using regex for password validation

Mats Wichmann mats at wichmann.us
Wed Dec 23 13:46:36 EST 2020


On 12/23/20 10:03 AM, Sadaka Technology wrote:
> hello guys,
> 
> I have this pattern for password validation (regex):
> 
> I want these rules to be applied:
> 
> Minimum 8 characters.
> The alphabets must be between [a-z]
> At least one alphabet should be of Upper Case [A-Z]
> At least 1 number or digit between [0-9].
> At least 1 character from [ _ or @ or $ ].
> 
> and this pattern:
> 
> passwordpattern = "^(?=.[a-z])(?=.[A-Z])(?=.\d)(?=.[@$])[A-Za-z\d@$!%?&]{8,}.$"
> 
> my only issue is that I want to add the symbol () and symbol(.) in the pattern where only it accepts $ and @, I tried adding generally like [@_$] not working
> 

I'm not going to answer your question, don't have the brainpower at the 
moment to disentangle your regex.

Therein comes the source of the (unasked-for) comment: if looking at a 
regex gives you a headache - and worse, it doesn't work as you hope, you 
probably want to solve a problem another way.

If you're enforcing a password policy (and this isn't a homework 
question, where the rules conveniently don't change over time), I'd 
claim you're better off writing a readable routine that applies the 
policy in such a way that you can accommodate changes to the policy. 
What if someone decides that the non-alnum set can also include a comma 
or other characters? What if there's a different constraint applied to 
the first character of the password?  (both of those are moderately common).

Telling someone the password they tried to propose doesn't meet the 
policy isn't performance sensitive, since it is a human-interactive 
process, so it's okay to be a little slower and a lot clearer (that's 
not even a Python issue!)

If you're going to stick with a regex, run the completed regex through 
one of the online validators, and paste its analysis (they usually give 
you a breakdown of what each piece means) as a comment, so some future 
programmer has a hope...
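The readable routine suggested in the reply above could look like the sketch below; it is an added example, not code from the original post or thread. The names `PasswordPolicy`, `violations` and `first_char_allowed` are hypothetical. It assumes the "[a-z]" rule means at least one lowercase letter and that characters outside letters, digits and the special set are rejected.

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Policy knobs live here, so a rule change is a data change."""
    min_length: int = 8
    specials: str = "_@$"         # rule from the post; widen with "," or "." if policy changes
    first_char_allowed: str = ""  # hypothetical knob; empty means no first-character rule

    def violations(self, password: str) -> list:
        """Return every broken rule; an empty list means the candidate passes.

        Messages never echo the candidate, so they are safe to log or display.
        """
        problems = []
        if len(password) < self.min_length:
            problems.append(f"must be at least {self.min_length} characters long")
        if not any(c in string.ascii_lowercase for c in password):
            problems.append("must contain at least one lowercase letter a-z")
        if not any(c in string.ascii_uppercase for c in password):
            problems.append("must contain at least one uppercase letter A-Z")
        if not any(c in string.digits for c in password):
            problems.append("must contain at least one digit 0-9")
        if not any(c in self.specials for c in password):
            problems.append(f"must contain at least one of: {' '.join(self.specials)}")
        # Assumption: anything outside letters, digits and the specials is rejected.
        allowed = set(string.ascii_letters + string.digits + self.specials)
        if set(password) - allowed:
            problems.append("contains a character outside the allowed set")
        # A set is used so an empty password fails this rule instead of matching "".
        if self.first_char_allowed and password[:1] not in set(self.first_char_allowed):
            problems.append("first character is not allowed by policy")
        return problems


if __name__ == "__main__":
    current = PasswordPolicy()
    widened = PasswordPolicy(specials="_@$.,", first_char_allowed=string.ascii_letters)
    for candidate in ("Passw0rd_x", "Passw0rd.", "9assW0rd_", "short"):  # constructed samples
        print(repr(candidate), current.violations(candidate), widened.violations(candidate))
```

Returning all violations at once lets the user fix the candidate in one pass, and each rule can be unit-tested on its own.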




