A sensible PasswordStrengthRegularExpression - asp.net

We're using the standard ASP.NET authentication provider (AspNetSqlMembershipProvider as it happens) and the defualt password strength requirement is a little excessive for our needs.
We require our users to enter a password that is alphanumeric at least (i.e, letters and at least one number mandatory, mixed case and non-alphanumeric characters if the user so desires).
Can anyone suggest what PasswordStrengthRegularExpression setting would achieve this?
Also, how can we control the error message shown to the user if the password they try to use fails the regular expression check?
Note
It was found that the minRequiredNonalphanumericCharacters property must be set to 0, otherwise this setting overrides any regular expression that is used

We just implemented the following expression to validate a pwd of 8 to 16 characters and contain three of the following 4 items: upper case letter, lower case letter, a symbol, a number
(?=^[^\s]{8,16}$)((?=.*?\d)(?=.*?[A-Z])(?=.*?[a-z])|(?=.*?\d)(?=.*?[^\w\d\s])(?=.*?[a-z])|(?=.*?[^\w\d\s])(?=.*?[A-Z])(?=.*?[a-z])|(?=.*?\d)(?=.*?[A-Z])(?=.*?[^\w\d\s]))^.*
An explanation of individual components:
(?=^[^\s]{8,16}$) - contain between 8 and 16 non-whitespace characters
(?=.*?\d) - contains 1 numeric
(?=.*?[A-Z]) - contains 1 uppercase character
(?=.*?[a-z]) - contains 1 lowercase character
(?=.*?[^\w\d\s]) - contains 1 symbol
notice after the length segment the double parens and later in the expression you'll see several |'s. This allows for the either/or comparison of the 4 possible combinations that are allowed.
After writing this I just noticed this question was asked over a year ago. Since I had come across this question in my search I hope someone else can also benefit from our solution.

Here is a regex that allows all characters and requires at least one number and requiring at least 6 characters.
^.*(?=.{6,})(?=.*\d).*$
If you want more or less characters defined simply change (?=.{6,}) to reflect the number of characters you want as a minimum.

Related

Combining 2 regular expression in web.config passwordStrengthRegularExpression=""

I am not able to combine below two regular expressions. Password standard requirement:
Password cannot contain your username or parts of your full name
exceeding two consecutive characters
Passwords must be at least 6 characters in length
Passwords must contain characters from three of the following categories
Uppercase characters (English A-Z)
Lowercase characters (English a-z)
Base 10 digits (0-9)
Non-alphabetic characters (e.g., !, #, #, $, %, etc.)
Expression:
passwordStrengthRegularExpression="((?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[##$%]).{6,20})"
Passwords cannot contain the word “Test” or “test” or variants of the word
passwordStrengthRegularExpression="((?=.*\"^((?!Test|test|TEST).*)$"
Both are working fine individually.
Because your second regexp primarily uses a negative lookahead, you can remodel that slightly and stick it right at the beginning of the other expression. First, I'm going to change your second regex to:
"(?!.*(?:Test|test|TEST))"
In english, the string may not contain any number of (or zero) characters followed by test.
Then, I'm going to stick that right at the beginning of your other expression
passwordStrengthRegularExpression="^(?!.*(?:Test|test|TEST))(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[##$%]).{6,20}$"
Finally, I'm going to show you how to make only one part of a regex case-insensitive. This may or may not be supported depending on what program this is actually for.
passwordStrengthRegularExpression="^(?!.*(?i:test))(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[##$%]).{6,20}$"
See the (?i:...)? That means that the flags between the ? and the : are applied only to that part of the expression, that is, only that area is case-insensitive.
Combining your requirements and https://stackoverflow.com/a/2860380/156388 i've come up with this:
(?=^[^\s]{6,}$)(?!.*(?i:test))((?=.*?\d)(?=.*?[A-Z])(?=.*?[a-z])|(?=.*?\d)(?=.*?[^\w\d\s])(?=.*?[a-z])|(?=.*?[^\w\d\s])(?=.*?[A-Z])(?=.*?[a-z])|(?=.*?\d)(?=.*?[A-Z])(?=.*?[^\w\d\s]))^.*
Dont think your first regex is actually working fine if you want to meet the requirements in bullets above it. Clamps to 20 chars but doesn't say you have to. Requires all four of the categories but requirements says 3 of the 4. Doesn't check the username requirement at all. So I've gutted out most of the initial regex.
It matches these (as expected):
Short5
TeSamplePrd6
TEBREaKST6
WinningUser6#
It fails on these (as expected):
SamplePassword
TestUser6#
Shrt5
TeSTTest
Remaining problems
For some reason it matches this:
TEBREKST6
but it only meets two of the four requirements + min length - not sure why?
There is nothing taken into account about the "Password cannot contain your username or parts of your full name exceeding two consecutive characters" requirement and I'm not sure you can even do this through web.config min password requirement as you dont have access to it within the regex.

