Matt RaibleMatt Raible is a Java Champion and Developer Advocate at Okta.

The JHipster Mini-Book The JHipster Mini-Book is a guide to getting started with hip technologies today: Angular, Bootstrap, and Spring Boot. All of these frameworks are wrapped up in an easy-to-use project called JHipster.

This book shows you how to build an app with JHipster, and guides you through the plethora of tools, techniques and options you can use. Furthermore, it explains the UI and API building blocks so you understand the underpinnings of your great application.

For book updates, follow @jhipster-book on Twitter.


Over 10 years ago, I wrote my first blog post. Since then, I've authored books, had kids, traveled the world, found Trish and blogged about it all.

How do I implement password rules?

Does anyone know of any open source packages or techniques for implementing password rules. For instance, I need to implement the following rules for password in my application:

Passwords must be made up of at least three (3) of the four (4) following 
classes of characters: Lowercase letters, Uppercase letters, Numbers, Special 

I can probably whip up some JavaScript for this, but I'd need server-side code to catch if JavaScript is disabled. I'm guessing this is not possible with regular expressions.

Posted in Java at Apr 04 2003, 10:36:31 AM MST 7 Comments

Yikes! Please, no client-side password rules. Ever wonder why Struts validator does not enforce validations client-side on password fields? Its a security risk to give your rules away like that - narrows down the search space for hack attempts. But, on the server-side, a custom Validator will do the trick if "mask" will not suffice.

Posted by Erik Hatcher on April 04, 2003 at 11:54 AM MST #

I agree with the security risk, but since passwords will only be able to be set by Administrators (after they've logged in, security is not much of a concern). Also, we'll have to display what the password rules are in order for a person (admin) to comply.

Posted by Matt Raible on April 04, 2003 at 12:22 PM MST #

you could do something like count =0; count += match(/.*[a-z].*[a-z].*[a-z].*/) ? 1 : 0; count += match(/.*[A-Z].*[A-Z].*[A-Z].*/) ? 1 : 0; count += match(/.*[0-9].*[0-9].*[0-9].*/) ? 1 : 0; count += match(/.*[special].*[special.*[special].*/) ? 1 : 0; result = count >= 3; don't know how to combine regexp to do the count?=3 part. Obviously special needs to change.

Posted by Anonymous on April 04, 2003 at 12:35 PM MST #

Why would Struts validator not work? .V

Posted by Vic on April 04, 2003 at 02:00 PM MST #

boolean foundLower = false;
boolean foundUpper = false;
boolean foundDigit = false;
boolean foundSpecial = false;

for (int i=0;i<string.length();i++)
   char ch = string.charAt(i);
   if (Character.isLowerCase(ch))
      foundLower = true;
   if (Character.isUpperCase(ch))
      foundUpper = true;
   if (Character.isDigit(ch))
      foundDigit = true;
   if (isSpecial(ch))
      foundSpecial = true;

int count = 0;
if (foundLower) count++;
if (foundUpper) count++;
if (foundDigit) count++;
if (foundSpecial) count++;

return (count >= 3);

Posted by Dave on April 04, 2003 at 02:29 PM MST #

If you're going to use real modern (PCRE) regular expressions, use the readable forms. So instead of the regex example already given, use: <code> count =0; count += match(/[[:upper:]]/) ? 1 : 0; count += match(/[[:lower:]]/) ? 1 : 0; count += match(/[[:digit:]]/) ? 1 : 0; count += match(/[[:punct:]]/) ? 1 : 0; result = count >= 3; </code>

Posted by Sheldon Hearn on April 07, 2003 at 04:35 AM MDT #

Ugh, ignore that brainfart... JS regex is only based on PCRE. :-(

Posted by Sheldon Hearn on April 07, 2003 at 04:54 AM MDT #

Post a Comment:
  • HTML Syntax: Allowed