Password must meet complexity requirements regex - Windows policy

In this blog post, I discuss the 'Password must meet complexity requirements' policy: what it means, and a regex to test it. I also describe how you can still set a password that does not meet the complexity requirements.

Where is this policy?

This policy can be accessed by running secpol.msc > Account Policies > Password Policy:
Screenshot of Password must meet complexity requirements policy

What does this policy do?

If you open the policy, the explain text describes what this policy does:
Screenshot of Password must meet complexity requirements policy explain text


There are a couple of things to watch out for with this explain text:

1. Non-alphabetic characters

The full list from Microsoft is:

~!@#$%^&*_-+=`|(){}[]:;"'<>,.?/

You will notice that £ and € are missing from this list. If you include those characters in your password, they are permitted, but they do not count towards a category with regard to "Contain characters from three of the following four categories".

2. Length

The explain text states "Be at least six characters in length" but this is always overridden by another policy 'Minimum password length':
Screenshot of Minimum password length policy

By default, this is set to 0, which means you can set blank passwords, which clearly don't meet the requirements of the 'Password must meet complexity requirements' policy. So, if you enable the complexity policy, you should also set the minimum password length to at least six, which matches the explain text "Be at least six characters in length".

RegEx

If you want to check if text matches this password complexity, use the following regex:

^((?=.*[a-z])(?=.*[A-Z])(?=.*\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]))([A-Za-z\d@#$%^&*\-_+=[\]{}<>|\\:',.?/`~"();!]){8,}$

This checks for three of the four categories and includes a list of allowed characters. It also enforces a minimum length of 8 characters. It doesn't check against the username, nor does it allow £ or €. You could allow those characters, but you'd also have to improve the three-out-of-four category check so that it ignores them.
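The following Python is an added example, not code from the original post: it applies the page's regex unchanged and, beside it, a small model of the effective Windows check (complexity policy plus the separate 'Minimum password length'), so the two can be compared on constructed sample passwords. The letter categories are modelled as A-Z and a-z to match the regex, and the account-name rule is an assumption (case-insensitive substring test for names of three or more characters).

```python
import re

# The page's regex, copied unchanged: three of four categories, allowed-character list, length >= 8.
PAGE_REGEX = re.compile(
    r"^((?=.*[a-z])(?=.*[A-Z])(?=.*\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])"
    r"|(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]))"
    r"([A-Za-z\d@#$%^&*\-_+=[\]{}<>|\\:',.?/`~\"();!]){8,}$"
)

# Microsoft's list of non-alphabetic characters that count as a category (as given on the page).
NON_ALPHABETIC = set("~!@#$%^&*_-+=`|(){}[]:;\"'<>,.?/")


def category_count(password: str) -> int:
    """Count how many of the four categories the password hits.
    Letter categories are modelled as A-Z / a-z, matching the page's regex.
    Anything outside all four sets (e.g. £ or €) is allowed but counts for nothing."""
    return sum([
        any("A" <= c <= "Z" for c in password),
        any("a" <= c <= "z" for c in password),
        any("0" <= c <= "9" for c in password),
        any(c in NON_ALPHABETIC for c in password),
    ])


def windows_accepts(password: str, min_length: int = 0, account_name: str = "") -> bool:
    """Model the effective check with 'Password must meet complexity requirements' enabled.

    min_length mirrors the separate 'Minimum password length' policy (default 0).
    account_name models the explain text's rule that the password may not contain the
    account name; assumption: case-insensitive substring test for names of 3+ characters.
    A blank password is accepted when min_length is 0, as the page observes."""
    if len(password) < min_length:
        return False
    if password == "":
        return True
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    return category_count(password) >= 3


def regex_accepts(password: str) -> bool:
    """Apply the page's regex so its verdict can be compared with the policy model."""
    return PAGE_REGEX.match(password) is not None


if __name__ == "__main__":
    # Constructed sample passwords; "Pass1!" shows the regex's 8-character floor
    # differing from the explain text's six.
    for pw in ["", "Passw0rd", "Password£", "Pass1!"]:
        print(f"{pw!r:12} categories={category_count(pw)} "
              f"windows(min=0)={windows_accepts(pw)} windows(min=6)={windows_accepts(pw, 6)} "
              f"regex={regex_accepts(pw)}")
```

Running it shows the two disagreements the text describes: a blank password passes the policy model at minimum length 0 but never the regex, and a six-character password with four categories passes the policy but fails the regex's 8-character floor.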
