Okay, so I’m writing two computer related articles in a row, but I’ve been meaning to post this for a while now.
Anyway, a few weeks ago, we needed a regular expression for customer passwords. After searching Regular Expression Library, we found one that looked like it would work, and modified it to the following:
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[0-z]{7,12}$
Normally, that would require the password to contain one small letter, one capital letter, one number, and be between 7 and 12 characters, inclusive. So we tested it, and it worked just as expected.
A couple days later, another programmer in our group told us it didn’t work, so we tested it again with perfect results. After arguing with him for about 1 to 2 seconds, we asked if he was using Firefox or Internet Explorer - he was using IE.
After a couple more days of research, I discovered that IE doesn’t necessarily parse lookaheads properly. Here’s what seems to be happening:
- The caret ^ is successfully matched, and because it is a zero-width search, the search position remains at position 0 (before the first character of the password; this is expected behavior)
- The first lookahead (?=.*[a-z]) looks ahead until it finds a lowercase letter. If one is not found, the regular expression fails; however, if one IS found, IE decides to jump straight to the next part of the search that is NOT one of the lookaheads. That is, it checks that the lowercase letter is followed by at least 7 to 12 characters
- If that succeeds, then it does the same thing with the next two lookaheads
- If all the lookaheads succeed, then the final check must pass; that is, the password can only be 7 to 12 characters long
Put simply, a lowercase letter, an uppercase letter, and a number must all appear within the first 5 characters, followed by, at minimum, 7 more characters. So the password would only ever pass with a minimum of 10 characters (e.g. A0a1234567). And even with 10 characters, if one of the 3 lookaheads didn’t match right at the beginning, the entire regular expression would fail (e.g. aBc1234567 would still fail, since one of the numbers doesn’t have 7 more characters after it).
But being the freakin’ genius I am, I finally figured out a solution that worked in IE and Firefox:
(?=^.{7,12}$)(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[0-z]*$
Basically, this checks the length right from the start: if it’s not between 7 and 12 characters, it immediately fails. The other lookaheads now don’t care how many characters follow; they just care that the lowercase letter, uppercase letter, and number appear somewhere in the password at least once. The last part, [0-z], simply makes sure that no weird characters are entered: just letters, numbers, and some limited punctuation.
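As an added example (not code from the original post), the JavaScript below runs both patterns from the post and a lookahead-free version of the same policy over constructed sample passwords, and returns any password on which the three disagree. It also lists the punctuation that the [0-z] range admits; all function and sample names are assumptions made for this example.

```javascript
// Added example. The two patterns are copied from the post; every other name is hypothetical.
const ORIGINAL = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[0-z]{7,12}$/;
const REORDERED = /(?=^.{7,12}$)(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[0-z]*$/;

// The same policy with no lookaheads: one simple test per rule, so the
// result cannot depend on how an engine evaluates (?=...).
function policyFailures(pw) {
  const failures = [];
  if (pw.length < 7 || pw.length > 12) failures.push("length");
  if (!/[a-z]/.test(pw)) failures.push("lowercase");
  if (!/[A-Z]/.test(pw)) failures.push("uppercase");
  if (!/[0-9]/.test(pw)) failures.push("digit");
  if (!/^[0-z]*$/.test(pw)) failures.push("charset");
  return failures;
}

// Punctuation admitted by the [0-z] range (ASCII 0x30 through 0x7A).
function rangePunctuation() {
  let out = "";
  for (let c = 0x30; c <= 0x7a; c++) {
    const ch = String.fromCharCode(c);
    if (!/[0-9A-Za-z]/.test(ch)) out += ch;
  }
  return out;
}

// Constructed sample passwords; the first two are the ones quoted in the post.
const SAMPLES = ["A0a1234567", "aBc1234567", "Abc1234", "abc1234", "Ab1",
                 "Abcdefg1234567", "Abc123!", "Abc123_"];

// Evaluate all three validators and return the samples on which they disagree.
// An empty list means this engine handles both lookahead patterns consistently.
function disagreements(samples) {
  return samples.filter((pw) => {
    const a = ORIGINAL.test(pw);
    const b = REORDERED.test(pw);
    const c = policyFailures(pw).length === 0;
    return a !== b || b !== c;
  });
}

console.log("disagreements:", disagreements(SAMPLES));
console.log("punctuation accepted by [0-z]:", rangePunctuation());
```

Running the same samples in each browser you have to support turns the behaviour described above into a repeatable check, and the lookahead-free function is the one to reuse for server-side validation.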