SuperSetUserPassword pattern doesn't match description

Question

SuperSetUserPassword pattern doesn't match description

asafh-lb opened this issue 3 years ago · 7 comments

Valid passwords according to the description get rejected by the pattern.

Answer 1 · 2022-02-19T01:42:22.000Z

Hi, will you please provide your input password? The regex to validate password pattern is like ^(?=.[a-z])(?=.[A-Z])(?=.[@$!%?&\-])[A-Za-z\d@$!%*?&\-]{8,}$

Answer 2 · 2022-02-19T13:25:56.000Z

Hi, I don't recall what did my original attempt looked like but for now, I see a couple of ways the pattern is different from the description "Minimum of 8 characters, including 1 uppercase letter, 1 lowercase letter, 1 number, and 1 symbol (excluding / @ \" ').": 1. More strict regarding the special characters - (@$!%*?&-_) only and not things like #~<>+ etc 2. Does not actually require a number ("aaaaaaA!" works) From looking at the pattern now, I can only see it being more strict than described in regards to the special character set. I'm not sure what was the reasoning behind blocking some of the special characters, but if that was mostly a way to make the regex simpler I can suggest:

^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[\W_]).{8,}$

To add the requirement of the number, and to make the special character more inclusive (any non-alphanumeric character) Thanks

…

On Sat, Feb 19, 2022 at 3:42 AM AaRon ***@***.***> wrote: Hi, will you please provide your input password? The regex to validate password pattern is like ^(?=.*[a-z])(?=.*[A-Z])(?=.*[@$!%*?&\- *])[A-Za-z\d@$!%*?&\-*]{8,}$ — Reply to this email directly, view it on GitHub <#30 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AUKGQ5ZZK2OCI3HC4OCZGBDU33YQTANCNFSM5HWED6RA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you authored the thread.Message ID: ***@***.*** com>

Answer 3 · 2022-02-21T00:28:05.000Z

Thanks for your suggestion, we may consider to rules below:

password must contain 1 number (0-9)
password must contain 1 uppercase letters
password must contain 1 lowercase letters
password must contain 1 non-alpha numeric number
password is 8-16 characters with no space

and regex is like ^(?=.\d)(?=.[A-Z])(?=.[a-z])(?=.[^\w\d\s:])([^\s]){8,16}$

Answer 4 · 2022-02-24T00:23:04.000Z

new password regex update in official solution, kindly let me know your further feedback

Answer 5 · 2022-02-24T10:11:28.000Z

The markdown formatting altered your regex. What I assume was there:
^(?=.*\d)(?=.*[A-Z])(?=.*[a-z])(?=.*[^\w\d\s:])([^\s]){8,16}$

Looks pretty good with two caveats. For negated character set representing special characters, both underscore and colon are not considered (colon explicitly there, underscore due to \w). They would however be accepted in the general password.
I'm not sure what is the reasoning but if there's none I'd suggest to consider them as special characters and otherwise to state so in the rules' description.

Thank you for help.

Answer 6 · 2022-02-25T15:07:48.000Z

underscore and colon are removed from non-alpha numeric number list with regex ?=.[^\w\d\s:], so password 'Aa12345@', 'Aa12345' are accepted, while 'Aa12345_' and 'Aa12345:' not

Answer 7 · 2022-02-27T09:14:51.000Z

Right, what I meant to say that if those are not considered special characters by design I would note that in the description. "1 non-alpha numeric number excluding colon and underscore"