DEV Community

Discussion on: 3 password REGEX for your next project

Rico Brase

Please note that it's a bad idea to limit the password length.
If a user wants to use a 25 character password, you should let him, since this increases password security.

And there is no need to make the Regex this complicated.
Just allow any character and increase the required amount of characters. This will increase the security way better than enforcing the usage of numbers and special characters.

An example regex would be
/.{12,}/
(any character allowed, at least 12 characters).

Petros Koulianos

Thanks for your reply Rico. I have just updated the password max length limit.
Why do you propose no complex passwords?
My bank wants a complex password but Google doesn't; both companies want security but ask for different things. What is the best approach?

Slavius

The best approach is to pick a password that is hard to guess and at the same time complex enough not to be cracked within the timespan of the following years, after which it will become obsolete (you change it or stop using the service).

Using something obvious and related is really a bad idea to start with (birth dates, favorite things, names, family members, colors, songs, etc.). The best password is totally unrelated to anything known to you from the outside. This prevents password guessing by visiting your social app profiles and trying your dog's name, friends' names, mother's birthdate, the rock band name from your t-shirt picture and similar.

A very good rule of thumb is a sentence that makes visual sense in your head but is composed of random, totally unrelated words.

You cannot protect yourself against passwords that are improperly treated by the remote service, so any small or new service should be considered insecure and you should change passwords regularly. If someone steals an unencrypted or weakly encrypted password directly from the database of that service, there's nothing you can do, and even the strongest password in the world will not help.

You have to take into account that the efficiency and speed of password cracking increases every year (new and more powerful GPUs, ASIC chips, new algorithms, etc.).

If your password stolen from a remote service was properly encrypted and does not suffer from dictionary attack weakness (words included are not 100% included in frequently used dictionaries), then its biggest strength is its complexity.
This can be easily calculated as: entropy size ^ password length
Where entropy size is how many bits there are in each password character. E.g. only lowercase letters produce 26 possible distinct values a-z. If you add UPPERCASE letters, then one character can be 26 + 26. Add digits and it will become 26 + 26 + 10 (a-z + A-Z + 0-9).
Then make this an exponent of the password length - e.g. lower + upper + digits (62) ^ password length (5) = 916,132,832. So there are about 916 million possible combinations of lower, upper and digit characters in a 5 character long password. Depending on the cryptographic algorithm used this can be enough or not. For NTLM encryption (used in Windows systems), by buying 2x NVIDIA GTX 1080 you are able to achieve 44.4 GH/s (giga [billion] hashes per second), so your 5 letter password would be cracked in an instant.
For example, going to 6 characters it would take about 1s, 7 characters 79 seconds, 8 characters 81 minutes, 9 characters 84 hours and 10 characters 218 days.
Of course current RTX 3090 cards are much more effective, so when the attacker has access to expensive equipment, the longer your password is the longer it will take to crack it.
Please also note that:
8 character password consisting of lowercase + UPPERCASE + digits [0-9] + 16 special characters (like *-+/.,!?$#@%^& and similar) has LESS ENTROPY THAN a solely lowercase character password of length 11 characters, because:

(26+26+10+16) ^ 8 = 1,370,114,370,683,136
but:      26 ^ 11 = 3,670,344,486,987,776
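The keyspace and crack-time arithmetic behind the figures above, as an added example (not part of Slavius's comment); the alphabet sizes and the 44.4 GH/s NTLM rate are the values quoted in the comment, and the defender's takeaway is that added length beats added symbol classes:

```python
# Added example: keyspace, entropy bits and worst-case exhaustive-search
# time for the alphabets and hash rate quoted in the comment above.
from math import log2

LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 16   # charset sizes from the comment
NTLM_RATE_2X_GTX1080 = 44.4e9                    # hashes per second, as quoted


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity expressed in bits: length * log2(alphabet_size)."""
    return length * log2(alphabet_size)


def crack_seconds(alphabet_size: int, length: int,
                  rate: float = NTLM_RATE_2X_GTX1080) -> float:
    """Seconds to exhaust the whole keyspace at the given hash rate."""
    return keyspace(alphabet_size, length) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.0f} {unit}"
    return f"{seconds:.1f} seconds"


def compare_policies() -> tuple[int, int, bool]:
    """The comment's punchline: 8 chars over a 78-symbol alphabet versus
    11 lowercase-only chars. Returns (complex8, lower11, lower11_is_bigger)."""
    complex8 = keyspace(LOWER + UPPER + DIGITS + SPECIAL, 8)
    lower11 = keyspace(LOWER, 11)
    return complex8, lower11, lower11 > complex8


if __name__ == "__main__":
    mixed = LOWER + UPPER + DIGITS
    for n in range(5, 11):
        print(f"{n} chars, {mixed}-symbol alphabet: {human(crack_seconds(mixed, n))}")
    print(compare_policies())
```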
Petros Koulianos

Thanks for your reply Slavius 😎 . You were completely understandable 😁😁

Rico Brase

Well. There are different types of attacks.
Others have provided sufficient details, but I feel obliged to answer your questions (I don't want others to do ALL the work. ;-) )

Dictionary attacks:

The attacker has a list of possible words (e.g. from a dictionary of common words, hence the name) like "password", "helloworld", "sugar", or "development", which they will try on a user's account. Complex passwords can provide better security, since the attacker would need "sugar" as well as different varieties (e.g. "5ug4r") of a word in his dictionary. Note that common substitutions (e.g. a 5 for an s, a 4 for an a) might already be included in such dictionary attacks.

"regular" bruteforce:

The attacker generates a possible password (either randomly or following a scheme, e.g. "aaaa", "aaab", "aaac", etc.). Here, a complex password just won't necessarily result in a security increase; it heavily depends on the attack itself. If the attacker tries all lowercase combinations before trying combinations with uppercase letters, numbers and special characters, an all-lowercase password of low length (less than 15 characters) WILL definitely be less secure than a more complex password of the same length.
If the platform hosting the user account RESTRICTS the users from using uppercase letters, numbers and special characters for their passwords, the attacker can remove these combinations from his attack, heavily reducing the amount of guesses (and therefore the needed time) to crack the user's password.


Best practice - User POV

As a user, the best way to handle passwords would be either to

1) Use a password safe and use a unique, randomly generated password with sufficient length (at least 20 characters!) with maximum complexity for each service

or

2) Use a password-less authentication method like WebAuthn.

Best practice - Developer POV

As a developer, you should provide this on your platform for maximum security:

1) Enforce passwords of maximum entropy (complexity AND length).
1a) Since it's unrealistic that users would all conform to User POV 1 (password manager with generated, safe passwords), you should at least enforce LONG passwords. Chaining known words is at least more memorable for the user and will potentially provide more secure passwords due to increased length (using 4-5 words might already result in passwords with at least 20 characters).

2) Provide standardized password-less authentication methods like WebAuthn (usage according to caniuse.com: 86% globally). Using a Public/Private-Key authentication, your users will be better protected against other types of attacks, not mentioned here, e.g. phishing (getting the users passwords by leading your users to a malicious site, designed to look indistinguishable from your site).
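A server-side check that follows the developer advice in this thread, as an added example (not code from the original post): it enforces Rico's 12-character floor from his /.{12,}/ regex, allows any character with no low maximum, and rejects single dictionary words even after the common leet substitutions that attack wordlists already contain. The word list, the substitution map and the 1024-character sanity cap are constructed for the example.

```python
# Added example: length-first password check that also catches "5ug4r"-style
# variants of common words, since attacker dictionaries already include them.
import unicodedata

# Constructed mini wordlist standing in for a real common-password list.
COMMON_WORDS = {"password", "helloworld", "sugar", "development", "letmein"}

# Reverse map of the substitutions dictionary attacks already try (constructed).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})

MIN_LEN = 12    # lower bound from the /.{12,}/ regex earlier in the thread
MAX_LEN = 1024  # sanity cap against huge inputs only; not a policy limit

TOO_SHORT = f"shorter than {MIN_LEN} characters"
TOO_LONG = f"longer than {MAX_LEN} characters"
COMMON = "is a common word, even after undoing leet substitutions"


def normalize(pw: str) -> str:
    """Fold case, unify Unicode forms and undo leet substitutions so that
    'P@$$w0rd' and 'password' compare equal."""
    return unicodedata.normalize("NFKC", pw).casefold().translate(LEET)


def core_word(pw: str) -> str:
    """Strip the trailing digits/punctuation people bolt onto a word
    ('Password123!' -> 'Password') before normalizing."""
    return normalize(pw.rstrip("0123456789!?.,;:#%^&*-_+/=~"))


def check_password(pw: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.
    Any character is allowed: only length and dictionary membership matter."""
    problems = []
    n = len(pw)  # code points, matching what '.' in the regex counts
    if n < MIN_LEN:
        problems.append(TOO_SHORT)
    if n > MAX_LEN:
        problems.append(TOO_LONG)
    if core_word(pw) in COMMON_WORDS:
        problems.append(COMMON)
    return problems


if __name__ == "__main__":
    for candidate in ("5ug4r", "D3v3l0pm3nt!!!!!", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```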