Solved

Script needed that checks password input for complexity

Posted on 2014-03-14
10
381 Views
Last Modified: 2014-03-15
Hi experts.

I'd like to provide a script to Windows end users (on win 8.1), that they use to set a password (no, not their logon password). The script should be able to revoke passwords that
-are shorter than 9 characters
-don't contain 4 of 4 of the following: ABC,abc,numbers and special chars.

Has anyone seen something like that before?
0
Comment
Question by:McKnife
  • 4
  • 3
  • 3
10 Comments
 
LVL 39

Accepted Solution

by:
footech earned 250 total points
ID: 39928808
This isn't at all polished, but I've seen a regex like below for this.
while ($true){(Read-Host "Enter password") -cmatch "^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*\W)(?!.*\s).{9,}$" }

Open in new window


I've also seen the recommendation to check the password for each requirement separately, rather than just using one long regex pattern.  If you did that it would be easier to output a message telling the user what type of character is missing.

Would you want to limit what symbols (special chars) could be used?
0
 
LVL 54

Author Comment

by:McKnife
ID: 39928828
Hi footech and thanks for the effort.

I will put this on hold because I gladly found another way using the established password check that is performed by our AD extension Anixis PPE.

Will try it, though and report back soon.
0
 
LVL 54

Author Comment

by:McKnife
ID: 39928951
Works as expected!
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 
LVL 34

Assisted Solution

by:Dan Craciun
Dan Craciun earned 250 total points
ID: 39930124
You can get a little bit more control using this:
"^(?=.*[0..9])(?=.*[a-z])(?=.*[A-Z])(?=.*[~!@#$%^&*]).{9,}$"

\d will match any digit, but from any alphabet. Not usually a problem, but it's a little bit faster and clearer to use [0..9]

\W will match any non word character (that's why you needed to negate the space characters afterwards) and this might cause problems with symbols inputted using ALT+0xxx combos. It's easier if you specify exactly what special characters you allow.

HTH,
Dan
0
 
LVL 54

Author Comment

by:McKnife
ID: 39930199
Appreciated.
Since we have found a way, it's not so important any more, so if anybody would like to add code, it would need to be verbose about why the check was negative, as mentioned by footech.
0
 
LVL 39

Expert Comment

by:footech
ID: 39930212
\d will match any digit, but from any alphabet
Never heard the part about any alphabet before, and not even sure what that means!  Care to expand a little?
Slight correction, it would have to be [0-9] not [0..9] in a regex pattern.

You're correct, \W can be a bit broad, which is why I asked about limiting the possible symbols.
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39930220
This is what \d will match. See the picture, as I can't input Persian characters in E-E :)
Yeah, sorry about the [..]. I do it all the time, then wonder why it fails :)
\d matches
0
 
LVL 39

Expert Comment

by:footech
ID: 39930276
Thanks for explaining.  I hadn't considered that before.  Just a point of curiosity, but do you know if Persian characters are used by anyone anymore?  I know that the numerals 0-9 are of Arabic origin, and I thought that all countries had adopted them, even though I know some oriental countries still use their own numeral characters as well.
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39930333
I don't know anyone who uses anything other than Arabic numerals.

That being said, the regex engine will still look for those characters. Try using \d on 10000 expressions and then [0-9] and there will be a difference.
0
 
LVL 54

Author Closing Comment

by:McKnife
ID: 39931325
While these solutions are good, I decided to use code that runs against AD. Inside AD, we already use Anixis PPE, a software that extends windows' password checking capabilities. Now we can do dictionary checks, keyboard pattern checks and everything. To use it, the idea was to utilize passwd.exe against some dummy domain account and only if this succeeds, let the password be used for the script (passwd.exe is a command line password changer utility which cannot be downloaded from its original location anymore - if you want it, comment on this thread and I'll mail it).
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

"Migrate" an SMTP relay receive connector to a new server using info from an old server.
A procedure for exporting installed hotfix details of remote computers using powershell
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question