1

My web application will generate the password on registration form. But user are allow to change password by it they want.

When user enter the password, it must follow our password policy.

Our password policy is :

  1. The password length must be greater than or equal to 8
  2. The password must contain one or more uppercase characters
  3. The password must contain one or more lowercase characters
  4. The password must contain one or more numeric values
  5. The password must contain one or more special characters

The regex is (?=^.{8,}$)(?=.\d)(?=.[.!@#$%^&]+)(?![.\n])(?=.[A-Z])(?=.[a-z]).$

This is my C# code to generate password : 

Regex passPattern = new Regex("(?=^.{8,}$)(?=.*\\d)(?=.*[!@#$%^&*]+)(?![.\n])(?=.*[A-Z])(?=.*[a-z]).*$");

    var password = System.Web.Security.Membership.GeneratePassword(10,2);

    while (true)
    {
    if (!passPattern.IsMatch(password))
       {
         password = System.Web.Security.Membership.GeneratePassword(10, 2);                                   
       }
       else
       {
        break;
       }    
    }

It will loop and keep generate the password until it match.

On the form, I also validate the password policy by using Jquery. Here the code snippet :

<script type="text/javascript">

$('#newPassword').keyup(function(e) {
    var strongRegex = new RegExp("(?=^.{8,}$)(?=.*\d)(?=.*[!@@#$%^&*]+)(?![.\n])(?=.*[A-Z])(?=.*[a-z]).*$", "g");       
    var enoughRegex = new RegExp("(?=.{8,}).*", "g");


    if (false == enoughRegex.test($(this).val())) {
        $('#passstrength').html('More Characters');
    }
    else if (strongRegex.test($(this).val())== true) {          
        $('#passstrength').html('Meet Our Password Policy!');
    }
    else {      
        $('#passstrength').html('Please insert strength password!');
    }

    return true;
});

So the result :

  1. A%rI_2{l#Y = Not match
  2. [email protected] = Match
  3. 2@C*DjDQdJ = Match
  4. ex@#XcINQ0 = Not Match

As you see, not all the password is match. All this value have been tested at regex101.com & regexpal.com and all the result is match.

So how can solved this problem?

p/s: I using razor engine in my page, so you can see double '@' on my regex in jquery.

Improve this question
4
  • 1
    You have made at least 2 basic mistakes: 1) never use /g with RegExp.test() and 2) do not use a constructor notation when the pattern is known, use a literal regex notation (or you have to double backslashes) (that is, use var strongRegex = /^(?=.{8,}$)(?=.*\d)(?=.*[!@@#$%^&*]+)(?![.\n])(?=.*[A-Z])(?=.*[a-z]).*$/;). Instead of var enoughRegex = new RegExp("(?=.{8,}).*", "g");, you really could just check the password length. BTW, why use (?![.\n])? There seems to be no requirement Does not start with a dot or a line feed. Commented Feb 15, 2016 at 9:54
  • Does it really need to be regex? It would be much easier to implement and read without it (along with more informed errors why the password was invalid) Commented Feb 15, 2016 at 9:55
  • Why are you not just using a [RegularExpression] attribute applied to you model property so you get both client and server side validation out of the box without any of this code? Commented Feb 15, 2016 at 9:58
  • @StephenMuecke: Note that the validations are different on server and client side. That is also a good question, BTW. Commented Feb 15, 2016 at 9:59

1 Answer 1

Reset to default
1

The problems with the code are:

  • /g modifier used in a regex that is later used in RegExp#test() (see this SO post)
  • single backslashes shorthand character classes in a constructor RegExp notation (see another post on this)

Also, note that checking the length of a string is better done with a regular string length check method:

$('#newPassword').keyup(function(e) {
    var strongRegex = /^(?=.*\d)(?=.*[!@@#$%^&*]+)(?![.\n])(?=.*[A-Z])(?=.*[a-z]).{8,}$/;       
    // Use the literal regex notation so as not to double escape \ symbols!  Else,
    // var strongRegex = RegExp("^(?=.*\\d)(?=.*[!@@#$%^&*]+)(?![.\n])(?=.*[A-Z])(?=.*[a-z]).{8,}$");
    if ($(this).val().length < 8) {   // no need in the enoughRegex
        $('#passstrength').html('More Characters');
    }
    else if (strongRegex.test($(this).val())) {          
        $('#passstrength').html('Meet Our Password Policy!');
    }
    else {      
        $('#passstrength').html('Please insert a strong password!');
    }

    return true;
});
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

I still am not sure what you want to express with (?![.\n]). Right now, it will mean Does not start with a dot or a line feed.
Forgot to mention, our policy password is not allowed to put dot on first character. Just follow my boss instructions. No idea why. BTW, is working!

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.