Regex for password must contain at least eight characters, at least one number and both lower and uppercase letters and special characters
Minimum eight characters, at least one letter and one number:
"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]{8,}$"
Minimum eight characters, at least one letter, one number and one special character:
"^(?=.*[A-Za-z])(?=.*\d)(?=.*[@$!%*#?&])[A-Za-z\d@$!%*#?&]{8,}$"
Minimum eight characters, at least one uppercase letter, one lowercase letter and one number:
"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[a-zA-Z\d]{8,}$"
Minimum eight characters, at least one uppercase letter, one lowercase letter, one number and one special character:
"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$"
Minimum eight and maximum 10 characters, at least one uppercase letter, one lowercase letter, one number and one special character:
"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,10}$"
Password Special Characters
The same list as a string (between double quotes): " !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"
Various operating systems and applications may apply limitations to this set.
A usable regex for checking password complexity (the `\d` escapes are restored, and `[`, `\` and `]` are escaped inside the character classes so the class does not close early):
/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[ !"#$%&'()*+,\-./:;<=>?@\[\\\]^_`{|}~])[A-Za-z\d !"#$%&'()*+,\-./:;<=>?@\[\\\]^_`{|}~]{8,25}$/
Example (the `*` quantifiers inside the lookaheads were lost in extraction and are restored here; the `^` and `$` anchors are added so the `{8,15}` length bound applies to the whole password rather than to any substring of it):
/^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])[a-zA-Z0-9]{8,15}$/
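The following is an added example, not code from the original post: it applies the page's lookahead-based policies (with `\d` restored) and shows concretely why the anchors matter. The `POLICIES` names are my own labels for the five regexes listed above. A side note on where the stripped backslashes come from: in a JavaScript double-quoted string, `"\d"` is just `"d"`, so a regex built from such a string silently loses the digit class, which is the same corruption the page shows.

```javascript
// Added example: the page's password regexes with "\d" restored, plus an
// anchored vs. unanchored comparison. Policy names are my own labels.
const POLICIES = {
  letterAndDigit: /^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]{8,}$/,
  letterDigitSpecial: /^(?=.*[A-Za-z])(?=.*\d)(?=.*[@$!%*#?&])[A-Za-z\d@$!%*#?&]{8,}$/,
  upperLowerDigit: /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[a-zA-Z\d]{8,}$/,
  upperLowerDigitSpecial: /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/,
  upperLowerDigitSpecial8to10: /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,10}$/,
};

// The page's "Example" regex as extracted (no anchors): it succeeds as soon as
// SOME 8-15 character alphanumeric substring exists, so characters outside the
// class and passwords longer than 15 slip through.
const UNANCHORED = /(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])[a-zA-Z0-9]{8,15}/;
// The same regex anchored to the whole input.
const ANCHORED = /^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])[a-zA-Z0-9]{8,15}$/;

// Test one password against one named policy.
function matches(policyName, password) {
  if (!(policyName in POLICIES)) throw new Error(`unknown policy: ${policyName}`);
  return POLICIES[policyName].test(password);
}

// Report which of the listed policies a password satisfies.
function evaluate(password) {
  const result = {};
  for (const [name, re] of Object.entries(POLICIES)) result[name] = re.test(password);
  return result;
}

// Demonstrate the anchoring difference on one input.
function anchoringDemo(password) {
  return { unanchored: UNANCHORED.test(password), anchored: ANCHORED.test(password) };
}

// Example run (constructed sample passwords):
console.log(evaluate('Abcdefg1$'));
console.log(anchoringDemo('Abcdefg1-'));  // '-' is outside the class, yet unanchored accepts it
```

`evaluate` returns an object keyed by policy name, which is convenient for showing a user exactly which rule failed; `anchoringDemo('Abcdefg1-')` returns `{ unanchored: true, anchored: false }`.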
Password length limits
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
Implement Proper Password Strength Controls
A key concern when using passwords for authentication is password strength. A "strong" password policy makes it difficult or even improbable for one to guess the password through either manual or automated means. The following characteristics define a strong password:
- Password Length
  - Minimum length of the passwords should be enforced by the application. Passwords shorter than 8 characters are considered to be weak (NIST SP800-63B).
  - Maximum password length should not be set too low, as it will prevent users from creating passphrases. Typical maximum length is 128 characters. It is important to set a maximum password length to prevent long password Denial of Service attacks.
    - Some password hashes such as Bcrypt truncate the input, so a shorter maximum length may be required, as discussed in the Password Storage Cheat Sheet.
    - When selecting a maximum password length, consider whether the hashing algorithm to be used has any limitations, because some have a maximum password length.
- Do not truncate passwords. Make sure that every character the user types in is actually included in the password.
- Allow usage of all characters including unicode and whitespace. There should be no password composition rules limiting the type of characters permitted.
- Ensure credential rotation when a password leak occurs, or at the time of compromise identification.
- Include a password strength meter to help users create a more complex password and block common and previously breached passwords.
  - The zxcvbn library can be used for this purpose. (Note that this library is no longer maintained.)
  - Pwned Passwords is a service where passwords can be checked against previously breached passwords. You can host it yourself or use the API.
Long password denial of service
By sending a very long password (1,000,000 characters) it is possible to cause a denial of service on the server. This may lead to the website becoming unavailable or unresponsive. Usually this problem is caused by a vulnerable password hashing implementation: when a long password is sent, the password hashing process results in CPU and memory exhaustion.
This vulnerability was detected by sending passwords of various lengths and comparing the measured response times. Consult the report details for more information.
Remediation
The password hashing implementation must be fixed to limit the maximum length of accepted passwords.