« New Job, New Compute... | Main | [ANNOUNCE] Struts... »
20030404 Friday April 04, 2003

How do I implement password rules? Does anyone know of any open source packages or techniques for implementing password rules. For instance, I need to implement the following rules for password in my application: 

Passwords must be made up of at least three (3) of the four (4) following 
classes of characters: Lowercase letters, Uppercase letters, Numbers, Special 
Characters.

I can probably whip up some JavaScript for this, but I'd need server-side code to catch if JavaScript is disabled. I'm guessing this is not possible with regular expressions. Posted in Java at Apr 04 2003, 10:36:31 AM MST 7 Comments

Comments:

Yikes! Please, no client-side password rules. Ever wonder why Struts validator does not enforce validations client-side on password fields? Its a security risk to give your rules away like that - narrows down the search space for hack attempts. But, on the server-side, a custom Validator will do the trick if "mask" will not suffice.

Posted by Erik Hatcher on April 04, 2003 at 11:54 AM MST #

I agree with the security risk, but since passwords will only be able to be set by Administrators (after they've logged in, security is not much of a concern). Also, we'll have to display what the password rules are in order for a person (admin) to comply.

Posted by Matt Raible on April 04, 2003 at 12:22 PM MST #

you could do something like count =0; count += match(/.*[a-z].*[a-z].*[a-z].*/) ? 1 : 0; count += match(/.*[A-Z].*[A-Z].*[A-Z].*/) ? 1 : 0; count += match(/.*[0-9].*[0-9].*[0-9].*/) ? 1 : 0; count += match(/.*[special].*[special.*[special].*/) ? 1 : 0; result = count >= 3; don't know how to combine regexp to do the count?=3 part. Obviously special needs to change.

Posted by Anonymous on April 04, 2003 at 12:35 PM MST #

Why would Struts validator not work? .V

Posted by Vic on April 04, 2003 at 02:00 PM MST # 

boolean foundLower = false;
boolean foundUpper = false;
boolean foundDigit = false;
boolean foundSpecial = false;

for (int i=0;i<string.length();i++)
{
   char ch = string.charAt(i);
   if (Character.isLowerCase(ch))
      foundLower = true;
   if (Character.isUpperCase(ch))
      foundUpper = true;
   if (Character.isDigit(ch))
      foundDigit = true;
   if (isSpecial(ch))
      foundSpecial = true;
 
}

int count = 0;
if (foundLower) count++;
if (foundUpper) count++;
if (foundDigit) count++;
if (foundSpecial) count++;

return (count >= 3);

Posted by Dave on April 04, 2003 at 02:29 PM MST #

If you're going to use real modern (PCRE) regular expressions, use the readable forms. So instead of the regex example already given, use: <code> count =0; count += match(/[[:upper:]]/) ? 1 : 0; count += match(/[[:lower:]]/) ? 1 : 0; count += match(/[[:digit:]]/) ? 1 : 0; count += match(/[[:punct:]]/) ? 1 : 0; result = count >= 3; </code>

Posted by Sheldon Hearn on April 07, 2003 at 04:35 AM MDT #

Ugh, ignore that brainfart... JS regex is only based on PCRE. :-(

Posted by Sheldon Hearn on April 07, 2003 at 04:54 AM MDT #

Post a Comment:
  • HTML Syntax: Allowed
Click me to subscribe
Matt Raible is a Web Architecture Consultant specializing in open source frameworks.
« May 2012
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
  
       
Today

Recent Entries

Tag Cloud

abbie appfuse denver flex grails gwt hibernate jack java jsf linkedin maven myfaces rails roller skiing softwaresummit spring springmvc struts2 tapestry travel vacation webframeworks wicket