using regex for password validation

Chris Angelico rosuav at gmail.com
Wed Dec 23 21:17:25 EST 2020


On Thu, Dec 24, 2020 at 12:56 PM dn via Python-list
<python-list at python.org> wrote:
>
> On 24/12/2020 12:25, Chris Angelico wrote:
> > On Thu, Dec 24, 2020 at 9:42 AM dn via Python-list
> > <python-list at python.org> wrote:
> >> Hang-on though, look at how much 'work' is involved, compared with a
> >> single line of RegEx! Why go to such bother? There are several reasons.
> >
> > Good question! Look at this alternative:
> >
> > def validate_password(attempt):
> >      return len(attempt) >= 11
> >
> > Wow! So much easier. Only one function needed AND it's more secure!
>
> You and I have discussed such topics before @Chris. However, we both
> know that if the client specifies something (and we can't moderate
> such), we deliver accordingly - per Alfred Lord Tennyson.
>
> What we don't know is the OP's wiggle-room with his/her 'client' - which
> may be zero if the 'client' is an assignment-grade!

The OP said:

> I want these rules to be applied:

That means one of two things. Either it's a homework assignment and
s/he is dishonestly pretending that it isn't one, or the OP invented
the rules. There's nothing about "my client asked me to guard with
these exact rules and I want to use a regex so I can have the exact
same validation done by the web browser before it gets sent to the
server". Don't assume justifications that aren't supported by
evidence.

> >> A frequent call is to increase the minimum-length of passwords. How
> >> could we do this? Using RegEx, adjust the counter - but which part is
> >> the 'counter'?
> >
> > In my example here, it's pretty easy to find!
>
> In a 'global definition' block or buried in the code-base?

Either way would work. Either way is easier than digging through a regex.

> >> If our ambitions include dreams of 'world domination', then we can
> >> extend exactly the same idea of "rule" to the other three routines!
> >> Whilst we 'start' with (say) the ASCII character definitions of a-z, we
> >> will *be able* to extend into accented characters such as "ô"  - which
> >> really would promote us to take a rôle on the world-stage.
> >> (hah!)
> >
> > Wow! It wins on that too! And even better - it counts Cyrillic letters
> > as letters, it counts Greek letters as letters, and it counts Arabic
> > letters as letters too! Isn't it so much easier than a regex?
>
> - but wouldn't you agree that
>
>      attempt == "x"*12
>
> is no safer than "xxxx"? So, maybe a length-rule without any other
> consideration is 'weak-beer'?

Would you say that "12345Aa$" is a weak password, despite fitting the
requirements? What if the password is the person's name? What if the
password hint is "the password is 'Sw@rdf1sh'"? It's not our job to
stop the user from creating a weak password - just to encourage the
use of better passwords.

A length rule on its own is sufficient to cover a lot of cases, and no
regex is sufficient to cover all cases.

> (speaking of beer, and for the benefit of non-Australians, and people
> everywhere who did learn their abc-s, "xxxx" is how @Chris spells "beer"!)
> NB probably not suitable for office-viewing:
> https://www.youtube.com/watch?v=mtwkDGlpWJk - cheers @Chris!

Actually I don't, that's a myth :)

ChrisA
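[Editor's note: the following example is added to this archived post and is not code from the thread. It puts the two approaches under discussion side by side: a composition-rule validator written as plain functions, the single-regex equivalent, and the length-only check from Chris's reply. The OP's exact rule set is not on this page, so the rules below (minimum 8 characters, one lowercase, one uppercase, one digit, one non-alphanumeric character) are assumed, chosen so that "12345Aa$" fits them as the post says. The sample passwords are constructed for the demonstration.]

```python
import re

# Assumed rule set (the OP's exact rules are not on this page): at least
# MIN_LENGTH characters, one lowercase letter, one uppercase letter,
# one digit and one non-alphanumeric character.
MIN_LENGTH = 8

# The same rules as one regex, written the way such regexes usually are,
# with ASCII character classes for the letters.  The "{8,}" at the end is
# the 'counter' that has to be found and changed when the minimum grows.
COMPOSITION_RE = re.compile(
    r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$"
)


def validate_regex(attempt: str) -> bool:
    """Composition rules via a single regex (ASCII letters only)."""
    return COMPOSITION_RE.match(attempt) is not None


# The same rules as one small function each.  str.islower()/isupper()
# are Unicode-aware, so "ô", Cyrillic and Greek letters count as letters
# without any change to the rule definitions.
def has_lower(s: str) -> bool:
    return any(c.islower() for c in s)


def has_upper(s: str) -> bool:
    return any(c.isupper() for c in s)


def has_digit(s: str) -> bool:
    return any(c.isdigit() for c in s)


def has_special(s: str) -> bool:
    return any(not c.isalnum() for c in s)


def validate_rules(attempt: str) -> bool:
    """Composition rules via plain functions; the minimum is one named constant."""
    return (
        len(attempt) >= MIN_LENGTH
        and has_lower(attempt)
        and has_upper(attempt)
        and has_digit(attempt)
        and has_special(attempt)
    )


def validate_length(attempt: str, minimum: int = 11) -> bool:
    """The length-only rule from the reply above."""
    return len(attempt) >= minimum


def check_all(attempt: str) -> dict:
    """Run every validator on one candidate so the verdicts can be compared."""
    return {
        "length_only": validate_length(attempt),
        "rules": validate_rules(attempt),
        "regex": validate_regex(attempt),
    }


if __name__ == "__main__":
    # Constructed samples, not from the thread: a weak password that fits
    # every composition rule, a long repeated character, a password whose
    # only lowercase letter is accented, and a Cyrillic one.
    for candidate in ["12345Aa$", "x" * 12, "PASSW0RD$\u00f4", "\u041f\u0430\u0440\u043e\u043b\u044c1!"]:
        print(repr(candidate), check_all(candidate))
```

The accented and Cyrillic samples show the point made about 'world domination': the plain-function version accepts them because it asks Python what a letter is, while the regex rejects them because [a-z] and [A-Z] are ASCII ranges. The first sample shows the other point: "12345Aa$" satisfies both composition validators and is still weak, while the length-only rule rejects it.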
