
Creating a REGEX password validator to force N out of X options be met.

UnboundID KevinL

The built-in password validators allow very flexible configuration of password policies and can meet most requirements out of the box.

 

Password requirements such as a specific number of upper- or lower-case characters, or at least one upper-case, one lower-case or one special character, can be met by the standard character-based password validator.

 

In some cases, though, you may want to require that the password satisfies a minimum number of these options rather than just one of them or all of them.

 

This is where the REGEX password validator provides the equivalent of a Swiss Army knife for password validation: whatever you can express in a regular expression can be used to accept or reject the password.

 

Example: require 3 of 4 character classes (special character, uppercase, number, lowercase).

 

In this case the REGEX must check that any three of these options are satisfied. This becomes an OR between the four possible combinations of three of these requirements.

 

The REGEX expression for this requirement is:

 

^(?:(?!.*[<>])(?:(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])|
(?=.*[~!\[@#$%^&*()_,|`\]\{+=?.\}\\\/<>-])(?=.*[a-z])(?=.*[0-9])|
(?=.*[~!\[@#$%^&*()_,|`\]\{+=?.\}\\\/<>-])(?=.*[a-z])(?=.*[A-Z])|
(?=.*[~!\[@#$%^&*()_,|`\]\{+=?.\}\\\/<>-])(?=.*[0-9])(?=.*[A-Z]))).*$

** Lines have been wrapped for display purposes only.
** You should review the list of special characters that you want to allow in passwords and adjust as required.

 

To most people this looks like a foreign language, and it does require some knowledge of how to write REGEX to understand the specifics. This is where the website https://regex101.com/ becomes a very useful tool when creating these expressions: it helps you define the individual sections of the expression and test them as you build the pattern out, and it also offers good guidance on how to write REGEX.

 

The above pattern breaks down into sections that you can test individually:

 

^(?:(?!.*[<>])(?:
Opens the expression. The negative lookahead (?!.*[<>]) rejects any password containing < or > outright (even though those two characters also appear in the special-character class used below), and the group that follows accepts a password that matches any one of the alternatives listed next.

(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])|
Match 1 lower, 1 upper and 1 number

(?=.*[~!\[@#$%^&*()_,|`\]\{+=?.\}\\\/<>-])(?=.*[a-z])(?=.*[0-9])|
Match 1 special, 1 lower and 1 number

(?=.*[~!\[@#$%^&*()_,|`\]\{+=?.\}\\\/<>-])(?=.*[a-z])(?=.*[A-Z])|
Match 1 special, 1 lower and 1 upper
 
(?=.*[~!\[@#$%^&*()_,|`\]\{+=?.\}\\\/<>-])(?=.*[0-9])(?=.*[A-Z])
Match 1 special, 1 number and 1 upper

)).*$
Closes out the expression. The trailing .*$ simply consumes the rest of the password once the lookaheads have passed, so the pattern itself imposes no minimum length; length is left to other validators.

 

To add the above configuration to the data store you would run the following command:

 

dsconfig create-password-validator \
--validator-name 3of4NumLowUpperSpecial \
--type regular-expression \
--set enabled:true \
--set 'match-pattern:^(?:(?!.*[<>])(?:(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])|
(?=.*[~!\[@#$%^&*()_,|`\]\{+=?.\}\\\/<>-])(?=.*[a-z])(?=.*[0-9])|
(?=.*[~!\[@#$%^&*()_,|`\]\{+=?.\}\\\/<>-])(?=.*[a-z])(?=.*[A-Z])|
(?=.*[~!\[@#$%^&*()_,|`\]\{+=?.\}\\\/<>-])(?=.*[0-9])(?=.*[A-Z]))).*$' \
--set match-behavior:require-match

** Note the REGEX expression has been wrapped for display purposes only. 
This portion of the command must all be together on one line.


Once you have configured this in the server, be sure to write a simple test plan that exercises passwords meeting each of the criteria you have specified (and ideally a few that should be rejected).