Solved

Script needed that checks password input for complexity

Posted on 2014-03-14
10
378 Views
Last Modified: 2014-03-15
Hi experts.

I'd like to provide a script to Windows end users (on win 8.1), that they use to set a password (no, not their logon password). The script should be able to revoke passwords that
-are shorter than 9 characters
-don't contain 4 of 4 of the following: ABC,abc,numbers and special chars.

Has anyone seen something like that before?
0
Comment
Question by:McKnife
  • 4
  • 3
  • 3
10 Comments
 
LVL 39

Accepted Solution

by:
footech earned 250 total points
ID: 39928808
This isn't at all polished, but I've seen a regex like below for this.
while ($true){(Read-Host "Enter password") -cmatch "^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*\W)(?!.*\s).{9,}$" }

Open in new window


I've also seen the recommendation to check the password for each requirement separately, rather than just using one long regex pattern.  If you did that it would be easier to output a message telling the user what type of character is missing.

Would you want to limit what symbols (special chars) could be used?
0
 
LVL 53

Author Comment

by:McKnife
ID: 39928828
Hi footech and thanks for the effort.

I will put this on hold because I gladly found another way using the established password check that is performed by our AD extension Anixis PPE.

Will try it, though and report back soon.
0
 
LVL 53

Author Comment

by:McKnife
ID: 39928951
Works as expected!
0
 
LVL 34

Assisted Solution

by:Dan Craciun
Dan Craciun earned 250 total points
ID: 39930124
You can get a little bit more control using this:
"^(?=.*[0..9])(?=.*[a-z])(?=.*[A-Z])(?=.*[~!@#$%^&*]).{9,}$"

\d will match any digit, but from any alphabet. Not usually a problem, but it's a little bit faster and clearer to use [0..9]

\W will match any non word character (that's why you needed to negate the space characters afterwards) and this might cause problems with symbols inputted using ALT+0xxx combos. It's easier if you specify exactly what special characters you allow.

HTH,
Dan
0
 
LVL 53

Author Comment

by:McKnife
ID: 39930199
Appreciated.
Since we have found a way, it's not so important any more, so if anybody would like to add code, it would need to be verbose about why the check was negative, as mentioned by footech.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 39

Expert Comment

by:footech
ID: 39930212
\d will match any digit, but from any alphabet
Never heard the part about any alphabet before, and not even sure what that means!  Care to expand a little?
Slight correction, it would have to be [0-9] not [0..9] in a regex pattern.

You're correct, \W can be a bit broad, which is why I asked about limiting the possible symbols.
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39930220
This is what \d will match. See the picture, as I can't input Persian characters in E-E :)
Yeah, sorry about the [..]. I do it all the time, then wonder why it fails :)
\d matches
0
 
LVL 39

Expert Comment

by:footech
ID: 39930276
Thanks for explaining.  I hadn't considered that before.  Just a point of curiosity, but do you know if Persian characters are used by anyone anymore?  I know that the numerals 0-9 are of Arabic origin, and I thought that all countries had adopted them, even though I know some oriental countries still use their own numeral characters as well.
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39930333
I don't know anyone who uses anything other than Arabic numerals.

That being said, the regex engine will still look for those characters. Try using \d on 10000 expressions and then [0-9] and there will be a difference.
0
 
LVL 53

Author Closing Comment

by:McKnife
ID: 39931325
While these solutions are good, I decided to use code that runs against AD. Inside AD, we already use Anixis PPE, a software that extends windows' password checking capabilities. Now we can do dictionary checks, keyboard pattern checks and everything. To use it, the idea was to utilize passwd.exe against some dummy domain account and only if this succeeds, let the password be used for the script (passwd.exe is a command line password changer utility which cannot be downloaded from its original location anymore - if you want it, comment on this thread and I'll mail it).
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

This script checks a path to see if a folder exists. If the folder does exist you will get output "The folder has previously been created. No action taken" If not it will create the folder. Then adds one user modify permission to the folder. It …
In this previous article (https://oddytee.wordpress.com/2016/05/05/provision-new-office-365-user-and-mailbox-from-exchange-hybrid-via-powershell/), we made basic license assignments to users in O365. When I say basic, the method is the simplest way …
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now