Regex for default AD policy?

 
 
Michael D'Angelo
07-24-2006
I'm not too familiar with writing regexes. Does anyone have a regex handy
that mirrors the default complexity requirements for AD? I know there are a
few additional reasons a password change could fail, but I'm hoping to at
least save the trouble of trying to change the password for some of the
time. (This is for an ASP.NET site using a modified AD MembershipProvider).

The requirements MS describes are:
The password contains characters from at least three of the following five
categories:
- English uppercase characters (A - Z)
- English lowercase characters (a - z)
- Base 10 digits (0 - 9)
- Non-alphanumeric (For example: !, $, #, or %)
- Unicode characters


I could probably write a regex to require any particular one, but I don't
know how to do the "at least three of the following five categories".


 
 
 
 
 
Michael D'Angelo
07-27-2006
Well, I came up with the following, which seems to do it (minus Unicode
characters). I'm not too happy with it given I had to account for all 24
different possible 3-way combinations of the 4 categories.

..*(([a-z]+)([A-Z]+)([0-9]+)|([a-z]+)([0-9]+)([A-Z]+)|([a-z]+)([A-Z]+)([^A-Za-z0-9]+)|([a-z]+)([^A-Za-z0-9]+)([A-Z]+)|([a-z]+)([0-9]+)([^A-Za-z0-9]+)|([a-z]+)([^A-Za-z0-9]+)([0-9]+)|([A-Z]+)([a-z]+)([0-9]+)|([A-Z]+)([0-9]+)([a-z]+)|([A-Z]+)([a-z]+)([^A-Za-z0-9]+)|([A-Z]+)([^A-Za-z0-9]+)([a-z]+)|([A-Z]+)([0-9]+)([^A-Za-z0-9]+)|([A-Z]+)([^A-Za-z0-9]+)([0-9]+)|([0-9]+)([A-Z]+)([a-z]+)|([0-9]+)([a-z]+)([A-Z]+)|([0-9]+)([A-Z]+)([^A-Za-z0-9]+)|([0-9]+)([^A-Za-z0-9]+)([A-Z]+)|([0-9]+)([a-z]+)([^A-Za-z0-9]+)|([0-9]+)([^A-Za-z0-9]+)([a-z]+)|([^A-Za-z0-9]+)([A-Z]+)([0-9]+)|([^A-Za-z0-9]+)([0-9]+)([A-Z]+)|([^A-Za-z0-9]+)([a-z]+)([A-Z]+)|([^A-Za-z0-9]+)([A-Z]+)([a-z]+)|([^A-Za-z0-9]+)([0-9]+)([a-z]+)|([^A-Za-z0-9]+)([a-z]+)([0-9]+)).*

Only thing missing is requiring a minimum length, but I don't see how one
could do that after matching.

"Michael D'Angelo" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'm not too familiar with writing regexes. Does anyone have a regex handy
> that mirrors the default complexity requirements for AD. I know there are
> a few additional reasons a password change could fail, but I'm hoping to
> at least save the trouble of trying to change the password for some of the
> time. (This is for an ASP.NET site using a modified AD
> MembershipProvider).
>
> The requirements MS describes are:
> The password contains characters from at least three of the following five
> categories:
> - English uppercase characters (A - Z)
> - English lowercase characters (a - z)
> - Base 10 digits (0 - 9)
> - Non-alphanumeric (For example: !, $, #, or %)
> - Unicode characters
>
>
> I could probably write a regex to require any particular one, but I don't
> know how to do the "at least three of the following five categories"
>



 
 
 
 
 
Michael D'Angelo
07-28-2006
Here is a much more reasonable one. Found a sample which helped. Matches
each of the 4 possible combinations (instead of 24 permutations) of 3 out of
the 4 categories.

^(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{8,}$


 
 
Michael D'Angelo
07-28-2006

"Michael D'Angelo" <(E-Mail Removed)> wrote in message
news:OS$(E-Mail Removed)...
> Here is a much more reasonable one. Found a sample which helped. Matches
> each of the 4 possible combinations (instead of 24 permutations) of 3 out
> of the 4 categories.
>
> ^(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{8,}$
>
>


Hmmm, this seems to work with the .NET regular expressions, but does not
work with the ones built into IE.


 
 
Joe Kaplan (MVP - ADSI)
07-28-2006
The JavaScript regex implementation probably doesn't support positive
lookahead (?=). That's just a guess. The .NET Regex system is very
powerful by comparison and supports a lot of advanced features such as look
ahead and look behind and atomic grouping.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Michael D'Angelo" <(E-Mail Removed)> wrote in message
news:O54$(E-Mail Removed)...
>
> "Michael D'Angelo" <(E-Mail Removed)> wrote in message
> news:OS$(E-Mail Removed)...
>> Here is a much more reasonable one. Found a sample which helped.
>> Matches each of the 4 possible combinations (instead of 24 permutations)
>> of 3 out of the 4 categories.
>>
>> ^(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{8,}$
>>
>>

>
> Hmmm, this seems to work with the .net regular expressions, but does not
> work with the ones built into IE.
>



 
 
Michael D'Angelo
07-28-2006
After additional searching, turns out that although it does support
lookahead, it doesn't quite work the way it should:
http://regexadvice.com/blogs/mash/ar...10/05/320.aspx

After some more searching I came across this pattern which does the job:
http://www.regexlib.com/REDetails.aspx?regexp_id=887

The only change compared with mine is changing .{8,} at the end to .*, and
adding another lookahead to enforce the length. A clever workaround for the
bug!

Hopefully this saves someone else from the hair-pulling I went through.

"Joe Kaplan (MVP - ADSI)" <(E-Mail Removed)> wrote
in message news:%(E-Mail Removed)...
> The javascript regex implementation probably doesn't support positive
> lookahead (?=). That's just a guess. The .NET Regex system is very
> powerful by comparison and supports a lot of advanced features such as
> look ahead and look behind and atomic grouping.
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services
> Programming"
> http://www.directoryprogramming.net
> --
> "Michael D'Angelo" <(E-Mail Removed)> wrote in message
> news:O54$(E-Mail Removed)...
>>
>> "Michael D'Angelo" <(E-Mail Removed)> wrote in message
>> news:OS$(E-Mail Removed)...
>>> Here is a much more reasonable one. Found a sample which helped.
>>> Matches each of the 4 possible combinations (instead of 24 permutations)
>>> of 3 out of the 4 categories.
>>>
>>> ^(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).{8,}$|^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{8,}$
>>>
>>>

>>
>> Hmmm, this seems to work with the .net regular expressions, but does not
>> work with the ones built into IE.
>>

>
>



 