Groups in regex to validate password

ajoao · July 22, 2017, 10:00am

I need to validate the criteria in a password: Must contain at least one capital letter, one lowercase and one or more numbers, the size must be between 6 and 32 characters, can not have any special character or space. Must have all 3 types: Uppercase, lowercase and number.

I have tried several ways but I could not, I looked in the documentation of regex (Elixir and Perl), but I caught here: Regex.run(~r/^[A-Z](?=.*)[a-z](?=.*)[^\W_]{5,30}$/,IO.gets"")

But this regex only allows password starting with the uppercase and does not allow numbers, if I add something like \d(?=.*) or [0-9](?=.*) nothing works.

Just as an example in ES/JS would be: /^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)[^\W_]{6,32}$/

NobbZ · July 22, 2017, 10:18am

Iterate the string, count the used characters per group and compare against your threshlds.

ajoao · July 22, 2017, 10:38am

In a single regex would not it be possible? If so, would you have an example?

wmnnd · July 22, 2017, 12:35pm

Like @NobbZ pointed out, using a regular expression is not ideal in this situation. It will obfuscate what you’re actually doing, might introduce obscure bugs and you won’t be able to give meaningful error messages.

ajoao · July 22, 2017, 1:28pm

Okay, I’ll implement it cleaner, anyway I wanted to explore more regex in Elixir, but thanks.

ryh · July 22, 2017, 2:21pm

Here’s an implementation that doesn’t use regex, but it’s kind of ugly:

defmodule PasswordValidator do

  @valid_upper 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  @valid_lower 'abcdefghijklmnopqrstuvwxyz'
  @valid_num '0123456789'

  def validate(pass) do
    chars =
      pass
      |> String.to_charlist()

    valid_length?(chars) and has_valid_chars?(chars) and has_required_chars?(chars)
  end

  defp valid_length?(chars) when is_list(chars) do
    length(chars) >= 6 and length(chars) <= 32
  end

  defp has_valid_chars?(chars) when is_list(chars) do
    Enum.all?(chars, &validate_char/1)
  end

  defp has_required_chars?(chars) when is_list(chars) do
    [&has_upper/1, &has_lower/1, &has_num/1]
    |> Enum.all?(&Enum.any?(chars, &1))
  end

  defp validate_char(char) do
    has_upper(char) or has_lower(char) or has_num(char)
  end

  defp has_upper(char) do
    char in @valid_upper
  end

  defp has_lower(char) do
    char in @valid_lower
  end

  defp has_num(char) do
    char in @valid_num
  end
end

ajoao · July 22, 2017, 6:16pm

Cool guy, thanks a lot

OvermindDL1 · July 24, 2017, 4:44pm

Or using my ExSpirit parsing library (untested but should be close enough:

defmodule PasswordValidator do
  use ExSpirit.Parser, text: true

  def validate(pass) do
    case parse(pass, valid_chars()) do
      %{error: nil, rest: ""} -> :ok
      %{error: nil} -> {:error, "Password is too long, keep it below 32 characters"}
      %{error: error} -> {:error, "Password must be between 6-32 characters and only alpha-
numeric, failure message:  #{Exception.message(error}"}
    end
  end

  defrule valid_char(char([?A..?Z, ?a..?z, ?0..?9]))

  defrule valid_chars(repeat(valid_char(), 6, 32)
end

Or so.

axelson · August 2, 2017, 7:09am

@ajoao or anyone else interested in this. Partially inspired by this thread (and the fact that there didn’t appear to be any password validators or checkers on hex) I’ve created a simple password validator library:

The original requirements would look like this with PasswordValidator:

opts = [
  length: [min: 6, max: 32],
  character_set: [
    lower_case: 1,  # at least one lower case letter
    upper_case: 1,  # at least one capital letter
    numbers: 1,  # at least one numbers
    special: [0, 0],  # no special characters allowed
  ]
]

changeset
|> PasswordValidator.validate(:password, opts)

Please feel free to check it out and give me any feedback (including on the code structure). I’ll probably try to do some sort of larger forum post in the near future but wanted to mention it here first.

OvermindDL1 · August 2, 2017, 8:46pm

Cool.

You could also replace the functionality of this password strength checker. ^.^

don’t really do that ^.^;

axelson · August 2, 2017, 8:54pm

Yeah that would be a great next step!

But actually that led me to zxcvbn which is an entropy-based checker. That would be interesting to tackle and is currently missing an Elixir implementation. Also I am agreed that validating based on types of characters is not very useful (but I really just wanted to try my hand at a library).

OvermindDL1 · August 2, 2017, 9:28pm

That would be awesome to port to elixir!!

riverrun · August 3, 2017, 3:04am

I have worked on this password strength checker for some time, and it’s recently been updated to work with the newer NIST recommendations. As well as checking length and for certain common combinations, it also checks for common passwords (with certain changes made to them, like leet substitution, characters added to the beginning / end of the common password, etc.), and the common password list is configurable.

Having said that, in many cases I would recommend a good front-end solution, such as the previously mentioned zxcvbn, which also checks for common passwords (with changes). The reason why I am suggesting zxcvbn is that it provides more immediate feedback to the user, and that can be very useful when encouraging users to choose strong passwords.

techgaun · March 22, 2019, 2:42am

Sorry to bump an old thread but this was something that I needed as well. I went ahead and ported the zxcvbn for Elixir. Hopefully, this turns out to be useful for others coming back to this thread.

axelson · March 22, 2019, 3:32am

Nice, property based oracle testing using zxcvbn.js: https://github.com/techgaun/zxcvbn-elixir/blob/d792346c2ab05763112223702df67ec09cab16ee/test/zxcvbn_test.exs

axelson · April 5, 2019, 6:44pm

Just released version 0.3.0 of GitHub - axelson/password-validator: A Elixir library to validate passwords, with built-in validators for password length as well as the character sets used with support for zxcvbn via @techgaun’s zxcvbn-elixir