thanks @acarlon for the excellent explanation, I now have a much better understanding of interpreting regexes.
2

Given that you want to verify length as well as some other password complexity rules based on your opening sentence, I recommend that you check out some of the Regex blogs concerning "Password Complexity Regex" on the internet. For example, if you wanted to ensure that a password was at least 8-20 characters long and contained one upper and one lower case letter as well as a number, you would use the following regex:

((?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,20})

Which basically breaks down to, I need at least 8 (no more than 20) characters, at least one must be a number, at least one must be a-z and at least one must be A-Z. There are other examples and bits that you can put together.

For testing your regex, I would recommend a regex testing site such as http://regexhero.net/tester/. In conjunction with the MSDN, you should be able to make some pretty nifty expressions.

5 Comments

Thanks very much, I now have a much, much better understanding of what these expressions mean.
@Manish - glad to help, that's why we are here. Remember that if acarlon or my answers provided you the help you needed, to mark one as accepted (green checkmark) :)
If you read that blog entry, be sure and read ridgerunner's comment concerning the leading .* in the author's regex. That's a very common mistake.
@AlanMoore - good point. I wanted to provide some examples of blogs without saying "Google it", but didn't read too much into the accuracy. Your comment did make me double check my example to ensure I didn't replicate!
Oh, good point @Tommy, I was using upticks, just marked acarlon's answer for the explanation
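
Added example, not part of the original question or answers: a small C# console program that runs the three patterns quoted on this page through both Regex.IsMatch and RegularExpressionAttribute.IsValid. The sample passwords and the class name are constructed for illustration; it goes slightly beyond the thread by showing that the attribute requires the match to cover the whole value and treats empty input as valid.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Text.RegularExpressions;

static class PasswordPatternDemo
{
    // Patterns copied from the question and the two answers on this page.
    static readonly (string Label, string Pattern)[] Patterns =
    {
        ("question: lookahead then $", @"^(?=.{8,})$"),
        ("answer 1: length only",      @"^.{8,}$"),
        ("answer 2: complexity",       @"((?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,20})"),
    };

    // Constructed sample inputs (not real credentials).
    static readonly string[] Samples =
    {
        "",                          // empty
        "short1A",                   // 7 chars
        "longenough",                // 10 chars, lower case only
        "Passw0rdOk",                // 10 chars, upper + lower + digit
        "Passw0rdThatIsFarTooLong1", // 25 chars, upper + lower + digit
    };

    static void Main()
    {
        foreach (var (label, pattern) in Patterns)
        {
            var attribute = new RegularExpressionAttribute(pattern);
            Console.WriteLine($"{label}: {pattern}");
            foreach (var sample in Samples)
            {
                // Regex.IsMatch succeeds if the pattern matches anywhere in the input.
                bool regexMatch = Regex.IsMatch(sample, pattern);
                // The attribute additionally requires the match to start at index 0
                // and span the whole value, and it returns true for null or empty
                // input, which is why the model also carries [Required].
                bool attributeValid = attribute.IsValid(sample);
                Console.WriteLine(
                    $"  \"{sample}\" (len {sample.Length}): IsMatch={regexMatch}, attribute={attributeValid}");
            }
        }
    }
}
```

The 25-character sample passes Regex.IsMatch with the unanchored complexity pattern but fails the attribute, so add ^ and $ if the same pattern is reused outside data annotations.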
