Solved

Script needed that checks password input for complexity

Posted on 2014-03-14
Last Modified: 2014-03-15
Hi experts.

I'd like to provide a script to Windows end users (on win 8.1), that they use to set a password (no, not their logon password). The script should be able to revoke passwords that
-are shorter than 9 characters
-don't contain 4 of 4 of the following: ABC,abc,numbers and special chars.

Has anyone seen something like that before?
0
Question by:McKnife
10 Comments
 
LVL 39

Accepted Solution

by:
footech earned 250 total points
ID: 39928808
This isn't at all polished, but I've seen a regex like below for this.
while ($true){(Read-Host "Enter password") -cmatch "^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*\W)(?!.*\s).{9,}$" }


I've also seen the recommendation to check the password for each requirement separately, rather than just using one long regex pattern.  If you did that it would be easier to output a message telling the user what type of character is missing.

Would you want to limit what symbols (special chars) could be used?
0
 
LVL 53

Author Comment

by:McKnife
ID: 39928828
Hi footech and thanks for the effort.

I will put this on hold because I gladly found another way using the established password check that is performed by our AD extension Anixis PPE.

Will try it, though and report back soon.
0
 
LVL 53

Author Comment

by:McKnife
ID: 39928951
Works as expected!
0
 
LVL 34

Assisted Solution

by:Dan Craciun
Dan Craciun earned 250 total points
ID: 39930124
You can get a little bit more control using this:
"^(?=.*[0..9])(?=.*[a-z])(?=.*[A-Z])(?=.*[~!@#$%^&*]).{9,}$"

\d will match any digit, but from any alphabet. Not usually a problem, but it's a little bit faster and clearer to use [0..9]

\W will match any non word character (that's why you needed to negate the space characters afterwards) and this might cause problems with symbols inputted using ALT+0xxx combos. It's easier if you specify exactly what special characters you allow.

HTH,
Dan
0
 
LVL 53

Author Comment

by:McKnife
ID: 39930199
Appreciated.
Since we have found a way, it's not so important any more, so if anybody would like to add code, it would need to be verbose about why the check was negative, as mentioned by footech.
0
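
The per-requirement check footech suggests, written so that the user is told which rule failed, as requested in the comment above. This is an added example, not code posted by anyone in the thread; the function name Test-PasswordComplexity and its parameters are assumptions, and it uses [0-9] and the explicit symbol list from Dan Craciun's pattern rather than \d and \W.

```powershell
# Added example: one test per rule, so every failed rule can be reported.
# Test-PasswordComplexity, $MinLength and $AllowedSpecials are hypothetical names.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Password,
        [int]$MinLength = 9,
        # Explicit symbol set taken from the thread, instead of the broad \W
        [string]$AllowedSpecials = '~!@#$%^&*'
    )
    # Build a character class; Escape() does not cover ']' or '-', so keep those out of the set
    $specialClass = '[' + [regex]::Escape($AllowedSpecials) + ']'
    $failed = @()
    if ($Password.Length -lt $MinLength)    { $failed += "shorter than $MinLength characters" }
    if ($Password -cnotmatch '[A-Z]')       { $failed += 'no uppercase letter (A-Z)' }
    if ($Password -cnotmatch '[a-z]')       { $failed += 'no lowercase letter (a-z)' }
    if ($Password -cnotmatch '[0-9]')       { $failed += 'no digit (0-9)' }
    if ($Password -cnotmatch $specialClass) { $failed += "no special character from $AllowedSpecials" }
    [pscustomobject]@{ IsValid = ($failed.Count -eq 0); Failures = $failed }
}

# Prompt without echoing the input, and repeat until all rules pass
do {
    $secure = Read-Host 'Enter password' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    # The plain-text copy in $plain stays in managed memory; only the BSTR is zeroed
    try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    $result = Test-PasswordComplexity -Password $plain
    $result.Failures | ForEach-Object { Write-Host "Rejected: $_" }
} until ($result.IsValid)
```

The comparisons use -cnotmatch because PowerShell's default -match is case-insensitive and would let [A-Z] match lowercase letters.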
 
LVL 39

Expert Comment

by:footech
ID: 39930212
"\d will match any digit, but from any alphabet"
Never heard the part about any alphabet before, and not even sure what that means!  Care to expand a little?
Slight correction, it would have to be [0-9] not [0..9] in a regex pattern.

You're correct, \W can be a bit broad, which is why I asked about limiting the possible symbols.
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39930220
This is what \d will match. See the picture, as I can't input Persian characters in E-E :)
Yeah, sorry about the [..]. I do it all the time, then wonder why it fails :)
[Image: \d matches]
0
 
LVL 39

Expert Comment

by:footech
ID: 39930276
Thanks for explaining.  I hadn't considered that before.  Just a point of curiosity, but do you know if Persian characters are used by anyone anymore?  I know that the numerals 0-9 are of Arabic origin, and I thought that all countries had adopted them, even though I know some oriental countries still use their own numeral characters as well.
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39930333
I don't know anyone who uses anything other than Arabic numerals.

That being said, the regex engine will still look for those characters. Try using \d on 10000 expressions and then [0-9] and there will be a difference.
0
 
LVL 53

Author Closing Comment

by:McKnife
ID: 39931325
While these solutions are good, I decided to use code that runs against AD. Inside AD, we already use Anixis PPE, a software that extends Windows' password checking capabilities. Now we can do dictionary checks, keyboard pattern checks and everything. To use it, the idea was to utilize passwd.exe against some dummy domain account and only if this succeeds, let the password be used for the script (passwd.exe is a command line password changer utility which cannot be downloaded from its original location anymore - if you want it, comment on this thread and I'll mail it).
0

Question has a verified solution.
