using regex for password validation

dn PythonList at DancesWithMice.info
Wed Dec 23 20:54:26 EST 2020 

On 24/12/2020 12:25, Chris Angelico wrote:
> On Thu, Dec 24, 2020 at 9:42 AM dn via Python-list
> <python-list at python.org> wrote:
>> Hang-on though, look at how much 'work' is involved, compared with a
>> single line of RegEx! Why go to such bother? There's several reasons.
> 
> Good question! Look at this alternative:
> 
> def validate_password(attempt):
>      return len(attempt) >= 11
> 
> Wow! So much easier. Only one function needed AND it's more secure!

You and I have discussed such topics before @Chris. However, we both 
know that if the client specifies something (and we can't moderate 
such), we deliver accordingly - per Alfred Lord Tennyson.

What we don't know is the OP's wiggle-room with his/her 'client' - which 
may be zero if the 'client' is an assignment-grade!

However, the discussion 'beyond' the OP's immediate question is very 
necessary!


>> A frequent call is to increase the minimum-length of passwords. How
>> could we do this? Using RegEx, adjust the counter - but which part is
>> the 'counter'?
> 
> In my example here, it's pretty easy to find!

In a 'global definition' block or buried in the code-base?


>> If our ambitions include dreams of 'world domination', then we can
>> extend exactly the same idea of "rule" to the other three routines!
>> Whilst we 'start' with (say) the ASCII character definitions of a-z, we
>> will *be able* to extend into accented characters such as "ô"  - which
>> really would promote us to take a rôle on the world-stage.
>> (hah!)
> 
> Wow! It wins on that too! And even better - it counts Cyrillic letters
> as letters, it counts Greek letters as letters, and it counts Arabic
> letters as letters too! Isn't it so much easier than a regex?

- but wouldn't you agree that

     attempt == "x"*12

is no safer than "xxxx"? So, maybe a length-rule without any other 
consideration is 'weak-beer'?

(speaking of beer, and for the benefit of non-Australians, and people 
everywhere who did learn their abc-s, "xxxx" is how @Chris spells "beer"!)
NB probably not suitable for office-viewing: 
https://www.youtube.com/watch?v=mtwkDGlpWJk - cheers @Chris!

Speaking of Australian humor:-


>> If we're going to be nice to our users, from where do we express these
>> "rules"? If the rule is hard-coded, then the user-advice must also be
>> hard-coded - and what do we say about having 'the same code' in multiple
>> locations? (see also "DRY principle"). How could one state "the rules"
>> *once*, and in such a fashion that they can be used for UX output and a
>> RegEx?
> 
> Very very good point. I think "Passwords must be at least eleven
> characters long" is a problem, because you would need to *manually*
> translate the number "11" into the word "eleven". So the best way
> would be to use "Passwords must be at least {minlength} characters
> long" and then you know that it's going to correlate.

Now you're just being plain mischievous!


>> Second UX-consideration (and its a 'biggie'!): if a password 'fails',
>> how can we take the 'result' from a large and complex RegEx, and explain
>> to the user which [multiple] of the five requirements was/were not met?
>> A failure in the RegEx above tells the system not to proceed, but
>> doesn't tell the user is a letter is missing, a digit, ...
> 
> True, very true. Once again, a win for simplicity: with only one rule,
> it's easy to know which one you ran up against.

The 'one rule' I try to live-by, is not to attempt 'important stuff' in 
which I have insufficient knowledge*. Rather than strain my brain (and 
spend an inordinate amount of time) deciding if/how to authenticate and 
authorise users, and then coding same, I'd rather pass the task to a 
TechSec specialist!

* which *may* make me seem less like Dilbert, and more Wally
https://en.wikipedia.org/wiki/List_of_Dilbert_characters
-- 
Regards =dn

More information about the Python-list mailing list