Good Regular Expression to Enforce Password Complexity in ASP.NET Applications

In Anil John's latest post, he mentions a good regular expression to enforce password complexity in your applications:

^.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$

The regular expression enforces the following rules:

  • Must be at least 10 characters
  • Must contain at least one lower case letter, one upper case letter, one digit and one special character
  • Valid special characters (which are configurable) are: @#$%^&+=
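
The same rules split into one check per lookahead, so a rejected password can be told which rule it failed. This is an added C# example, not code from Anil John's post or from this blog; the class name, rule labels and sample passwords are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

static class PasswordPolicyDemo
{
    // Combined pattern exactly as quoted in the post.
    static readonly Regex Combined = new Regex(
        @"^.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$");

    // Each lookahead as its own rule, so a rejection can name what is missing.
    // In .NET, \d also matches non-ASCII Unicode digits unless
    // RegexOptions.ECMAScript is set.
    static readonly (string Name, Regex Test)[] Rules =
    {
        ("at least 10 characters", new Regex(@"^.{10,}")),
        ("a digit",                new Regex(@"\d")),
        ("a lower case letter",    new Regex(@"[a-z]")),
        ("an upper case letter",   new Regex(@"[A-Z])),
        ("a special character",    new Regex(@"[@#$%^&+=]")),
    };

    static List<string> FailedRules(string password)
    {
        var failed = new List<string>();
        foreach (var rule in Rules)
            if (!rule.Test.IsMatch(password))
                failed.Add(rule.Name);
        return failed;
    }

    static void Main()
    {
        // Constructed sample passwords, not taken from the post.
        string[] samples =
            { "Summer#2004", "Summer2004", "Summer!2004", "Sh0rt#pw", "alllowercase#1" };
        foreach (string pw in samples)
        {
            List<string> failed = FailedRules(pw);
            bool ok = Combined.IsMatch(pw);
            // The per-rule checks must agree with the single combined pattern.
            if (ok != (failed.Count == 0))
                throw new InvalidOperationException("rule split disagrees for " + pw);
            Console.WriteLine("{0,-16} {1}", pw,
                ok ? "accepted" : "rejected, missing: " + string.Join(", ", failed));
        }
    }
}
```

"Summer!2004" is rejected because `!` is not in the configured special-character set; the pattern only requires one character from that set and places no restriction on which other characters appear.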

Good stuff, Anil!

I am a firm believer in good logon security, password complexity and hashing, logging IP addresses, thresholds for attempted logons, and regular dormant account reviews.

posted on Saturday, September 25, 2004 6:16 PM
