This is off topic - but I thought I would throw it in for free:
 
Forcing an extended character set (upper case, numbers, special characters)
on the user frequently does not lead to good security.  
 
First, from the mathematical side, the length of the password has much more
bearing on how difficult it is to crack than the added complexity gained
from using an extended character set.  So sliggyfiverbotgar  is much harder
to crack than ^%tgYh.  As a practical matter, passwords longer than 10
characters are not generally breakable - even when composed of mostly
English words.  Each extra character adds so many permutations that you need
to be the NSA to brute force longer passwords.
 
On the social engineering side: if you force average users to use an
extended character set they have a hard time remembering them.  If they
can't easily remember them they write them down and all too frequently post
them next to their monitor.  It's all a balancing act - and it varies by
situation.  I usually go for what you have - minimum of 8 characters, with
at least one number.  Sometimes I require mixed case also.  I don't force
special characters as that tends to make too many users write down their
passwords.

  _____  

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Ajas Mohammed
Sent: Monday, March 09, 2009 10:28 AM
To: discussion@acfug.org
Subject: [ACFUG Discuss] Password CFinput regular expression - throws
alert/error after correction also


Hi there,

I have this code which checks if a password is strong, i.e. at least 8
characters long, consisting of one Upper case and one Lower case and one
Number, and if not alerts the user about it. I am using a regular expression
to do this as you can see from the code below. The problem is that once the alert
is displayed, even if the user corrects the error and enters a strong
password, the error alert does not go away. For example, if I entered
password for the first time, then obviously I will get an alert saying password
is not strong. Then, afterwards if I correct the password to be, let's say,
Leave1234 which is 9 chars, has one upper case, one lower case and has a
number also, I still end up getting the password not strong message. I tried
removing onBlur, onSubmit one at a time but it doesn't work.

Any ideas????

Here is the code

New Password:
     <!--- some possible regular expressions I used new_password --->
     <!--- ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$ or  --->
     <cfinput type="password" name="new_password"
              validate="regular_expression"
              pattern="^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$"
              validateat="onBlur,onSubmit,onServer"
              message="Your password is not strong. Your password should be at least 8 characters long, consisting of one Upper case and one Lower case and one Number.">
                   
<Ajas Mohammed />
http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are.
No matter what, find a way. Because thats what winners do.
You can't improve what you don't measure.
Quality is never an accident; it is always the result of high intention,
sincere effort, intelligent direction and skillful execution; it represents
the wise choice of many alternatives.
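
An added example, not part of either message: the pattern from the cfinput tag evaluated as a JavaScript regular expression, next to a rough brute-force search-space estimate for the passwords mentioned in the thread. The alphabet sizes (printable ASCII), the function names and the extra sample "password" are assumptions made for this illustration.

```javascript
// Pattern copied verbatim from the cfinput tag in the thread.
const POLICY = /^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$/;

// Assumed alphabet sizes for printable ASCII (punctuation counted without space).
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 32 },
];

// True when the password satisfies the length/digit/lower/upper policy.
function meetsPolicy(pw) {
  return POLICY.test(pw);
}

// Size of the smallest alphabet that covers every character class in use.
function alphabetSize(pw) {
  return CLASSES.reduce((n, c) => n + (c.re.test(pw) ? c.size : 0), 0);
}

// Upper bound, in bits, for exhaustive character-by-character search:
// length * log2(alphabet). It does not model dictionary-based guessing.
function searchSpaceBits(pw) {
  const a = alphabetSize(pw);
  return a === 0 ? 0 : pw.length * Math.log2(a);
}

// One row per password: policy verdict, alphabet and estimated bits.
function report(passwords) {
  return passwords.map((pw) => ({
    password: pw,
    meetsPolicy: meetsPolicy(pw),
    alphabet: alphabetSize(pw),
    bits: Math.round(searchSpaceBits(pw) * 10) / 10,
  }));
}

// Passwords taken from the thread, plus one constructed sample ("password").
const SAMPLES = ["sliggyfiverbotgar", "^%tgYh", "Leave1234", "password"];
console.table(report(SAMPLES));
```

The long lowercase-only password has the largest exhaustive search space of the samples yet fails the policy, while Leave1234 passes the pattern itself.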

