Password must meet complexity requirements regex - Windows policy
In this blog post, I discuss the 'Password must meet complexity requirements' policy, what it means and a regex to test it. I also describe how you can still set a password which does not meet the complexity requirements.
Where is this policy?
This policy can be accessed by running secpol.msc > Account Policies > Password Policy:
What does this policy do?
If you open the policy, the explain text describes what this policy does:
There are a couple of things to watch out for with this explain text:
1. Non-alphabetic characters
The full list from Microsoft is:
~!@#$%^&*_-+=`|(){}[]:;"'<>,.?/
You will notice that £ and € are missing from this list. If you include those characters in your password, they are permitted, but they do not count towards any category for the purposes of "Contain characters from three of the following four categories".
2. Length
The explain text states "Be at least six characters in length", but this is always overridden by another policy, 'Minimum password length':
By default, this is set to 0, which means you can set blank passwords, which clearly don't meet the password complexity requirements of the 'Password must meet complexity requirements' policy. So, if you enable the complexity policy, you should also set the minimum password length to at least six, which matches the explain text "Be at least six characters in length".
RegEx
If you want to check if text matches this password complexity, use the following regex:
^((?=.*[a-z])(?=.*[A-Z])(?=.*\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]))([A-Za-z\d@#$%^&*\-_+=[\]{}<>|\\:',.?/`~"();!]){8,}$
This checks for three of the four categories and includes a list of allowed characters. It also enforces a minimum length of 8 characters. It doesn't check against the username, nor does it allow £ or €. You could allow those characters, but you'd also have to improve the three-out-of-four category check so that it ignores them.
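To make those caveats concrete, here is an added example (not the author's code) that models the policy as the post describes it, runs the post's regex beside it, and shows what happens if £ and € are simply added to the regex's allow-list without fixing the category check. The compare helper, the sample passwords and the ASCII-only treatment of upper/lower case are assumptions of this example.

```python
import re

# Non-alphabetic characters that Microsoft counts as a complexity category
# (the list quoted in the post). Anything else, e.g. £ or €, is permitted
# in the password but does not count towards any category.
SPECIALS = set('~!@#$%^&*_-+=`|(){}[]:;"\'<>,.?/')

# The post's regex, unchanged: three-of-four lookaheads, an allow-list of
# characters, and a minimum length of 8.
AUTHOR_REGEX = re.compile(
    r"""^((?=.*[a-z])(?=.*[A-Z])(?=.*\d)"""
    r"""|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])"""
    r"""|(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z0-9])"""
    r"""|(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]))"""
    r"""([A-Za-z\d@#$%^&*\-_+=[\]{}<>|\\:',.?/`~"();!]){8,}$"""
)

# The relaxation the post warns about: £ and € added to the allow-list only.
# The [^A-Za-z0-9] lookaheads now let £ or € stand in for the special-character
# category, which Windows does not accept.
RELAXED_REGEX = re.compile(AUTHOR_REGEX.pattern.replace(';!]', ';!£€]'))


def category_count(password: str) -> int:
    """Number of the four categories present. Assumption: only ASCII letters
    count as upper/lower case, matching the regex's A-Z / a-z."""
    return sum([
        any('A' <= c <= 'Z' for c in password),
        any('a' <= c <= 'z' for c in password),
        any('0' <= c <= '9' for c in password),
        any(c in SPECIALS for c in password),
    ])


def meets_policy(password: str, minimum_length: int = 6) -> bool:
    """Policy as the post describes it: three of four categories, with length
    governed by the separate 'Minimum password length' setting (Windows
    default 0; 6 here matches the explain text)."""
    return len(password) >= minimum_length and category_count(password) >= 3


def compare(password: str, minimum_length: int = 6) -> tuple:
    """(policy model, post's regex, relaxed regex) for one candidate."""
    return (
        meets_policy(password, minimum_length),
        AUTHOR_REGEX.match(password) is not None,
        RELAXED_REGEX.match(password) is not None,
    )


if __name__ == "__main__":
    # Constructed sample passwords exercising the edge cases in the post.
    for pw in ["Passw0rd", "Pass1!", "Pass£word1", "passWORD£"]:
        print(f"{pw!r:14} policy/regex/relaxed = {compare(pw)}")
```

"passWORD£" is the telling case: Windows counts only two categories, the post's regex rejects it because £ is not in the allow-list, but the relaxed regex accepts it because £ satisfied the special-character lookahead.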