
I have pretty good password validation, but I would like to add some more functionality.

You can see an example here http://jsfiddle.net/yfM5T/22/

Currently I have a password check that requires 7 chars, 1 upper case, 1 digit and 1 special character, and it won't even allow white space.

But I want to add

  1. Password doesn't contain 9 consecutive numbers (because some people use phone numbers as passwords, e.g. it won't take Pass@123456789 but Pass123456@789 is OK)
  2. Not the same as the log-in name
  3. Not more than two repeating characters (saaga is OK but saaaga is not allowed)

Bonus if the password validation tool tip shows the white space validation message only if the user puts in a white space, rather than showing it on focus (only for the white space, 9 consecutive numbers, username etc.)

  • Something interesting to think about. The more rules you apply, the more homogenized your passwords become. Then they are easier to brute force. Just saying. Commented Nov 11, 2011 at 15:38
  • Read: xkcd.com/936 Commented Nov 11, 2011 at 15:39
  • Because it's a banking solution, password rules are very important. My manager decides everything :(.. Commented Nov 11, 2011 at 15:40
  • If you must do this sort of thing (and generally it really irritates me, and causes lots of customer support issues when people forget their passwords), it'd be better to do some general statistical analysis on the characters used instead of applying the sort of "rules" you describe, which probably have no analytical basis for improving security. Just my opinion :-) Commented Nov 11, 2011 at 15:40
  • I think you're crossing the line between securing and annoying your users. Forcing them to use at least one uppercase or perhaps a number will secure it enough, as long as you're storing them properly on your end. Remember, most people get hacked through social engineering and not actual hacking/brute force attacks. However, if you're just trying to force your users not to use their username, then that's a simple if statement. If you don't want them to use phone numbers, use a regular expression. Commented Nov 11, 2011 at 15:41

1 Answer
  • 1) ^(?!.*\d{9}.*)
  • 3) ^(?!.*([a-zA-Z])\1\1)

For the second rule just use a string comparison with the username.
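The three extra rules put together as one validation function, as an added example that is not part of the original question or answer. It keeps the answer's negative-lookahead idea for rule 1, generalizes the rule 3 pattern from letters only to any character (so `111` or `!!!` is rejected as well as `aaa`), and does the username comparison case-insensitively; the function name, the error strings and the case-insensitive choice are assumptions for this example, not from the page.

```javascript
// Added example; not code from the original post. Runs in a browser or under Node.

// Rule 1: nine or more consecutive digits anywhere in the password (phone numbers).
// Equivalent to the answer's ^(?!.*\d{9}.*) but written as a positive test.
const NINE_CONSECUTIVE_DIGITS = /\d{9}/;

// Rule 3: any single character repeated three or more times in a row.
// The answer's pattern only covers [a-zA-Z]; (.)\1\1 covers digits and symbols too.
const THREE_IN_A_ROW = /(.)\1\1/;

// Returns an array of messages for the rules the password breaks; an empty
// array means the three extra rules all pass. (Name and messages are assumed.)
function validateExtraRules(password, username) {
  const errors = [];

  if (NINE_CONSECUTIVE_DIGITS.test(password)) {
    errors.push('must not contain 9 consecutive numbers');
  }

  // Rule 2: plain string comparison with the login name. Comparing
  // case-insensitively is an assumption here so "Admin" vs "admin" is caught.
  if (typeof username === 'string' &&
      password.toLowerCase() === username.toLowerCase()) {
    errors.push('must not be the same as the login name');
  }

  if (THREE_IN_A_ROW.test(password)) {
    errors.push('must not contain more than two repeating characters');
  }

  return errors;
}

// Constructed sample inputs from the question's own examples.
console.log(validateExtraRules('Pass@123456789', 'alice')); // rule 1 fails
console.log(validateExtraRules('Pass123456@789', 'alice')); // passes
console.log(validateExtraRules('saaaga', 'alice'));         // rule 3 fails
```

Because the function returns the list of failed rules rather than a single boolean, a tool tip can show only the message that applies (the bonus in the question): call it on each input event and render whatever the array contains, instead of showing every rule on focus.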
