For one of our current projects I was looking for a way to validate strong passwords with regular expressions. Form field validation rules are stored as a regex in the database properties for the field, so the easiest way to enforce secure passwords was to use that mechanism. I found many example regular expressions, but they all lacked one feature: to avoid SQL injection or HTML formatting issues we wanted to limit the characters allowed in passwords, and none of the patterns I found on the web allowed that. (A restricted character set is defence in depth only: the password must still reach the database through parameterized queries, be stored as a salted hash, and be encoded wherever it is rendered; the regex replaces none of that.) Many of the posted examples also contained useless or redundant sub-patterns. Here is my own pattern, which works in Perl, PHP, Java, and .Net. Needless to say, regex engines based on the old POSIX standard (BRE/ERE) have no lookahead and cannot run something as cryptic as this (read as one line):
(?=^[\w ,\.;:/\!@\#\$%&\*=\-\+\(\)\[\]\{\}\|]{10,}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*\W)
- ten or more characters long
- one or more a-z
- one or more A-Z
- one or more 0-9
- one or more of ,.;:/!@#$%&*=-+()[]{}| or space (the underscore is accepted through the \w in the character class but does not satisfy this rule, because it is a word character and \W excludes it)
You can easily test this pattern with online regex testers for the different engines:
Perl (PCRE syntax; enclose the pattern in match delimiters such as / /)
PHP (preg_match; enclose the pattern in delimiters such as # #)
Java (use Matcher.find() or lookingAt(); String.matches() requires the whole input to be consumed, and a pattern made only of lookaheads consumes nothing, so matches() returns false unless you append .*)
.Net (Regex.IsMatch)
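The pattern put to work, as an added example that is not the post's own code: the post targets Perl, PHP, Java and .Net, but Python's re module accepts the same lookahead syntax, so it is used here to show the verdicts on a set of constructed sample passwords and two edge cases a practitioner should know about. The names is_strong, check_samples and STRICT_PASSWORD_RE, the hardened variant (\Z instead of $, ASCII-only \w), and every sample password are assumptions of this example, not something the post defines.

```python
import re

# The post's pattern, joined onto one line. The gap between the third and
# fourth lookahead in the post is a line-wrap artifact: a literal space there
# would demand a space at position 0 and break the check.
STRONG_PASSWORD_RE = re.compile(
    r"(?=^[\w ,\.;:/\!@\#\$%&\*=\-\+\(\)\[\]\{\}\|]{10,}$)"
    r"(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*\W)"
)

# Hardened variant (added here, not from the post): \Z instead of $ so that a
# trailing newline cannot slip past the allowed-character check, and re.ASCII
# so \w, \d and \W keep their ASCII meaning instead of widening to every
# Unicode letter and digit, which would quietly undo the character whitelist.
STRICT_PASSWORD_RE = re.compile(
    r"(?=^[\w ,\.;:/\!@\#\$%&\*=\-\+\(\)\[\]\{\}\|]{10,}\Z)"
    r"(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*\W)",
    re.ASCII,
)


def is_strong(password, pattern=STRONG_PASSWORD_RE):
    """True if the password satisfies every lookahead in `pattern`."""
    # The pattern is pure lookahead and consumes nothing, so use match(),
    # not fullmatch(): fullmatch() would need the match to span the whole
    # string and always fails on non-empty input.
    return pattern.match(password) is not None


# Constructed sample inputs with the expected verdict (not from the post).
SAMPLES = {
    "Tr0ub4dor&3xyz": True,       # 14 chars, upper, lower, digits, '&'
    "Abcdefgh 1": True,           # the space counts as the \W character
    "Abcdefgh_1": False,          # '_' is \w, so no \W character present
    "Abcdefg1!": False,           # only nine characters
    "abcdefgh1!": False,          # no upper-case letter
    "ABCDEFGH1!": False,          # no lower-case letter
    "Abcdefghi!": False,          # no digit
    'Abcdefgh1"': False,          # '"' is outside the allowed set
    "Abcdefgh1<script>": False,   # '<' and '>' are outside the allowed set
}


def check_samples(pattern=STRONG_PASSWORD_RE):
    """Map each sample to the verdict `pattern` gives it."""
    return {pw: is_strong(pw, pattern) for pw in SAMPLES}


def trailing_newline_verdicts():
    """A password with a trailing newline: the post's pattern accepts it
    because $ also matches just before a final newline; the \\Z variant
    rejects it."""
    pw = "Abcdefgh1!\n"
    return is_strong(pw), is_strong(pw, STRICT_PASSWORD_RE)


def unicode_verdicts():
    """Non-ASCII letters: with Unicode-aware \\w (Python's default) the
    post's pattern accepts them as word characters; under re.ASCII they
    fall outside the allowed list."""
    pw = "\u00c4" * 8 + "Ab1!"   # eight 'Ä' followed by "Ab1!" (12 chars)
    return is_strong(pw), is_strong(pw, STRICT_PASSWORD_RE)


if __name__ == "__main__":
    for pw, expected in SAMPLES.items():
        got = is_strong(pw)
        print(f"{'OK ' if got == expected else 'BAD'} {pw!r}: {got}")
    print("trailing newline (post, strict):", trailing_newline_verdicts())
    print("Unicode letters  (post, strict):", unicode_verdicts())
```

Whether \w is ASCII-only or Unicode-aware depends on the engine and its flags (Python and .Net default to Unicode, Java and PCRE to ASCII unless told otherwise), so check what your engine does before relying on the character class as a whitelist; the \Z form is the portable fix for the trailing-newline case in PCRE, Java and .Net as well (there spelled \z).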