[RESOLVED] Check Password Strength with Regular Expressions

rsmith

Hey all,
I'm needing to run a password that a user picks for their login information through a series of checks that include verifying length, the presence of a Capital letter, a number and a special character. I've checked length before but am having a hard time grasping regular expressions to do the other checking. Can someone give me some examples or help me out? Here is a toned down basic version of my script for checking the password is as follows:

//Get the password submitted
     $password = mysql_real_escape_string($_POST['password']);

//Check the length, if it meets the minimum length, continue checking strength
     if(strlen($password) < 8){
          echo "Password does not meet minimum length of 8 characters";
     }else{
          //regex expressions to check other requirements here
     }

TIA!

NogDog

You could do something like:

<?php

/**
 * @author Charles Reace
 * @copyright 2008
 */
function getPasswordStrength($password, $minLength, $maxLength)
{
   $strength = 0;
   $patterns = array(
      '/[a-z]/',
      '/[A-Z]/',
      '/[0-9]/',
      '/[' . preg_quote('-!@#$&#37;^&*()_=+[{]}') . ']/' // make sure "-" is first
   );
   $length = strlen($password);
   if($length >= $minLength && $length <= $maxLength)
   {
      $strength++;
   }
   else
   {
      return 0;
   }
   foreach($patterns as $regexp)
   {
      if(preg_match($regexp, $password))
      $strength++;
   }
   return $strength;
}

// TEST:
$test = array(
   'abcdabcdabcd',
   '12341234ABCD',
   'abcABC1234',
   'abcABC123!@#',
   'Aa1!',
   'abcABC123!@#abcABC123!@#',
);
echo "<pre>";
foreach($test as $pwd)
{
   echo $pwd . ' - ' . getPasswordStrength($pwd, 8, 16) . "\n";
}
echo "</pre>";
?>

Output:

abcdabcdabcd - 2
12341234ABCD - 3
abcABC1234 - 4
abcABC123!@# - 5
Aa1! - 0
abcABC123!@#abcABC123!@# - 0

laserlight

Incidentally, if you have the extension installed, you can use Cracklib.

rsmith

Thanks all for the help. NogDog, what you wrote works as tested but isn't exactly what I needed. I don't need to generate a score, what I need is to run the password through the array you have in your example and if all the patterns are met, then proceed with my database update, which I already have written. But if I do the foreach() as it is now, it will attempt to update the database each pass through the foreach() as it checks the patterns.

NogDog

Not sure I follow; which foreach are we talking about?

The idea was that you call the function with the supplied password and the min/max lengths. Then check the return value from the function. If it's high enough for your requirements (5 being the highest), then continue processing, else reject it with an error.

PS: Note that the function was quickly thrown together, and probably should include some validation that the value does not include any undesired characters, depending on your requirements. For instance, you may want to ensure that it includes no spaces/tabs/newlines or other non-printing characters.

nrg_alpha

Nog, I am rather curious about this line:

 '/[' . preg_quote('-!@#$&#37;^&*()_=+[{]}') . ']/' // make sure "-" is first

Forgive my ignorance.. but why must the dash character come first?

Cheers

NRG

NogDog

nrg_alpha;10881548 wrote:
Nog, I am rather curious about this line:
 '/[' . preg_quote('-!@#$%^&*()_=+[{]}') . ']/' // make sure "-" is first
Forgive my ignorance.. but why must the dash character come first?

Cheers

NRG

To make sure it's not interpreted as indicating a range of characters, since it is going to be within a set of character class brackets.

nrg_alpha

LOL Duh! as I slap my forehead
That makes sense! see? It pays to ask stupid questions.. I'm so accustomed to seeing ranges as such: a-z, A-Z, 0-9.. but never though of ranges.. as I am seeing a collection of special meta characters (well, not so special now since they are incased in square brackets).

Thanks again Nog.

Cheers,

NRG

rsmith

I got it working. I went ahead and put my processing outside my foreach that checks for the strength. If the strength is at least X then it continues going, if not, generates the error. All is working great. Thanks all!