[Resolved] Assistance with finding a Password Verification Function

TheDefender

Attention all RegExp gurus, I was wondering if any of you out there have a function handy you may have written that can be used to validate a password.

I want to use a similar convention as the folks like Microsoft where a user's password must contain the following:

1 Capital Letter
1 Lower Letter
1 Number
and must be between 6 and 12 characters long.
It can not contain any punctuation or symbols.

While I am humbly awaiting your responses (you all know I am terrible with Regexp), I will be looking through the manual to get an idea of how to go about this, because I am just not sure.

If any of you don't have a function snippet, or don't want to share your snippet, I would appreciate a gentle shove in the right direction as to what php functions I would need to use to build my own function.

I am leaning toward looping through a few preg_match functions, but don't know if this would be the best or most efficient method, since I am not good at all with regexp.

Thanks in advance!

LordShryku

Well, might not be the be all answer you want but I usually sepearte out this type of checking to give more detailed error messages, which you have all the tools you need with very little regexp...

echo checkpass($pass);

function checkpass($password) {
   if(!ctype_alnum($password)) 
      return "Your password can only contain numbers and letters";
   if(strlen($password) < 6 || strlen($password) > 12)
      return "Your password has to be between 6 and 12 characters";
   if(!preg_match("/[0-9]/", $password))
      return "Your password must contain a digit";
   if(!preg_match("/[A-Z]/", $password))
      return "Your password must contain a capital letter";
   if(!preg_match("/[a-z]/", $password))
      return "Your password must contain a lower case letter";

   return "Valid password";
}

I deal with some pretty stupid users though, so I'm just accustomed to getting into detail with my error messages :bemused:

Weedpacket

It would probably be more efficient to do the task in stages. In particular, checking the length before looking at the contents.

Then, trim($password,'A..Za..z0..9') should equal "" if upper/lower letters and digits are the only characters allowed.

After that, if you're talking PHP5, there's strpbrk, which might be usable. If not, then $password should be different from both strtolower($passwer) and strtoupper($password), and finally preg_match('/\d/',$password) should find a match.

I'm certain that it could all be done with a single preg_match(), but I'm almost as certain that it would be ugly and not as intuitive. Let's see:

/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])[a-zA-Z0-9]{6,12}$/

Okay, so maybe not that ugly. Haven't looked at performance.

PS: If you allow only 12-character passwords, and sharply-limited character sets, I don't like it 🙂

drawmack

Wouldn't it be more user friendly to compile all the error messages and then return the entire list?

<?php
echo checkpass($pass); 

function checkpass($password) { 
   $errors = '';
   if(!ctype_alnum($password))  

      $errors .= "Your password can only contain numbers and letters<br />"; 
   if(strlen($password) < 6 || strlen($password) > 12) 
      $errors .= "Your password has to be between 6 and 12 characters<br />"; 
   if(!preg_match("/[0-9]/", $password)) 
      $errors .= "Your password must contain a digit<br />"; 
   if(!preg_match("/[A-Z]/", $password)) 
      $errors .= "Your password must contain a capital letter<br />"; 
   if(!preg_match("/[a-z]/", $password)) 
      $errors .= "Your password must contain a lower case letter<br />"; 

   if($errors == '')
        $errors = 'Valid password';

   return $errors; 
}
?>

This way they can fix all the problems with their password in one try instead of in a bunch of tries.

Of course it may be better yet just to make a generic password error message and return the entire thing on any error.

TheDefender

Thanks drawmack, LS, and Weed. I will actually use portions of what all three of you posted, and test it out to build my function. I appreciate your assistance, as always! As soon as I test it out, and make sure it works for my purposes, I will be back to mark this thread resolved.

TheDefender

Thanks again guys. Works like a charm... I went along the lines of Weed's suggestion, because there is a whole separate page that explains the password requirements that is too much to put into an error message. It just returns a generic "Your password does not meet the criteria" message that is linked to the requirements and criteria page.

Weed, I agree; I am not too fond of the limits, but it's part of the client's requirements for the project, and not mine. I actually talked them into allowing 6 to 20 characters instead of 12, but can't get them to allow some punctuation marks... I will continue to work on them for that, but either way, it's working right now.

Thanks again for all of your help guys. I always appreciate it.

[edited]Oh yeah, the client wanted to make sure it doesn't start with a number too, so I just added a substr() to the check... The final looks like so:

if(!preg_match("/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])[a-zA-Z0-9]{6,20}$/", trim($_POST['SalesRep_Password'])) || is_numeric(trim(substr($_POST['SalesRep_Password'],0,1)))) {