in reply to New to RegEx... need translation

The problem as stated:

die "weak password" if length($pw) < 8 or not /[A-Z]/ or not /[a-z]/ or not /[0-9]/ or not /[^a-z0-9]/i;

Remaining issue: there are many more weak passwords which this doesn't check. Check that the password isn't in a dictionary (see /usr/dict/words for a start), isn't the same as the username, isn't "xyzzy" or other legendary passwords, and isn't one of the many other commonly guessed or made-up entries.

Root issue: explaining the rules to the user. Don't expect people to remember purely randomized characters that mean nothing. Blindly explaining and requiring a policy of minimum length, mixed-case, digits and punctuation can actually undermine your password policy, because it just forces people to write it on a PostIt™ and stick it under their keyboard. Suggest they START by thinking of a phrase that they'll remember without writing down, and use the initials or the last letters of each word as the password. Then have them insert a digit or a bit of punctuation or a capital letter, as you suggested. Avoid the nonsensical line-noise passwords, because your users will show you how weak a meaningless password can be.

--
[ e d @ h a l l e y . c c ]
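An added example, not code from this thread: a Perl checker that applies the regex rules with the pattern explicitly bound to `$pw`, then adds the username, dictionary and legendary-password checks the post calls for. The two word lists are constructed stand-ins for /usr/dict/words and a guess list; a real deployment would load the full files.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for /usr/dict/words; load the real word list here.
my %DICTIONARY = map { lc($_) => 1 } qw(password correct horse battery staple);

# Constructed stand-in for the "legendary" passwords every guess list contains.
my %LEGENDARY = map { lc($_) => 1 } qw(xyzzy plugh letmein qwerty 12345678);

# Returns the list of reasons the candidate is weak; an empty list means it passed.
# Each test binds the pattern with $pw !~ /.../ ; a bare `not /[A-Z]/` would
# test $_ instead of $pw, which is the bug in the snippet quoted above.
sub weak_password_reasons {
    my ($pw, $username) = @_;
    my @reasons;

    push @reasons, 'shorter than 8 characters' if length($pw) < 8;
    push @reasons, 'no upper-case letter'      if $pw !~ /[A-Z]/;
    push @reasons, 'no lower-case letter'      if $pw !~ /[a-z]/;
    push @reasons, 'no digit'                  if $pw !~ /[0-9]/;
    push @reasons, 'no punctuation'            if $pw !~ /[^a-z0-9]/i;

    my $lc = lc $pw;
    push @reasons, 'same as username'
        if defined $username && $lc eq lc $username;
    push @reasons, 'dictionary word or legendary password'
        if $DICTIONARY{$lc} || $LEGENDARY{$lc};

    # Strip the "insert a digit or punctuation" layer and look the core up
    # again: "Password1!" is still just "password" to a guesser.
    (my $core = $lc) =~ s/[^a-z]//g;
    push @reasons, 'decorated dictionary or legendary word'
        if $core ne $lc && length($core) && ($DICTIONARY{$core} || $LEGENDARY{$core});

    return @reasons;
}

# Constructed candidates: the last one is built from the initials of a phrase,
# as the post recommends, and is the only one that passes.
for my $case (['alice', 'alice'], ['Password1!', 'alice'],
              ['Xyzzy42!', 'bob'], ['WtpotUS,iot2', 'carol']) {
    my ($pw, $user) = @$case;
    my @why = weak_password_reasons($pw, $user);
    printf "%-14s %s\n", $pw, @why ? 'weak: ' . join(', ', @why) : 'accepted';
}
```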

Re: Re: New to RegEx... need translation
by halley (Prior) on Apr 17, 2003 at 19:44 UTC
    die "weak password" if length($pw) < 8 or $pw !~ /[A-Z]/ or $pw !~ /[a-z]/ or $pw !~ /[0-9]/ or $pw !~ /[^a-z0-9]/i;
    *cough* Ahem...

    --
    [ e d @ h a l l e y . c c ]

      *ehm* don't want to start a "perl gulf war", but one could have considered:
      $_ = $pw_candidate; die "weak password" if length < 8 and !/[A-Z]/ ...
      Murat