using regex for password validation

Chris Angelico rosuav at gmail.com
Wed Dec 23 18:25:27 EST 2020


On Thu, Dec 24, 2020 at 9:42 AM dn via Python-list
<python-list at python.org> wrote:
> Hang-on though, look at how much 'work' is involved, compared with a
> single line of RegEx! Why go to such bother? There's several reasons.

Good question! Look at this alternative:

def validate_password(attempt):
    return len(attempt) >= 11

Wow! So much easier. Only one function needed AND it's more secure!

> A frequent call is to increase the minimum-length of passwords. How
> could we do this? Using RegEx, adjust the counter - but which part is
> the 'counter'?

In my example here, it's pretty easy to find!

> If our ambitions include dreams of 'world domination', then we can
> extend exactly the same idea of "rule" to the other three routines!
> Whilst we 'start' with (say) the ASCII character definitions of a-z, we
> will *be able* to extend into accented characters such as "ô"  - which
> really would promote us to take a rôle on the world-stage.
> (hah!)

Wow! It wins on that too! And even better - it counts Cyrillic letters
as letters, it counts Greek letters as letters, and it counts Arabic
letters as letters too! Isn't it so much easier than a regex?

> If we're going to be nice to our users, from where do we express these
> "rules"? If the rule is hard-coded, then the user-advice must also be
> hard-coded - and what do we say about having 'the same code' in multiple
> locations? (see also "DRY principle"). How could one state "the rules"
> *once*, and in such a fashion that they can be used for UX output and a
> RegEx?

Very very good point. I think "Passwords must be at least eleven
characters long" is a problem, because you would need to *manually*
translate the number "11" into the word "eleven". So the best way
would be to use "Passwords must be at least {minlength} characters
long" and then you know that it's going to correlate.

> Second UX-consideration (and it's a 'biggie'!): if a password 'fails',
> how can we take the 'result' from a large and complex RegEx, and explain
> to the user which [multiple] of the five requirements was/were not met?
> A failure in the RegEx above tells the system not to proceed, but
> doesn't tell the user if a letter is missing, a digit, ...
>

True, very true. Once again, a win for simplicity: with only one rule,
it's easy to know which one you ran up against.

ChrisA
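Worked example, added here and not code from either poster: the "state the rules once" idea from the quoted message, written as a table of rules that drives both the user-facing advice and the check. The minimum length lives in one place, the validator reports every rule that failed instead of a bare yes/no, and str.isalpha() makes Cyrillic, Greek and Arabic letters count as letters, as the reply above points out. MIN_LENGTH, the Rule class and the three sample rules are assumptions for illustration; the length-only policy argued for above is just the first row of the table.

```python
"""Password rules stated once, used for both the UX text and the check."""
import unicodedata
from dataclasses import dataclass
from typing import Callable, Sequence

# Constructed example policy, not the original poster's code: one table of
# rules drives the advice shown to users *and* the validation, so the two
# cannot drift apart (the DRY point raised in the thread).

MIN_LENGTH = 11  # assumed policy value; the only place it is written


@dataclass(frozen=True)
class Rule:
    name: str                     # short id reported back to the caller
    check: Callable[[str], bool]  # True when the attempt satisfies the rule
    message: str                  # user-facing text; {minlength} is filled in


def normalize(attempt: str) -> str:
    """NFC-normalise so "o" + COMBINING CIRCUMFLEX counts the same as "ô".

    len() counts code points, not what the user sees as characters; NFC
    removes the most common source of that mismatch. (Sequences with no
    precomposed form, e.g. ZWJ emoji, still count as several code points.)
    """
    return unicodedata.normalize("NFC", attempt)


RULES: Sequence[Rule] = (
    Rule("length", lambda s: len(s) >= MIN_LENGTH,
         "be at least {minlength} characters long"),
    # str.isalpha() is Unicode-aware: Cyrillic, Greek, Arabic and accented
    # Latin letters all count, which a [a-zA-Z] regex would reject.
    Rule("letter", lambda s: any(c.isalpha() for c in s),
         "contain at least one letter"),
    Rule("digit", lambda s: any(c.isdigit() for c in s),
         "contain at least one digit"),
)

# The single-rule policy argued for above is just a shorter table.
LENGTH_ONLY: Sequence[Rule] = RULES[:1]


def describe_rules(rules: Sequence[Rule] = RULES) -> list[str]:
    """The UX text, derived from the same table the validator uses."""
    return ["Passwords must " + r.message.format(minlength=MIN_LENGTH)
            for r in rules]


def failed_rules(attempt: str, rules: Sequence[Rule] = RULES) -> list[str]:
    """Names of every rule the attempt violates; empty list means accepted."""
    s = normalize(attempt)
    return [r.name for r in rules if not r.check(s)]


def explain_failure(attempt: str, rules: Sequence[Rule] = RULES) -> list[str]:
    """Per-rule feedback instead of a bare 'invalid password'."""
    s = normalize(attempt)
    return ["Passwords must " + r.message.format(minlength=MIN_LENGTH)
            for r in rules if not r.check(s)]


def validate_password(attempt: str, rules: Sequence[Rule] = RULES) -> bool:
    return not failed_rules(attempt, rules)


if __name__ == "__main__":
    for line in describe_rules():
        print(line)
    for attempt in ("abc", "пароль123456", "ro\u0302le"):
        print(repr(attempt), "->", failed_rules(attempt) or "accepted")
```

The letter and digit rows are there only to show multi-rule reporting; NIST SP 800-63B advises verifiers not to impose such composition rules and to rely on a minimum length plus a check against known-breached passwords instead, which is the one-rule position taken in the reply above. Note also that len() on the normalised string still counts code points: a policy that wants "characters as the user sees them" needs grapheme-cluster segmentation, which the standard library does not provide.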

