Script needed that checks password input for complexity

Hi experts.

I'd like to provide a script to Windows end users (on win 8.1), that they use to set a password (no, not their logon password). The script should be able to revoke passwords that
-are shorter than 9 characters
-don't contain 4 of 4 of the following: ABC,abc,numbers and special chars.

Has anyone seen something like that before?
LVL 59
McKnifeAsked:
Who is Participating?
 
footechConnect With a Mentor Commented:
This isn't at all polished, but I've seen a regex like below for this.
while ($true){(Read-Host "Enter password") -cmatch "^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*\W)(?!.*\s).{9,}$" }

Open in new window


I've also seen the recommendation to check the password for each requirement separately, rather than just using one long regex pattern.  If you did that it would be easier to output a message telling the user what type of character is missing.

Would you want to limit what symbols (special chars) could be used?
0
 
McKnifeAuthor Commented:
Hi footech and thanks for the effort.

I will put this on hold because I gladly found another way using the established password check that is performed by our AD extension Anixis PPE.

Will try it, though and report back soon.
0
 
McKnifeAuthor Commented:
Works as expected!
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
Dan CraciunConnect With a Mentor IT ConsultantCommented:
You can get a little bit more control using this:
"^(?=.*[0..9])(?=.*[a-z])(?=.*[A-Z])(?=.*[~!@#$%^&*]).{9,}$"

\d will match any digit, but from any alphabet. Not usually a problem, but it's a little bit faster and clearer to use [0..9]

\W will match any non word character (that's why you needed to negate the space characters afterwards) and this might cause problems with symbols inputted using ALT+0xxx combos. It's easier if you specify exactly what special characters you allow.

HTH,
Dan
0
 
McKnifeAuthor Commented:
Appreciated.
Since we have found a way, it's not so important any more, so if anybody would like to add code, it would need to be verbose about why the check was negative, as mentioned by footech.
0
 
footechCommented:
\d will match any digit, but from any alphabet
Never heard the part about any alphabet before, and not even sure what that means!  Care to expand a little?
Slight correction, it would have to be [0-9] not [0..9] in a regex pattern.

You're correct, \W can be a bit broad, which is why I asked about limiting the possible symbols.
0
 
Dan CraciunIT ConsultantCommented:
This is what \d will match. See the picture, as I can't input Persian characters in E-E :)
Yeah, sorry about the [..]. I do it all the time, then wonder why it fails :)
\d matches
0
 
footechCommented:
Thanks for explaining.  I hadn't considered that before.  Just a point of curiosity, but do you know if Persian characters are used by anyone anymore?  I know that the numerals 0-9 are of Arabic origin, and I thought that all countries had adopted them, even though I know some oriental countries still use their own numeral characters as well.
0
 
Dan CraciunIT ConsultantCommented:
I don't know anyone who uses anything other than Arabic numerals.

That being said, the regex engine will still look for those characters. Try using \d on 10000 expressions and then [0-9] and there will be a difference.
0
 
McKnifeAuthor Commented:
While these solutions are good, I decided to use code that runs against AD. Inside AD, we already use Anixis PPE, a software that extends windows' password checking capabilities. Now we can do dictionary checks, keyboard pattern checks and everything. To use it, the idea was to utilize passwd.exe against some dummy domain account and only if this succeeds, let the password be used for the script (passwd.exe is a command line password changer utility which cannot be downloaded from its original location anymore - if you want it, comment on this thread and I'll mail it).
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.