On Mon, 17 Feb 2003, Abigail wrote:
[...]
> > 1. It must be at least 6 characters
> >
> > 2. It must contain at least one lower case letter [a-z]
> >
> > 3. It must contain at least one upper case letter [A-Z]
> >
> > 4. It must contain at least one number [0-9]
> >
> > 5. Optionally, it can cover for accepted non-alphanumeric chars such as
> > "_", "-" etc (but not "#"), and a maximum password length of 14
> > characters
>
> I'm not going to claim this is the shortest solution, but this
> is very straightforward (and untested):
>
> /^(?=.{6}) # At least 6 characters long.
> (?=.*[a-z]) # Contains a lowercase letter.
> (?=.*[A-Z]) # Contains an uppercase letter.
> (?=.*[0-9]) # Contains a digit.
> (?=.*[-_]) # Contains a dash or an underscore.
> (?!.{15}) # Doesn't contain 15 characters.
> /xs;
>
> It's easy to add more requirements.

At the risk of being thought of as "Not Fun", I want to point out that if
the original request for a regexp was intended for actual implementation,
something like Abigail's is most appropriate. Matt's list of requirements
basically constitutes a policy, and should he ever be *shudder* audited,
Abigail's pattern clearly maps to the policy. The fact that adding more
requirements is easy supports this.
--Jeremy
--
Jeremy Impson
Sr. Associate Network Engineer
Information Security
Lockheed Martin Systems Integration
phone: 607-751-5618
fax: 607-751-6025
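
The audit point above, as an added example that is not from the thread: each numbered requirement becomes one table entry, and a rejected candidate is reported by the clause it violates. Reading requirement 5 as an allow-list of `[A-Za-z0-9_-]` is an assumption (the policy leaves its "etc" undefined), and the `@POLICY` and `failed_clauses` names and the sample candidates are made up for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# One entry per numbered requirement in the quoted policy, so every check
# traces back to a clause: [ clause id, wording, pattern ].
# Assumption: clause 5 is read as an allow-list of [A-Za-z0-9_-].
# \A and \z are used instead of ^ and $ so a trailing newline cannot slip by.
my @POLICY = (
    [ '1',  'at least 6 characters',        qr/\A.{6}/s            ],
    [ '2',  'contains a lowercase letter',  qr/[a-z]/              ],
    [ '3',  'contains an uppercase letter', qr/[A-Z]/              ],
    [ '4',  'contains a digit',             qr/[0-9]/              ],
    [ '5a', 'only accepted characters',     qr/\A[A-Za-z0-9_-]*\z/ ],
    [ '5b', 'at most 14 characters',        qr/\A.{0,14}\z/s       ],
);

# Returns the policy entries a candidate violates; empty list means it passes.
sub failed_clauses {
    my ($candidate) = @_;
    return grep { $candidate !~ $_->[2] } @POLICY;
}

# Constructed sample candidates, not taken from the thread.
my @samples = (
    'Abc123',             # meets every clause
    'abc123',             # no uppercase letter
    'Abc12',              # too short
    'Abc#123',            # '#' is explicitly not accepted
    'Abcdefgh1234567',    # 15 characters
    "Abc123\n",           # trailing newline
);

for my $candidate (@samples) {
    my @failed = failed_clauses($candidate);
    (my $shown = $candidate) =~ s/\n/\\n/g;    # make the newline visible
    printf "%-18s %s\n", $shown,
        @failed
        ? 'FAIL: ' . join('; ', map { "$_->[0] ($_->[1])" } @failed)
        : 'ok';
}
```

Adding a requirement is one more row in `@POLICY`, and the clause ids in the output are what an auditor would check against the written policy.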