this post was submitted on 21 Jun 2024
424 points (99.1% liked)

Software Gore


A community for posting software malfunctions

Deliberately bad software or bad design is not software gore, it must be something unintentional

8 points 6 months ago (last edited 6 months ago)

Jesus, what a terrible regex. I love regexes and use them frequently, but you could just, y'know, declare your requirements and then check they're being met using string methods. Min length 8, max length 256, one set/dict/map for each character class, the minimum count for each character class, and then loop over the string and check that your declared requirements are being met. A regex might be faster (if the regex engine isn't being asked to do crazy lookup shit), but why torture yourself? Just parsing the string is also nice because it's readable and makes frontend documentation easier to generate.

Or skip all of this shit and just require longer passwords. My company has mandated 16 character passwords with no character class requirements for years and it's great. Want to use a password manager? You're set. You a big fan of passphrases? correct_horse_battery_staple your way through that shit. A long password + 2FA is all you need for security.

edit: also fuck you apparently if you want to have a ñ or ü or (⁠・⁠o⁠・⁠;⁠) in your password. I'm guessing the database column for this only supports ASCII? Smells like smelly MySQL/MariaDB to me.

edit: well, Unicode might be allowed. I get turned around with all of the groups and references. I guess it also depends on how the regex is being compiled. I know that in Python you can pass a bitwise flag to re.compile to force ASCII.
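A checker in the shape the comment describes (a declared policy plus one pass over the string) next to an equivalent regex compiled with and without `re.ASCII`, as an added example that is not from the comment or from the software in the screenshot; the class predicates, the regex pattern and the sample passwords are constructed for illustration.

```python
import re

# Policy declared as data rather than as one regex. 8/256 are the comment's numbers;
# the predicates use Unicode-aware str methods, so ñ and ü count as letters.
MIN_LEN, MAX_LEN = 8, 256
CHARACTER_CLASSES = {  # name -> (predicate, minimum count)
    "lower": (lambda c: c.isalpha() and c.islower(), 1),
    "upper": (lambda c: c.isalpha() and c.isupper(), 1),
    "digit": (lambda c: c.isdecimal(), 1),
    "symbol": (lambda c: not c.isalnum() and not c.isspace(), 1),
}


def check_password(pw, min_len=MIN_LEN, max_len=MAX_LEN, classes=CHARACTER_CLASSES):
    """Return the list of unmet requirements; an empty list means the password passes.

    Passing classes={} gives the "16 characters, no class rules" policy from the comment.
    """
    problems = []
    n = len(pw)
    if n < min_len:
        problems.append(f"too short ({n} < {min_len})")
    if n > max_len:
        problems.append(f"too long ({n} > {max_len})")
    counts = {name: 0 for name in classes}
    for ch in pw:  # single pass over the string, every class checked per character
        for name, (predicate, _) in classes.items():
            if predicate(ch):
                counts[name] += 1
    for name, (_, minimum) in classes.items():
        if counts[name] < minimum:
            problems.append(f"need at least {minimum} {name}")
    return problems


# The same idea as lookaheads (constructed pattern, not the one in the screenshot):
# one letter, one digit, one symbol, 8 to 256 characters. Under re.ASCII, \w and \d
# shrink to [a-zA-Z0-9_], so a password whose only letters are non-ASCII is rejected.
_PATTERN = r"^(?=.*[^\W\d_])(?=.*\d)(?=.*[^\w\s]).{8,256}$"
ASCII_RE = re.compile(_PATTERN, re.ASCII)
UNICODE_RE = re.compile(_PATTERN)


def regex_accepts(pw, ascii_only):
    """True if the lookahead regex accepts pw, compiled with re.ASCII when ascii_only."""
    return bool((ASCII_RE if ascii_only else UNICODE_RE).fullmatch(pw))
```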