You can, but why? I assume you're vetting potential passwords. Password policies have a way of changing (usually to add new restrictions). Your code will be more maintainable if you have one regex per restriction. Then, when the higher-ups add "passwords can't contain repeated patterns", changing the code will be easier.

An excellent point, dws, and one I will impliment. And good guess on the need/purpose...
_____________________________________________________
mojobozo
word (wûrd)
interj. Slang. Used to express approval or an affirmative response to
something. Sometimes used with up. Source

First off, reading through perlre would be a good idea. It will introduce you to the regex world. Can someone help me with pointing to the excellent regex tutorial that is lying around on this site somewhere? I looked at Tutorials and was disappointed to not see it listed there... Anyhow, looking at perlre teach you a lot, so I suggest you start there. :)

Once you have searched through the documentation a little bit, you should post some attempts at doing this yourself. Try just putting one restriction per regex. If you do this, I'm certain we will help you improve upon it if possible. Good luck :)

If the above content is missing any vital points or you feel that any of the information is misleading, incorrect or irrelevant, please feel free to downvote the post. At the same time, please reply to this node or /msg me to inform me as to what is wrong with the post, so that I may update the node to the best of my ability.

The problem as stated:

die "weak password"
    if length($pw) < 8 or
       not /[A-Z]/ or
       not /[a-z]/ or
       not /[0-9]/ or
       not /[^a-z0-9]/i;
[download]

Remaining issue: there are many more weak passwords which this doesn't check. Check that the password isn't in a dictionary (see /usr/dict/words for a start), isn't the same as the username, isn't "xyzzy" or other legendary passwords, and many other commonly guessed or made-up entries.

Root issue: explaining the rules to the user. Don't expect people to remember purely randomized characters that mean nothing. Blindly explaining and requiring a policy of minimum length, mixed-case, digits and punctuation can actually undermine your password policy, because it just forces people to write it on a PostIt™ and stick it under their keyboard. Suggest they START by thinking of a phrase that they'll remember without writing down, and use the initials or the last letters of each word as the password. Then have them insert a digit or a bit of punctuation or a capital letter, as you suggested. Avoid the nonsensical line-noise passwords, because your users will show you how weak a meaningless password can be.

--
[ e d @ h a l l e y . c c ]

die "weak password"
    if length($pw) < 8 or
       $pw !~ /[A-Z]/ or
       $pw !~ /[a-z]/ or
       $pw !~ /[0-9]/ or
       $pw !~ /[^a-z0-9]/i;
[download]

*cough* Ahem...

--
[ e d @ h a l l e y . c c ]

*ehm* don't want to start a "perl gulf war", but one could have considered:

 $_ = $pw_candidate;

 die "weak password" if length < 8 and !/[A-Z]/ ...
[download]

Murat

In several regexps it could be

if (/[A-Z]/ and /[a-z]/ and /[0-9]/ and /[;,.#!\$]/) {
 ...
[download]

if (/(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[;,.#!\$])/) {
 ...
[download]

Update: Another option without using the positive look-aheads would be:

if (not /^[^A-Z]*$|^[^a-z]*$|^[^0-9]*$|^[^;,.#!\$]*$/) { ... [download] If you want to know how did I get to that code: /[A-Z]/ and /[a-z]/ and /[0-9]/ and /[;,.#!\$]/ is the same as ( using (A and B) == not (not A or not B) ) not( !/[A-Z]/ or !/[a-z]/ or !/[0-9]/ or !/[;,.#!\$]/ is the same as not( /^[^A-Z]*$/ or /^[^a-z]*$/ or /^[^0-9]*$/ or /^[^;,.#!\$]*$/) is the same as not( /^[^A-Z]*$|^[^a-z]*$|^[^0-9]*$|^[^;,.#!\$]*$/) [download] You can read the regexp as "the string is either all non-capitals or all non-lowercase leters or non-digits or non-specials".

This is so ugly it's almost beautiful. On the other hand I would use neither in production code. It's better to stick to multiple regexps as dws suggests.

Jenda
Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.
   -- Rick Osborne

Edit by castaway: Closed small tag in signature

Can I check against all the criteria in one RegEx?
Yes, very easily

Regardless of the answer to this, (and more importantly) can someone help me with the creation of the RegEx(s) needed to check the string?
Yes, we can help. Why don't you take a look at Perl RE Quick Start and Perl RE Tutorial. Then you can post some code when you get stuck.

grep

Mynd you, mønk bites Kan be pretti nasti...

Hissss! bad, bad nassty VBsssscript! We hates you, we does!

LAI

__END__

VBScript does have a regexp object. It's pretty weak, but it should be enough for this (not using my one-regexp solutions though ;-)

This is how it could be in VB. VBScript will be almost the same. I'll black this out so that the innocent Perl guys are not affected:

Private Function IsWeak(str As String) As Boolean Dim re As VBScript_RegExp_55.RegExp Set re = New VBScript_RegExp_55.RegExp IsWeak = True re.Pattern = "[a-z]" If Not re.Test(str) Then Exit Function re.Pattern = "[A-Z]" If Not re.Test(str) Then Exit Function re.Pattern = "[0-9]" If Not re.Test(str) Then Exit Function re.Pattern = "[;,.#!\$]" If Not re.Test(str) Then Exit Function IsWeak = False End Function [download]

Bleargh ......o...o.oo......oo.....oo...oooo..o..o.......

Jenda
Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.
   -- Rick Osborne

Edit by castaway: Closed small tag in signature

NO!

NO! Take it away! It burns ussss! Oh, How it burnssss!

Okay, I'll stop now :o)

LAI

__END__