Phone number regex

I need regular expression for phone number.
(from 0 to 9) (total 10 digits)
Example: "0123456789"
Normally a \d{10} would do the trick. But that is the lazy-man's way of validating as '0000000000' would pass a a valid entry.
But in case you know more about the domain, and the rules (I mean, if your phone number belongs to a specific country) and you want to make sure the number matches the local rules, then you can be a little bit more specif.
For example if all the numbers are starting with a leading zero, you can do this
0\d{9}
Or if the prefixes are well know... you can make an expression that allows phone numbers only starting with certain prefix(es).
(017|016|019|012)\d{7}
This will allow only those prefixes in the list, plus other 7 digits.
Use this pattern and match it:
\d{10}
\d : digits only.
{n}: numbers of occurrences.
You can refer this post for more info. Regex for Phone number
its simple:
\d{10}
\d allows digits, and {10} indicates that the phone number must be exactly 10 digits long.
As you mentioned in the comment that you also want a regex for 012-345-6789, (\d{3}-){2}\d{4} would do the work.
(\d{3}-) would validate the first 3 digits and a -
(\d{3}-){2} would look for two occurrence of the above described group. So will validate: 012-345- And at last \d{4} will look for the last 4 digits

ASP.Net Regular Expression Validator no spaces

I'm trying to set up a validation expression for an ASP.Net Regular Expression Validator control. It is for validating the creation of a user name, so I want to limit the number of characters, and I also want to prevent them from using spaces. Here's what I've got so far:
^.*(?=.{5,20})(?=.*\w{5,255}).*$
The \w{5,255} part prevents spaces and special characters (except for underscores, apparently). I have no idea how "5,255" makes it work, but it does; I just copied it from somewhere else.
The main problem I'm having is that if the first or last character is a space (or special character), it passes validation, which is not acceptable. Can anyone help me? I'm sure it is something simple, but I know next to nothing about regular expressions.
You can use something simpler like this:
^[a-zA-Z0-9_]{5,255}$
This will allow alphanumeric usernames between 5-255 characters in length.
(let's expand overall understanding of how to at least use regex!)
The main reason why the posted regex wasn't working is because you were attempting to use lookahead. Lookahead is a 0-length pattern that just guarantees that the next part of the string will match a certain pattern (and is usually used to take advantage of it being 0-length, so it doesn't expand your capturing group).
Effectively, what your regex (going off of the original /^.(?=.{5,20})(?=.\w{5,255}).*$/) meant was:
^. "The beginning of our line should match any single character (provided it's not a newline, although this depends on the regex implementation as well as flags that may or may not have been passed in)"
(?= "and guarantee that after here"
.{5,20}) are any 5-20 characters."
(?= "Also, after that same first character (since, remember, lookahead is 0-length), guarantee"
. "one arbitrary character"
\w{5,255}) "and 5-255 word characters."
.*$ And of course, since all of that exhaustive matching was 0-length, we want the rest of the line to be an arbitrary number of characters."
What you technically could have done to use lookaround was ^(?=\w{5,255}).{5,255}$, but that's just overly convoluted. I'd suggest just using \w{5,255} or something along those lines.

Regular expression in ASP.net

I wrote regular expression for phone no as ^[0]\d{9,10} (phone no should start with 0). This works fine.
But I want to omit the option repeating 0's. i.e 0000000000
How can I add this bit to it.
^0(?!0*$)\d{9,10}$
might be what you want.
The first number is a 0.
The (?!0*$) negative lookahead ensures that the rest of the string is not all zeroes.
And finally \d{9,10} matches any 9 or 10 digits.
You could specify [1-9] as the second digit instead of \d, like so:
^[0][1-9]\d{8,9}$
(I presume the rest of the digits could still be zeros)
I do note that your phone number format is fairly limited. For example, it doesn't allow for international numbers (starting with a plus sign), nor for any common formatting characters such as brackets spaces or hyphens. It also assumes that all phone numbers will be 10 or 11 digits long, which is (mostly) true in the UK and probably other countries, but may not always be the case.
Depending on the requirements of your system, you may want to adjust to take some of those points into account.

Validation to allow space for phone numbers

i have a validation in my .net textbox where it will take only numbers
but when i put the the phone format like
080 234234
it will not accept because of a space
how to resolve this ?
could anyone help in regular expression ?
Current expression is this [0-9]+
Simply add space to characters range:
[0-9][0-9 ]*
You can also add start and stop indicators:
^[0-9][0-9 ]*$
EDIT:
number must start with digit followed with digits or spaces (zero or more).
You could use
([0-9]+\s*)+
or
(\d+\s*)+
either of which would allow one or more groups of digits followed by optional whitespace
Really, the best way to deal with this is to remove all non-digit characters, then do whatever additional validation you may require, such as the number of digits or whether the number begins with a valid area code/country code, on what's left. That way it doesn't matter whether the number is entered as (assuming US numbers here) 987-654-3210, (987) 654-3210, 987 654 3210, 9876543210, 9 8 7-6.54321 0, or whatever else.
Concentrate on validating what's meaningful in the input (the digits) and not incidental details which really don't matter (how the digits are grouped or formatted).

Resources