REGEX for password validation

Question

• min 3 letters
• max 15
• characters A-Za-z0-9
• special charaters @#$%^&+=

This is what I have:

Regex.IsMatch(Password.Text, @"^[A-Za-z0-9@#$%^&+=]{3,15}$ ")

It always returns false.

Please help.

Answer 1

As mentioned, this is a very very bad idea. The much better approach would be to test the password strength of the entered password and set a score passwords have to beat.

There are algorithms to compute the strength of passwords. The following is taken from the Delphi Encryption Compendium by Hagen Reddmann (an thus in Pascal, but i guess this can be translated easily)

function PassphraseQuality(const Password: String): Extended; 
// returns computed Quality in range 0.0 to 1.0 
// source extracted from Delphi Encryption Compendium, DEC 

  function Entropy(P: PByteArray; L: Integer): Extended; 
  var 
    Freq: Extended; 
    I: Integer; 
    Accu: array[Byte] of LongWord; 
  begin 
    Result := 0.0; 
    if L <= 0 then Exit; 
    FillChar(Accu, SizeOf(Accu), 0); 
    for I := 0 to L-1 do Inc(Accu[P[I]]); 
    for I := 0 to 255 do 
      if Accu[I] <> 0 then 
      begin 
        Freq := Accu[I] / L; 
        Result := Result - Freq * (Ln(Freq) / Ln(2)); 
      end; 
  end; 

  function Differency: Extended; 
  var 
    S: String; 
    L,I: Integer; 
  begin 
    Result := 0.0; 
    L := Length(Password); 
    if L <= 1 then Exit; 
    SetLength(S, L-1); 
    for I := 2 to L do 
      Byte(S[I-1]) := Byte(Password[I-1]) - Byte(Password[I]); 
    Result := Entropy(Pointer(S), Length(S)); 
  end; 

  function KeyDiff: Extended; 
  const 
    Table = '^1234567890ß´qwertzuiopü+asdfghjklöä#<yxcvbnm,.-°!"§$%&/()=?`QWERTZUIOPÜ*ASDFGHJKLÖÄ''>YXCVBNM;:_'; 
  var 
    S: String; 
    L,I,J: Integer; 
  begin 
    Result := 0.0; 
    L := Length(Password); 
    if L <= 1 then Exit; 
    S := Password; 
    UniqueString(S); 
    for I := 1 to L do 
    begin 
      J := Pos(S[I], Table); 
      if J > 0 then S[I] := Char(J); 
    end; 
    for I := 2 to L do 
      Byte(S[I-1]) := Byte(S[I-1]) - Byte(S[I]); 
    Result := Entropy(Pointer(S), L-1); 
  end; 

const 
  GoodLength = 10.0; // good length of Passphrases 
var 
  L: Extended; 
begin 
  Result := Entropy(Pointer(Password), Length(Password)); 
  if Result <> 0 then 
  begin 
    Result := Result * (Ln(Length(Password)) / Ln(GoodLength)); 
    L := KeyDiff + Differency; 
    if L <> 0 then L := L / 64; 
    Result := Result * L; 
    if Result < 0 then Result := -Result; 
    if Result > 1 then Result := 1; 
  end; 
end;

Answer 2

Why on earth do you want to restrict possible passwords?!?

• Why forbid french and german characters (unicode in general)?
• Why limit passwords to 15 chars? A lot of people use whole passphrases.
• Why limit the special characters? Why do you rule out . and :?

Answer 3

Take out the space at the end of the regular expression string. Also: corrected probable typos.

Regex.IsMatch(Password.Text, @"^[A-Za-z0-9@#$%^&+=]{3,15}$")