Hi, I’d like to present PasswordValidator, a simple easy-to-use enforcer of common corporate-style password rules such as length and character set (i.e. number of minimum characters to use of each class) as well as implementing custom validation rules.
Of course if you can convince the business side of your company to not require specific rules, but instead allow a longer minimum length if the rules are not met that would be better than restrictive character set rules.
Have you thought about supporting a NIST mode to have it follow the NIST Federal Password Guidelines (Section 5.1)? This seems to be pretty standard in areas that I’ve worked as the password requirements. In general it just has a minimum length of 8, a minimum maximum length of 64, any ASCII printable character must be allowed and any unicode character ‘should’ be allowed, pasting should be allowed, a blacklist of compromised values is allowed and it is allowed to block often-guessed patterns such as dictionary words and so forth, more importantly it has this sentence:
No other complexity requirements for memorized secrets SHOULD be imposed.
A library that verifies according to the NIST standards with a lot of configureable optional sets would be very nice.
Thanks, that seems like a reasonable consideration. Perhaps it could be implemented kind of like a preset. I added an issue to track it: https://github.com/axelson/password-validator/issues/4