#!/usr/bin/perl -w

use strict;

while (<DATA>)
{
   chomp;
   print "\n$_\n";

   /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{6,9}$/ ?
      print "valid\n" :
         print "invalid (Input must have at least one lowercase-, " .
              "one uppercase-Char and one Number! (f.i.: \'12Three\')\
+n";

}
__DATA__
1245Za78
1245Za7b8
45a7b8
a78Z
12Three
kMdlOz
6KYX
diImMU1Y
ZNw4uWSht
jDqvSN
qVRR
le2WTQv
us1j3SerC
OZv0LtSJ
9qyscg
LbX7o74
80TeRHq
7YIiXnEV8
e1Yctl9
8iGoc
R87MeDCFz
ziTnlk
cziP
[download]

I wonder who has THE solution which combines shortness and elegance in a tremendous way

You do realise that it is not always possible to reconcile these two aims?

A single "one size fits all" test will not give you the chance of reporting why the password is no good. If this is not a problem, then my best shot looks like:

#! /usr/local/bin/perl -w

use strict;

while( <DATA> ) {
    chomp;
    my $ok = (
            length $_ >= 5
        and length $_ <=8
        and /\d/
        and /[A-Z]/
        and /[a-z]/
    );
    print sprintf('%-12s', $_), ($ok ? 'valid' : 'invalid '), "\n";
}
[download]

I would probably break it up into separate test as shown elsewhere in this thread. You might also want to avoid reinventing the wheel and look at Data::Password::BasicCheck. Also, given that most people never bother to change the password they are given, you should also investigate Crypt::GeneratePassword.

while (<DATA>)
{
    chomp;
    print "\n$_\n";
    if ( length() < 5 ) {
        print "too short\n"
    }
    elsif ( length() > 8 ) {
        print "too long\n"
    }
    elsif ( not /\d/ ) {
        print "need at least one digit\n"
    }
    elsif ( not /[a-z]/ ) {
        print "need at least one lowercase letter\n"
    }
    elsif ( not /[A-Z]/ ) {
        print "need at least one uppercase letter\n"
    }
}
[download]

Abigail

#!/usr/bin/perl -w

# vim: set tabstop=3

use strict;

while (<DATA>)
{
    chomp;
    print "$_ .. ";

    if (m/^((?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9]).*)$
          (??{ ! exists %{{qw! 5 0 6 0 7 0 8 0 !}}->{length($1)} })/x)
    {
        print "valid\n"
    } else {
        print "invalid\n"
    }
}


__DATA__
1245Za78
1245Za7b8
45a7b8
a78Z
12Three
kMdlOz
6KYX
diImMU1Y
ZNw4uWSht
jDqvSN
qVRR
le2WTQv
us1j3SerC
OZv0LtSJ
9qyscg
LbX7o74
80TeRHq
7YIiXnEV8
e1Yctl9
8iGoc
R87MeDCFz
ziTnlk
cziP
[download]

if ( $password eq '12Three' ) {
  warn "ALERT: unimaginative user detected, take evasive action";
}
[download]

sub valid{
  local $_ = shift;
  return /\d/ && /[a-z]/ && /[A-Z]/ && /^.{5,8}$/ 
}
[download]

If you require the passwords to be at least 5 characters wide, you have decreased the number of possible passwords by approx. 63**4 (almost 16 million), i.e. all paswords with 4 or less characters of the range a-z A-Z 0-9 and "empty".

Requiring at least one lower case character further reduces the password-space by 59% (37/63, i.e. none of A-Z 0-9 and "empty" are allowed in that position), id. for the required upper case character, and asking for at least one number finally lowers the total number of possible passwords by another 84% (53/63 - none of a-z A-Z and empty are allowed). In total the combination of these three conditions shrinks the number of allowed passwords to about one third of what was possible without these restrictions.

My calculations may be a bit off as I did not take into acount the position of the restricted characters, but by and large it will be OK.

The only good password is therefore one which is randomly generated.

"The only good password is therefore one which is randomly generated."

Such passwords are extremely hard to guess, but there's a weakness: Giving out random passwords is just asking for people to write those hard-to-remember passwords down on Post-it(TM) notes. If someone sneaks into the office and finds a few written down passwords, the need to guess is eliminated completely.

All too true, but you don't even need to look at your co-workers Post-It™ notes. Internet Explorer will remember your passwords for you! (and allow anyone in)

CountZero

"If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

Contrary to what many people believe, putting such (arbitrary) conditions on the format of passwords actually makes it easier to crack them.


I suppose technically you are reducing the keyspace an attacker would need to attack the gain all passwords. The goal of something like this though isn't to try and make individual passwords harder to crack, but to limit the amount of passwords and attacker can gain easily (He's not going to try the entire keyspace regardless, it's to big). You want to limit the effectiveness of dictionary attackers, where an attacker can gain 80% of your password list in half an hour because all your users use common words as their passwords.

Yes I understand that, but the artificial --IMHO-- restrictions do not guarantee that common words are excluded as probably most users will still use a common word, capitalize the first character and add a number at the end; or use their birthday or anything equally silly.

CountZero

"If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

From perlre

In addition, Perl defines the following: \w Match a "word" character (alphanumeric plus "_")

Well, isn't \w also locale aware?
Example: (Germany)


% perl -e 'use locale; $_=q{äöü}; print qq{Locale aware!\n} if /^\w+$/
+;'
[download]

Results in:
Locale aware!

Thus, \w is bad when you really mean /[A-Za-z0-9]/. On the other hand, using the latter character class instead of \w is usually more of a problem for most applications. The best example is, I daresay, entering my last name in some form on the web that does this: Müller ;-)

Steffen

I think it is also Unicode aware in 5.8+ so that introduces all sorts of variation - if Unicode is supported, \w usually refers to all alphanumberics - in fact you might see \w start to die out and things like unicode properties appear

$word = m/([\p{Letter}\p{Number}]+)/;
[download]

I think that is correct...

I know that in Java's regex package, \w == \A-Za-z0-9_\ only

I got most of this info from Friedl's Mastering Regular Expressions - if you dont own it - buy it and read it from chapters 1-7 - it is truely excellent, a standout book.

+++++++++++++++++
#!/usr/bin/perl
use warnings;use strict;use brain;

/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{5,8}$/
[download]