Password regexes: Regex and Password complexity policy
Regex for password must contain at least eight characters, at least one number and both lower and uppercase letters and special characters
Answer 1
Minimum eight characters, at least one letter and one number:
"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]{8,}$"
Minimum eight characters, at least one letter, one number and one special character:
"^(?=.*[A-Za-z])(?=.*\d)(?=.*[@$!%*#?&])[A-Za-z\d@$!%*#?&]{8,}$"
Minimum eight characters, at least one uppercase letter, one lowercase letter and one number:
"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[a-zA-Z\d]{8,}$"
Minimum eight characters, at least one uppercase letter, one lowercase letter, one number and one special character:
"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$"
Minimum eight and maximum 10 characters, at least one uppercase letter, one lowercase letter, one number and one special character:
"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,10}$"
Answer 2
You may use this regex with multiple lookahead assertions (conditions):
^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-]).{8,}$
This regex will enforce these rules:
- At least one upper case English letter,
(?=.*?[A-Z])
- At least one lower case English letter,
(?=.*?[a-z])
- At least one digit,
(?=.*?[0-9])
- At least one special character,
(?=.*?[#?!@$%^&*-])
- Minimum eight in length
.{8,}
(with the anchors)
Password Special Characters
The same list as string (between double quotes): " !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"
Various operating systems and applications may apply limitations to this set.
A usable regex for filtering on password complexity
Suppose the password rules require at least one digit, at least one lowercase letter, at least one uppercase letter and at least one special character, with a minimum length of 10 and a maximum length of 50.
(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[ !"#$%&'()*+,-.\/:;<=>?@[\]^_`{|}~]).{10,50}
Reading the diagram of the pattern, the lookahead checks can be skipped at first; look at what comes after them: .{10,50} matches any characters, at least 10 and at most 50. Then the non-capturing lookahead matches are applied.
Example:
/(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])[a-zA-Z0-9]{8,15}/
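To see how the quoted patterns actually behave, here is an added Python example (not code from the StackOverflow answers or from the author of this post) that runs the Answer 1 and Answer 2 patterns and the 10-to-50-character rule above over constructed sample passwords. The special-character class of the last rule is built from the OWASP list on this page, escaped with re.escape for Python's syntax; the sample passwords and the rule names are my own. It also goes a step beyond the text by comparing re.fullmatch with re.search, which matters for the unanchored rule: without ^ and $ the 50-character cap is not enforced.

```python
import re

# Patterns quoted on this page, copied as given.
# ANSWER1_8PLUS / ANSWER1_8TO10: the last two patterns of "Answer 1". Their body is a
# whitelist, so only letters, digits and @$!%*?& may appear anywhere in the password.
ANSWER1_8PLUS = r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$"
ANSWER1_8TO10 = r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,10}$"
# ANSWER2: the pattern of "Answer 2". Its body is ".{8,}", so any character is allowed.
ANSWER2 = r"^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-]).{8,}$"

# The OWASP "Password Special Characters" list from this page (33 characters);
# re.escape turns it into a character class that is safe in Python's re syntax.
OWASP_SPECIALS = r""" !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"""
SPECIAL_CLASS = "[" + re.escape(OWASP_SPECIALS) + "]"

# The 10-50 character rule from the Chinese section, written (as on the page)
# without ^ and $ anchors.
CN_RULE = r"(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*" + SPECIAL_CLASS + r").{10,50}"

RULES = {
    "answer1_8plus": ANSWER1_8PLUS,
    "answer1_8to10": ANSWER1_8TO10,
    "answer2": ANSWER2,
    "cn_rule": CN_RULE,
}


def check_full(pattern, password):
    """Whole-string check: re.fullmatch anchors at both ends regardless of ^ and $."""
    return re.fullmatch(pattern, password) is not None


def check_search(pattern, password):
    """Substring check: re.search accepts the password if the pattern matches
    anywhere, which is how an unanchored pattern like CN_RULE behaves when it
    is dropped into a typical validator."""
    return re.search(pattern, password) is not None


def evaluate(password):
    """Run every rule on the page against one candidate (anchored check)."""
    return {name: check_full(pat, password) for name, pat in RULES.items()}


# Constructed sample passwords (not from the page), chosen to expose the
# differences between the patterns.
SAMPLES = [
    "Abc123$x",               # 8 chars, all classes present, only whitelisted chars
    "Tr0ub4dor&3",            # 11 chars: passes 8+ rules, fails the 8-10 cap
    "Pa55word with space!",   # a space fails the whitelist body but not ".{8,}"
    "Pässwörd_99",            # "_" is an OWASP special char, but not in either answer's set
    "Secret-pass9",           # "-" is special for Answer 2 only
    "Short1!",                # too short for every rule
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:26} {evaluate(sample)}")
    overlong = "Aa1!" + "x" * 60
    print("64 chars, anchored 8-10 rule under re.search:", check_search(ANSWER1_8TO10, overlong))
    print("64 chars, unanchored 10-50 rule under re.search:", check_search(CN_RULE, overlong))
```

Two things the run shows. The whitelist body `[A-Za-z\d@$!%*?&]{8,}` rejects any password containing a space, a non-ASCII letter or a special character outside that short set, so `_` and `-`, both on the OWASP list, fail Answer 1 while `.{8,}` only requires the four classes to be present somewhere. And a pattern without anchors accepts a 64-character password under re.search, because `.{10,50}` simply matches the first 50 characters; the maximum only holds with `^`/`$` or re.fullmatch.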
Password length limits
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
Implement Proper Password Strength Controls
A key concern when using passwords for authentication is password strength. A "strong" password policy makes it difficult or even improbable for one to guess the password through either manual or automated means. The following characteristics define a strong password:
- Password Length
  - Minimum length of the passwords should be enforced by the application. Passwords shorter than 8 characters are considered to be weak (NIST SP800-63B).
  - Maximum password length should not be set too low, as it will prevent users from creating passphrases. Typical maximum length is 128 characters. It is important to set a maximum password length to prevent long password Denial of Service attacks.
    - Some password hashes such as Bcrypt truncate the input, so a shorter maximum length may be required, as discussed in the Password Storage Cheat Sheet.
    - When selecting a maximum password length, consider whether the hashing algorithm to be used has any limitations because some have a maximum password length.
- Do not truncate passwords. Make sure that every character the user types in is actually included in the password.
- Allow usage of all characters including unicode and whitespace. There should be no password composition rules limiting the type of characters permitted.
- Ensure credential rotation when a password leak occurs, or at the time of compromise identification.
- Include password strength meter to help users create a more complex password and block common and previously breached passwords
  - zxcvbn library can be used for this purpose. (Note that this library is no longer maintained)
  - Pwned Passwords is a service where passwords can be checked against previously breached passwords. You can host it yourself or use API.
Long password denial of service
By sending a very long password (1.000.000 characters) it's possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the password hashing process will result in CPU and memory exhaustion.
This vulnerability was detected by sending passwords with various lengths and comparing the measured response times. Consult details for more information.
Remediation
The password hashing implementation must be fixed to limit the maximum length of accepted passwords.
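The following is an added Python example, not code from the cheat sheet or from this post, that turns the list above and the remediation for the long-password issue into a registration-side check: length bounds enforced before any hashing, no truncation, no composition rules, a lookup against a breached-password set (a constructed set stands in for Pwned Passwords), and a helper showing why bcrypt's 72-byte input limit, a known property of bcrypt rather than a figure from the page, can force a lower maximum. PBKDF2 from the standard library is only a stand-in for a real password hash.

```python
import hashlib
import os
from typing import Optional

MIN_LEN = 8      # floor quoted on this page from NIST SP 800-63B
MAX_LEN = 128    # the "typical maximum" the page cites; it also bounds hashing cost
# bcrypt only uses the first 72 bytes of its input (a known property of bcrypt,
# not a number taken from this page).
BCRYPT_INPUT_LIMIT = 72

# Constructed stand-in for a breached-password source such as Pwned Passwords;
# a real deployment would query the k-anonymity API or a self-hosted copy.
BREACHED = {"password", "123456", "qwerty123", "letmein"}


class PasswordRejected(ValueError):
    """Raised with a reason the caller can show to the user."""


def validate_password(candidate):
    """Apply the length and composition guidance quoted from the OWASP cheat sheet.

    Returns the candidate unchanged (never truncated) or raises PasswordRejected.
    """
    # Length is checked before anything expensive happens, so an overlong
    # submission is rejected at negligible cost: the long-password DoS remediation.
    if len(candidate) < MIN_LEN:
        raise PasswordRejected(f"must be at least {MIN_LEN} characters")
    if len(candidate) > MAX_LEN:
        raise PasswordRejected(f"must be at most {MAX_LEN} characters")
    # No composition rules: unicode and whitespace pass through untouched.
    # Block common and previously breached passwords.
    if candidate.lower() in BREACHED:
        raise PasswordRejected("appears in a list of breached passwords")
    return candidate


def utf8_length(candidate):
    """Byte length of the password as the hash function will see it."""
    return len(candidate.encode("utf-8"))


def fits_bcrypt(candidate):
    """True if bcrypt would hash every byte of this password.

    Non-ASCII characters take several bytes, so a password well under MAX_LEN
    characters can still exceed the 72-byte limit; this is why the cheat sheet
    says a shorter maximum may be required for bcrypt.
    """
    return utf8_length(candidate) <= BCRYPT_INPUT_LIMIT


def hash_password(candidate, salt: Optional[bytes] = None):
    """Hash only after validation, so MAX_LEN also caps the work done here.

    PBKDF2-HMAC-SHA256 from the standard library stands in for a real password
    hash (Argon2id, scrypt or bcrypt); the validation order is the point.
    """
    password = validate_password(candidate)
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


if __name__ == "__main__":
    for sample in ("correct horse battery staple", "Pässwörd 9", "short1!", "x" * 129, "Password"):
        try:
            validate_password(sample)
            print(f"accepted: {sample[:20]!r} ({utf8_length(sample)} bytes, fits bcrypt: {fits_bcrypt(sample)})")
        except PasswordRejected as err:
            print(f"rejected: {sample[:20]!r}: {err}")
```

Note that "Pässwörd" is eight characters but ten UTF-8 bytes: if bcrypt is the chosen hash, the maximum must be set in bytes, not characters, or passwords longer than 72 bytes are silently truncated, which is exactly what the list above says to avoid.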
A wrong regex
The regex (?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).{8,25} has to be changed to (?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).{8,15} before it works.
(?= is used for positive lookahead): (?=pattern)
A non-capturing match (positive lookahead): it matches the search string at the start of any string that matches pattern; the match is not captured for later use.
For example, "Windows(?=95|98|NT|2000)" matches "Windows" in "Windows2000" but does not match "Windows" in "Windows3.1".
A lookahead does not consume characters, that is, after a match occurs, the search for the next match begins immediately after the last match, not after the characters that contained the lookahead.
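Added Python example (my own, not from the page) that makes the two points above observable: the Windows(?=95|98|NT|2000) pattern matches only the word "Windows", and stacked lookaheads all test from the same position because nothing is consumed, which is what lets a password regex chain several (?=...) conditions before a single body. The sample text is constructed.

```python
import re

# Constructed sample text for the page's Windows(?=95|98|NT|2000) example.
TEXT = "Windows2000 Windows98 Windows3.1"


def windows_matches(text):
    """Return (matched text, start, end) for every hit of the page's pattern.

    The lookahead decides whether "Windows" matches but is not part of the
    match: every span is exactly len("Windows") == 7 wide, and "Windows3.1"
    is skipped because its lookahead fails.
    """
    return [(m.group(0), m.start(), m.end())
            for m in re.finditer(r"Windows(?=95|98|NT|2000)", text)]


def stacked_lookaheads(text):
    """Span of a pattern made only of lookaheads.

    Because the first lookahead consumes nothing, the second is tested from the
    same position and the whole match is zero-width. This is why a password
    regex can stack (?=.*[A-Z])(?=.*[a-z]) and still read the entire string
    afterwards with a body such as .{8,}.
    """
    m = re.search(r"(?=.*[A-Z])(?=.*[a-z])", text)
    return None if m is None else (m.start(), m.end())


def body_after_lookahead(text):
    """The body that follows a lookahead starts where the lookahead started,
    re-reading the characters the lookahead already scanned."""
    m = re.match(r"(?=.*\d).{3}", text)
    return None if m is None else m.group(0)


if __name__ == "__main__":
    print(windows_matches(TEXT))
    print(stacked_lookaheads("abcD"), stacked_lookaheads("ABCD"))
    print(body_after_lookahead("ab1"), body_after_lookahead("abc"))
```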
https://regexr.com/3bfsi a password regex contributed by someone else
https://owasp.org/www-community/password-special-characters
Special characters allowed in passwords
https://docs.oracle.com/cd/E11223_01/doc.910/e11197/app_special_char.htm#MCMAD416
(pattern) matches pattern and captures the match.
Author: Chuck Lu GitHub