On Thu, Dec 24, 2020 at 12:56 PM dn via Python-list <python-list@python.org> wrote:
>
> On 24/12/2020 12:25, Chris Angelico wrote:
> > On Thu, Dec 24, 2020 at 9:42 AM dn via Python-list
> > <python-list@python.org> wrote:
> >> Hang-on though, look at how much 'work' is involved, compared with a
> >> single line of RegEx! Why go to such bother? There's several reasons.
> >
> > Good question! Look at this alternative:
> >
> > def validate_password(attempt):
> >     return len(attempt) >= 11
> >
> > Wow! So much easier. Only one function needed AND it's more secure!
>
> You and I have discussed such topics before @Chris. However, we both
> know that if the client specifies something (and we can't moderate
> such), we deliver accordingly - per Alfred Lord Tennyson.
>
> What we don't know is the OP's wiggle-room with his/her 'client' - which
> may be zero if the 'client' is an assignment-grade!

The OP said:
> I want these rules to be applied:

That means one of two things. Either it's a homework assignment and
s/he is dishonestly pretending that it isn't one, or the OP invented
the rules. There's nothing about "my client asked me to guard with
these exact rules and I want to use a regex so I can have the exact
same validation done by the web browser before it gets sent to the
server". Don't assume justifications that aren't supported by
evidence.

> >> A frequent call is to increase the minimum-length of passwords. How
> >> could we do this? Using RegEx, adjust the counter - but which part is
> >> the 'counter'?
> >
> > In my example here, it's pretty easy to find!
>
> In a 'global definition' block or buried in the code-base?

Either way would work. Either way is easier than digging through a regex.

> >> If our ambitions include dreams of 'world domination', then we can
> >> extend exactly the same idea of "rule" to the other three routines!
> >> Whilst we 'start' with (say) the ASCII character definitions of a-z, we
> >> will *be able* to extend into accented characters such as "ô" - which
> >> really would promote us to take a rôle on the world-stage.
> >> (hah!)
> >
> > Wow! It wins on that too! And even better - it counts Cyrillic letters
> > as letters, it counts Greek letters as letters, and it counts Arabic
> > letters as letters too! Isn't it so much easier than a regex?
>
> - but wouldn't you agree that
>
> attempt == "x"*12
>
> is no safer than "xxxx"? So, maybe a length-rule without any other
> consideration is 'weak-beer'?

Would you say that "12345Aa$" is a weak password, despite fitting the
requirements? What if the password is the person's name? What if the
password hint is "the password is 'Sw@rdf1sh'"?

It's not our job to stop the user from creating a weak password - just
to encourage the use of better passwords. A length rule on its own is
sufficient to cover a lot of cases, and no regex is sufficient to
cover all cases.

> (speaking of beer, and for the benefit of non-Australians, and people
> everywhere who did learn their abc-s, "xxxx" is how @Chris spells "beer"!)
> NB probably not suitable for office-viewing:
> https://www.youtube.com/watch?v=mtwkDGlpWJk - cheers @Chris!

Actually I don't, that's a myth :)

ChrisA
--
https://mail.python.org/mailman/listinfo/python-list