2

I have tried to write a regular expression for passwords:

public class ApplicationUser : IdentityUser, ITimeStamps
{
    public const string PasswordRegularExpression = @"admin|password";
    // public const string PasswordRegularExpression = @"/admin|password/i"; // Tried this too
    // public const string PasswordRegularExpression = @"/(admin|password)/i"; // Tried this too

This is over and above the normal Microsoft identity stuff:

manager.PasswordValidator = new PasswordValidator
{
     RequiredLength = 6,
     RequireNonLetterOrDigit = false,
     RequireDigit = true,
     RequireLowercase = false,
     RequireUppercase = false,
};

Here's my Register view model:

public class RegisterViewModel
{
    [Required]
    [StringLength(100, ErrorMessage = "The {0} must be at least {2} characters long.", MinimumLength = 6)]
    [DataType(DataType.Password)]
    [Display(Name = "Password")]
    [RegularExpression( ApplicationUser.PasswordRegularExpression, ErrorMessage = "The {0} must contain atleast 1 number and must not contain the word 'admin' or 'password'" )] 
    public string Password { get; set; }

    [DataType(DataType.Password)]
    [Display(Name = "Confirm password")]
    [Compare("Password", ErrorMessage = "The password and confirmation password do not match.")]
    public string ConfirmPassword { get; set; }
}

I want to throw an error in jQuery validation when someone uses "password" or "admin" inside their password. However, the jQuery validation does not seem to be working as expected. What might I be missing?

The generated HTML from ASP.NET looks like this:

<input class="form-control input-validation-error" data-val="true" data-val-length="The Password must be at least 6 characters long." data-val-length-max="100" data-val-length-min="6" data-val-regex="The Password must contain atleast 1 number and must not contain the word 'admin' or 'password'" data-val-regex-pattern="admin|password" data-val-required="The Password field is required." id="Password" name="Password" placeholder="Enter a password" type="password">

Test cases:

  • I've added brackets, it still does not work as expected. I type in password and it actually does not fail! I then put 1 more character (doesn't matter what it is) and then it fails... and now I remove part of the word "password" so for example 'pasrd21234' and the error is still there!

Side notes:

Sparky
Jimmyt1988
  • You appear to be part-way towards *requiring* the password to include "admin" or "password" (you just need brackets around it to make it valid); you should probably investigate negating a regex. – Adrian Wragg May 18 '15 at 15:37
  • I've added brackets, it still does not work as expected. I type in password and it actually does not fail! I then put 1 more character (doesn't matter what it is) and then it fails... and now I remove part of the word "password" so for example pasrd21234 and the error is still there! – Jimmyt1988 May 18 '15 at 15:41
  • It may be worthwhile putting those test cases into the question itself - you've only said in the main text that it's "not working as expected" without saying how it is working. – Adrian Wragg May 18 '15 at 15:42
  • My question really isn't anything like the suggested question... – Jimmyt1988 May 18 '15 at 15:47
  • It's a "possible" duplicate; you are trying to validate that your text doesn't contain certain words. You've posted links to a couple of regex tools; do they allow short links to be created directly to the settings you're using (e.g. https://regex101.com/r/cO1iA5)? – Adrian Wragg May 18 '15 at 15:52
  • The problem is very specific to ASP.NET Razor and jQuery Validate. This is where the problem seems to be. Also, if I remove the brackets on your link, it works exactly the same as without. – Jimmyt1988 May 18 '15 at 15:53
  • 2
    The attribute `data-val-regex-pattern` within .net validation requires the field to match the given regex. If your regex is going to work, you need one that succeeds if your text doesn't contain "password" or "admin" - `admin|password` is a regex that requires one or the other. – Adrian Wragg May 18 '15 at 16:03

1 Answer

3

Based upon the answer at Regular expression to match a line that doesn't contain a word?, the following regular expression should match any password except if it contains "admin" or "password":

^((?!(admin|password)).)*$

I've created a fiddle for this on Regex101 for testing prior to adding this into your application.

Community
Adrian Wragg
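The behaviour in the question's test cases follows from the full-match rule applied to `data-val-regex-pattern`: a value passes only when the match starts at index 0 and covers the whole string. The sketch below is an added example, not code from the question, the answer, or the jQuery/ASP.NET sources; it models that rule, runs the question's and the answer's patterns over constructed inputs, and goes one step further with a hypothetical helper `denyWordsPattern` that makes the deny-list case-insensitive without relying on an `/i` flag, which the attribute cannot carry.

```javascript
// Added example: models the full-match rule applied to data-val-regex-pattern.
// A value is valid only if the first match starts at index 0 and spans the
// whole string (the same rule RegularExpressionAttribute enforces server-side).
function fullMatch(pattern, value) {
  const m = new RegExp(pattern).exec(value);
  return m !== null && m.index === 0 && m[0].length === value.length;
}

// Pattern from the question and pattern from the answer.
const QUESTION_PATTERN = "admin|password";
const ANSWER_PATTERN = "^((?!(admin|password)).)*$";

// Hypothetical helper: the attribute carries no regex flags, so build a
// case-insensitive deny-list pattern from character classes instead of /i.
function denyWordsPattern(words) {
  const alts = words.map((w) =>
    [...w].map((c) => {
      const lo = c.toLowerCase(), up = c.toUpperCase();
      return lo === up ? c.replace(/[.*+?^${}()|[\]\\]/g, "\\$&") : `[${lo}${up}]`;
    }).join("")
  );
  return `^((?!(${alts.join("|")})).)*$`;
}

// Constructed sample inputs, including the ones described in the question.
const SAMPLES = ["password", "password1", "pasrd21234", "myadmin1", "PassWord1", "ADMIN99"];

// Returns the samples that the given pattern would ACCEPT as valid passwords.
function report(pattern) {
  return SAMPLES.filter((v) => fullMatch(pattern, v));
}

console.log("question pattern accepts: ", report(QUESTION_PATTERN));
console.log("answer pattern accepts:   ", report(ANSWER_PATTERN));
console.log("deny-list pattern accepts:", report(denyWordsPattern(["admin", "password"])));
```

The pattern is emitted into the page for client-side checking, so the same rule has to hold on the server as well; `RegularExpressionAttribute` re-applies it during model validation.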