[RAILS] [Ruby] Regular expression for secure password policy setting

1.First of all

The security aspect is something that you should be especially aware of when creating a web application. Passwords must be handled with caution. In this article, I heard that it is useful to use regular expressions when setting password policies, so I considered passwords and regular expressions.

2. What is a regular expression?

Beginners welcome! Introduction to regular expressions that can be learned by hand and eyes, part 1 "Let's search for phone numbers in various formats"

** "Mini language for efficiently searching and replacing character strings by specifying a pattern" **

It seems that. Let's take a look at what regular expressions look like using the website Rubular, which is a regular expression editor for Ruby. For example, there is the following text.

August 30 study time:1 hour
August 31 study time:3 hours
September 1st study time:2 hours
September 2nd study time:4 hours
September 3rd study time:6 hours
September 4th study time:10 hours

Of these, only the numbers for the study time in September are extracted using regular expressions. If you use a regular expression, the string will look like the one below.

^ 9. *: (\ d *) time $

Special characters used in regular expressions such as ^, ., and * are called ** "metacharacters" **. The meaning of metacharacters here will be verified later in Rubular. Enter the text you want to verify in Rubular's "Your test string" and the regular expression in "Your regular expression". Then, the result will be as follows. スクリーンショット 2020-09-23 10.41.33.png The light blue part of "Match result" is the part found by searching. This is the part where "Match groups" was captured. Extract the learning time here. In this way, we will search for strings using regular expressions.

3. Regular expression metacharacters used in this article

I referred to it → List of basic regular expressions

Metacharacters meaning
^ Represents the beginning of a sentence
$ Represents the end of a sentence
[] Create a character class that represents any one character
- []Indicates the range of characters used within
. Represents any single character
? The previous character or pattern appears once or 0 times
* The immediately preceding character or pattern continues 0 or more times. Match the longest part that meets the conditions
*? The immediately preceding character or pattern continues 0 or more times. Match the shortest part that meets the conditions
+ The immediately preceding character or pattern continues at least once. Match the longest part that meets the conditions
() Capture or group internally matched strings
{n,m} The previous character or pattern continues n times or more and m times or less
|Escape metacharacters,\d and\Be part of other metacharacters such as w
\d One half-width number (0123456789))
\w Half-width alphanumeric characters and underscore'_'
(?=x) Represents the "previous position" of x(Positive look-ahead)

4. What kind of password policy should I set?

As computer performance is improving day by day, password decryption (eg brute force attack The speed of% 81% 9F% E3% 82% 8A% E6% 94% BB% E6% 92% 83)) is increasing year by year. As a result, passwords are required to become more complex. Cabinet Cyber Security Center issued on March 31, 2020 "Internet Safety and Security Handbook Ver.4.10" According to P30 of, ** "10 digits or more with uppercase letters + lowercase letters + numbers + symbols mixed" ** is recommended as a policy to improve the security of passwords. Here, we will create a password policy according to the handbook with regular expressions.

5. Regular expression for password policy setting

Here, I would like to consider each regular expression step by step.

** (1) Half-width alphanumeric characters with 10 to 40 digits symbol ** ** (2) Addition of conditions of 1 or more uppercase letters + 1 or more lowercase letters ** ** (3) Addition of conditions with one or more digits ** ** (4) Add condition of 1 digit or more symbol **

Not all patterns are covered, but from the top

・ 9-digit characters ・ 10-digit lowercase letters ・ 10-digit uppercase + lowercase letters ・ 10-digit uppercase letters + lowercase letters + numbers ・ 10-digit uppercase letters + lowercase letters + numbers + symbols ・ 41-digit characters

I will verify with the following text.

Aaaaaaa1?
aaaaaaaaaa
Aaaaaaaaaa
Aaaaaaaaa1
Aaaaaaaa1?
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1?

(1) Half-width alphanumeric characters with 10 to 40 digits symbol

Characters used in regular expressions can be specified using ASCII code. The half-width alphanumeric characters and symbols here are from ! To ~ in the ASCII code table, so they are as follows.

Ruby


^[!-~]{10,40}$

The result was as expected. スクリーンショット 2020-09-23 23.43.47.png

(2) Addition of conditions of 1 or more uppercase letters + 1 or more lowercase letters

It took me a while to understand, but I'll explain it step by step.

** a. Use positive look-ahead (? =) to eliminate the ordering of conditions ** ** b. The character before the condition is any one character . with the shortest match 0 or more consecutive *? ** ** c. Set conditions [A-Z] [a-z] **

Referenced → [Regular expression for password / ^ (? =. *? [Az]) (? =. *? \ D) [az \ d] {8,100} $ / i is deciphered](https: / /qiita.com/momotaro98/items/460c6cac14473765ec14)

Ruby


^(?=.*?[A-Z])(?=.*?[a-z])[!-~]{10,40}$

Succeeded.

スクリーンショット 2020-09-24 0.26.35.png

(3) Addition of conditions for one or more digits

The condition \ d of numbers 0-9 was added to (2).

Ruby


^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?\d)[!-~]{10,40}$

Succeeded.

スクリーンショット 2020-09-24 0.31.15.png

(4) Symbol Add condition of 1 digit or more

I checked the ASCII code and specified the symbol. I escaped \ where the symbols and metacharacters overlap.

Ruby


^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?\d)(?=.*?[!-\/:-@\[-`{-~])[!-~]{10,40}$

Succeeded. Added text for symbol confirmation.

スクリーンショット 2020-09-24 0.49.20.png

6. Summary

Regular expressions were a pain to understand. I will use it in various ways other than setting the password policy.

Recommended Posts

[Ruby] Regular expression for secure password policy setting
Regular expression for password
Ruby regular expression
Ruby: Regular expression summary * Code sample available
Ruby setting 2
[Ruby] Setting values ​​and memorandum for the table
/ Mask delimited user ID / password password with regular expression
Ruby setting 3 Rubocop
Regular expression basics
JS regular expression
Ruby Regular Expression Extracts from a specific string to a string
[Ruby/Rails] How to generate a password in a regular expression