Please never "validate" passwords with a regex; requirements like having a "special" character weaken the password space (as rules on password formation are added, fewer passwords are available, making passwords easier to guess as there are fewer to go through).
Looking at lists of common passwords (like this), very few go beyond 10 characters. So the best way to get a user to choose a secure password that they haven't used elsewhere? Make the minimum length longer than 10 characters (12 to 16 currently seem like good choices).
Even better, actually calculate the entropy of the password and require a minimum entropy for the password to be valid:
How To Correctly Validate Passwords – Most Websites Do It Wrong
Lane Wagner ・ Oct 17 '20 ・ 3 min read
Thanks for your great reply Nathan 😎. From all the great replies, for me the bottom line is that we are not safer with these rules, and as web developers we have to adapt to newer strategies such as measuring the entropy of a string rather than staying with regex.
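The length-plus-entropy check discussed in this thread, as an added example that is not code from the comments or from the linked article. The function names, the 60-bit threshold and the three-entry denylist are assumptions made for illustration; the pool-based figure is an upper bound for human-chosen passwords, which is why a common-password lookup sits beside it.

```javascript
// Added example: pool-based entropy estimate for a password policy check.
// Thresholds and the tiny denylist are constructed assumptions.
const MIN_LENGTH = 12;        // the thread suggests 12 to 16
const MIN_ENTROPY_BITS = 60;  // assumed threshold, tune for your threat model
const COMMON = new Set(["password1234", "qwertyuiop12", "letmein12345"]); // constructed sample

// Size of the alphabet the password appears to draw from.
function poolSize(chars) {
  let size = 0;
  if (chars.some(c => /[a-z]/.test(c))) size += 26;
  if (chars.some(c => /[A-Z]/.test(c))) size += 26;
  if (chars.some(c => /[0-9]/.test(c))) size += 10;
  // 33 printable ASCII symbols, space included.
  if (chars.some(c => /[\x20-\x2f\x3a-\x40\x5b-\x60\x7b-\x7e]/.test(c))) size += 33;
  // Non-ASCII: count only the distinct characters actually seen.
  size += new Set(chars.filter(c => c.codePointAt(0) > 0x7e)).size;
  return size;
}

// Count a run of one repeated character ("aaaaaaaa") at most twice.
function effectiveLength(chars) {
  return chars.filter((c, i) => i < 2 || c !== chars[i - 1] || c !== chars[i - 2]).length;
}

// bits = effective length * log2(alphabet size)
function estimateEntropyBits(password) {
  const chars = Array.from(password.normalize("NFKC"));
  const pool = poolSize(chars);
  return pool === 0 ? 0 : effectiveLength(chars) * Math.log2(pool);
}

function checkPassword(password) {
  const bits = estimateEntropyBits(password);
  const reasons = [];
  if (Array.from(password).length < MIN_LENGTH) reasons.push("too short");
  if (COMMON.has(password.toLowerCase())) reasons.push("common password");
  if (bits < MIN_ENTROPY_BITS) reasons.push("entropy too low");
  return { ok: reasons.length === 0, bits: Math.round(bits), reasons };
}
```

`Passw0rd!` satisfies a typical "upper, lower, digit, special" regex yet fails here on both length and entropy, while a long all-lowercase passphrase passes.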