Solved

Script needed that checks password input for complexity

Posted on 2014-03-14
10
389 Views
Last Modified: 2014-03-15
Hi experts.

I'd like to provide a script to Windows end users (on win 8.1), that they use to set a password (no, not their logon password). The script should be able to revoke passwords that
-are shorter than 9 characters
-don't contain 4 of 4 of the following: ABC,abc,numbers and special chars.

Has anyone seen something like that before?
0
Comment
Question by:McKnife
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 3
10 Comments
 
LVL 40

Accepted Solution

by:
footech earned 250 total points
ID: 39928808
This isn't at all polished, but I've seen a regex like below for this.
while ($true){(Read-Host "Enter password") -cmatch "^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*\W)(?!.*\s).{9,}$" }

Open in new window


I've also seen the recommendation to check the password for each requirement separately, rather than just using one long regex pattern.  If you did that it would be easier to output a message telling the user what type of character is missing.

Would you want to limit what symbols (special chars) could be used?
0
 
LVL 54

Author Comment

by:McKnife
ID: 39928828
Hi footech and thanks for the effort.

I will put this on hold because I gladly found another way using the established password check that is performed by our AD extension Anixis PPE.

Will try it, though and report back soon.
0
 
LVL 54

Author Comment

by:McKnife
ID: 39928951
Works as expected!
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 35

Assisted Solution

by:Dan Craciun
Dan Craciun earned 250 total points
ID: 39930124
You can get a little bit more control using this:
"^(?=.*[0..9])(?=.*[a-z])(?=.*[A-Z])(?=.*[~!@#$%^&*]).{9,}$"

\d will match any digit, but from any alphabet. Not usually a problem, but it's a little bit faster and clearer to use [0..9]

\W will match any non word character (that's why you needed to negate the space characters afterwards) and this might cause problems with symbols inputted using ALT+0xxx combos. It's easier if you specify exactly what special characters you allow.

HTH,
Dan
0
 
LVL 54

Author Comment

by:McKnife
ID: 39930199
Appreciated.
Since we have found a way, it's not so important any more, so if anybody would like to add code, it would need to be verbose about why the check was negative, as mentioned by footech.
0
 
LVL 40

Expert Comment

by:footech
ID: 39930212
\d will match any digit, but from any alphabet
Never heard the part about any alphabet before, and not even sure what that means!  Care to expand a little?
Slight correction, it would have to be [0-9] not [0..9] in a regex pattern.

You're correct, \W can be a bit broad, which is why I asked about limiting the possible symbols.
0
 
LVL 35

Expert Comment

by:Dan Craciun
ID: 39930220
This is what \d will match. See the picture, as I can't input Persian characters in E-E :)
Yeah, sorry about the [..]. I do it all the time, then wonder why it fails :)
\d matches
0
 
LVL 40

Expert Comment

by:footech
ID: 39930276
Thanks for explaining.  I hadn't considered that before.  Just a point of curiosity, but do you know if Persian characters are used by anyone anymore?  I know that the numerals 0-9 are of Arabic origin, and I thought that all countries had adopted them, even though I know some oriental countries still use their own numeral characters as well.
0
 
LVL 35

Expert Comment

by:Dan Craciun
ID: 39930333
I don't know anyone who uses anything other than Arabic numerals.

That being said, the regex engine will still look for those characters. Try using \d on 10000 expressions and then [0-9] and there will be a difference.
0
 
LVL 54

Author Closing Comment

by:McKnife
ID: 39931325
While these solutions are good, I decided to use code that runs against AD. Inside AD, we already use Anixis PPE, a software that extends windows' password checking capabilities. Now we can do dictionary checks, keyboard pattern checks and everything. To use it, the idea was to utilize passwd.exe against some dummy domain account and only if this succeeds, let the password be used for the script (passwd.exe is a command line password changer utility which cannot be downloaded from its original location anymore - if you want it, comment on this thread and I'll mail it).
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A procedure for exporting installed hotfix details of remote computers using powershell
A quick Powershell script I wrote to find old program installations and check versions of a specific file across the network.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question