A sensible PasswordStrengthRegularExpression

Question

We\'re using the standard ASP.NET authentication provider (AspNetSqlMembershipProvider as it happens) and the defualt password strength requirement is a little excessive for our

Answer 1

We just implemented the following expression to validate a pwd of 8 to 16 characters and contain three of the following 4 items: upper case letter, lower case letter, a symbol, a number

(?=^[^\s]{8,16}$)((?=.*?\d)(?=.*?[A-Z])(?=.*?[a-z])|(?=.*?\d)(?=.*?[^\w\d\s])(?=.*?[a-z])|(?=.*?[^\w\d\s])(?=.*?[A-Z])(?=.*?[a-z])|(?=.*?\d)(?=.*?[A-Z])(?=.*?[^\w\d\s]))^.*

An explanation of individual components:

• (?=^[^\s]{8,16}$) - contain between 8 and 16 non-whitespace characters
• (?=.*?\d) - contains 1 numeric
• (?=.*?[A-Z]) - contains 1 uppercase character
• (?=.*?[a-z]) - contains 1 lowercase character
• (?=.*?[^\w\d\s]) - contains 1 symbol

notice after the length segment the double parens and later in the expression you'll see several |'s. This allows for the either/or comparison of the 4 possible combinations that are allowed.

After writing this I just noticed this question was asked over a year ago. Since I had come across this question in my search I hope someone else can also benefit from our solution.

Answer 2

Here is a regex that allows all characters and requires at least one number and requiring at least 6 characters.

^.*(?=.{6,})(?=.*\d).*$

If you want more or less characters defined simply change (?=.{6,}) to reflect the number of characters you want as a minimum.