Help with password complexity regex

Problem description

I'm using the following regex to validate password complexity:

/^.*(?=.{6,12})(?=.*[0-9]{2})(?=.*[A-Z]{2})(?=.*[a-z]{2}).*$/

In a nutshell: 2 lowercase, 2 uppercase, 2 numbers, min length is 6 and max length is 12.

It works perfectly, except for the maximum length, when I'm using a minimum length as well.

For example:

/^.*(?=.{6,})(?=.*[0-9]{2})(?=.*[A-Z]{2})(?=.*[a-z]{2}).*$/

This correctly requires a minimum length of 6!

This:

/^.*(?=.{,12})(?=.*[0-9]{2})(?=.*[A-Z]{2})(?=.*[a-z]{2}).*$/

Correctly requires a maximum length of 12.

However, when I pair them together as in the first example, it just doesn't work!!

What gives? Thanks!

Recommended answer

You want:

/^(?=.{6,12}$)...

What you're doing is saying: find me any sequence of characters that is followed by:

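  • 6-12 characters
  • another sequence of characters that is followed by 2 digits
  • another sequence of characters that is followed by 2 uppercase letters
  • another sequence of characters that is followed by 2 lowercase letters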

And all that is followed by yet another sequence of characters. That's why the maximum length isn't working because 30 characters followed by 00AAaa and another 30 characters will pass.

Also what you're doing is forcing two numbers together. To be less stringent than that but requiring at least two numbers anywhere in the string:

/^(?=.{6,12}$)(?=(.*?\d){2})(?=(.*?[A-Z]){2})(?=(.*?[a-z]){2})/

Lastly you'll note that I'm using non-greedy expressions (.*?). That will avoid a lot of backtracking and for this kind of validation is what you should generally use. The difference between:

(.*\d){2}

(.*?\d){2}

Is that the first will grab all the characters with .* and then look for a digit. It won't find one because it will be at the end of the string so it will backtrack one character and then look for a digit. If it's not a digit it will keep backtracking until it finds one. After it does it will match that whole expression a second time, which will trigger even more backtracking.

That's what's meant by greedy wildcards.

The second version will pass on zero characters to .*? and look for a digit. If it's not a digit .*? will grab another character and then look for a digit and so on. Particularly on long search strings this can be orders of magnitude faster. On a short password it almost certainly won't make a difference but it's a good habit to get into of knowing how the regex matcher works and writing the best regex you can.

That being said, this is probably an example of being too clever for your own good. If a password is rejected as not satisfying those conditions, how do you determine which one failed in order to give feedback to the user about what to fix? A programmatic solution is, in practice, probably preferable.
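
An added example, not part of the original answer, of the programmatic check the answer recommends, written in JavaScript: it reports which rule failed and runs the question's and the answer's patterns over constructed sample strings. The names `RULES`, `checkPassword` and `compare` are hypothetical.

```javascript
// Added example, not code from the original post.
// Policy values come from the question: length 6-12, at least two digits,
// two uppercase and two lowercase letters anywhere in the string.
const countMatches = (s, re) => (s.match(re) || []).length;

const RULES = [
  { id: "length", hint: "use 6 to 12 characters",
    ok: (pw) => pw.length >= 6 && pw.length <= 12 },
  { id: "digits", hint: "include at least 2 digits",
    ok: (pw) => countMatches(pw, /[0-9]/g) >= 2 },
  { id: "upper", hint: "include at least 2 uppercase letters",
    ok: (pw) => countMatches(pw, /[A-Z]/g) >= 2 },
  { id: "lower", hint: "include at least 2 lowercase letters",
    ok: (pw) => countMatches(pw, /[a-z]/g) >= 2 },
];

// Returns every rule that failed, so the caller can tell the user what to fix.
function checkPassword(pw) {
  const failed = RULES.filter((rule) => !rule.ok(pw));
  return {
    valid: failed.length === 0,
    failed: failed.map((rule) => rule.id),
    hints: failed.map((rule) => rule.hint),
  };
}

// The two patterns from the page, kept verbatim for comparison.
const QUESTION_RE = /^.*(?=.{6,12})(?=.*[0-9]{2})(?=.*[A-Z]{2})(?=.*[a-z]{2}).*$/;
const ANSWER_RE = /^(?=.{6,12}$)(?=(.*?\d){2})(?=(.*?[A-Z]){2})(?=(.*?[a-z]){2})/;

function compare(pw) {
  return {
    question: QUESTION_RE.test(pw),
    answer: ANSWER_RE.test(pw),
    failed: checkPassword(pw).failed,
  };
}

// Constructed sample inputs; the second is the answer's over-long case.
const SAMPLES = [
  "a1B2cD",
  "x".repeat(30) + "00AAaa" + "y".repeat(30),
  "abcdef12",
  "Ab1",
];
for (const pw of SAMPLES) {
  console.log(pw.length, JSON.stringify(compare(pw)));
}
```

The first sample is rejected by the question's pattern only because its digits are not adjacent, and the second is accepted by it despite being 66 characters long.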
