Can't contain variable in regex

hi all,

I'm going to add to my “np” variable that it can't contain their username, i.e. “un”.

I've tried Regexp('form.un.data', message='cant contain your name')

just as a test and it didn't work.

Can regex do variables even?

from wtforms import Form, StringField, PasswordField
from wtforms.validators import InputRequired, EqualTo, Length, Regexp


class ChangePasswordForm(Form):  # class name assumed; the post shows only the fields
    un = StringField('Username', [InputRequired(message='please enter your Username')])
    op = PasswordField('Current Password', [InputRequired(message='please enter your current password')])
    np = PasswordField('New Password', [InputRequired(message='please enter your new password'),
                                        EqualTo('cnp', message='must match confirm new password'),
                                        Length(min=12),
                                        Regexp('.*[a-z]', message='must contain one lower case'),
                                        Regexp('.*[A-Z]', message='must contain one upper case'),
                                        Regexp('.*[0-9]', message='must contain one number'),
                                        # raw string: the original non-raw string produced invalid escape sequences
                                        Regexp(r'.*[¬!"£$%^&*()_+`\-={}:@~<>?\[\];\'#,./\\|]', message='must contain one special character')])
    cnp = PasswordField('Confirm New Password')

thanks,
rob
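An added example, not code from this thread, showing why the attempt above cannot work and what does. `Regexp('form.un.data')` is a pattern string that is fixed when the class body runs, long before any user has typed a username, and the pattern is then matched literally against the password text. The username is only known at validation time, so the check belongs in a custom validator that receives the form object (WTForms calls any validator with `(form, field)`). The validator name `not_containing_username`, the helper `username_free_pattern` and the stub form objects are mine; the field names `un` and `np` are the ones from the post. It imports WTForms' `ValidationError` and falls back to a stand-in of the same name so the example also runs with WTForms not installed.

```python
import re

try:
    from wtforms.validators import ValidationError
except ImportError:  # assumption: lets the example run without WTForms installed
    class ValidationError(ValueError):
        """Minimal stand-in with the same name as wtforms.validators.ValidationError."""


def not_containing_username(form, field):
    """WTForms-style validator (hypothetical name): reject the value of `field`
    if it contains the text entered in the form's `un` field, case-insensitively.
    Attach it like any other validator on the real form class, e.g.
        np = PasswordField('New Password', [InputRequired(), not_containing_username])
    or define it as a method named validate_np(self, field) on the form.
    """
    username = (form.un.data or "").strip()
    password = field.data or ""
    if username and username.lower() in password.lower():
        raise ValidationError("can't contain your name")


def username_free_pattern(username):
    """If a Regexp validator is still wanted once the username is known, this is
    how a variable goes into a pattern: re.escape it so characters like '.' or
    '+' are matched literally. The negative lookahead makes re.match (which the
    Regexp validator uses) succeed only when the username does NOT appear."""
    return re.compile(r"^(?!.*" + re.escape(username) + r")", re.IGNORECASE)


# Constructed stand-ins for a bound form so the validator can run offline.
class _Field:
    def __init__(self, data):
        self.data = data


class _Form:
    def __init__(self, un, np):
        self.un = _Field(un)
        self.np = _Field(np)


def check_new_password(username, new_password):
    """Run the validator against constructed form data.
    Returns None when the password passes, otherwise the error message."""
    form = _Form(username, new_password)
    try:
        not_containing_username(form, form.np)
    except ValidationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for user, pw in [("rob", "Correct-Horse-Rob-1"), ("rob", "Correct-Horse-Battery-1")]:
        print(user, pw, "->", check_new_password(user, pw) or "ok")
    print(bool(username_free_pattern("rob").match("Rob-1")))  # False: username present
</test>
The substring check is deliberately case-insensitive, since a user who types "Rob" as the username and "rob" in the password has still reused it; the validator also ignores an empty username so a missing `un` value cannot make every password fail.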

Please listen to the advice you have been given. Having such strict requirements on the password is a bad idea. There is a saying “Security at the expense of usability, comes at the expense of security.” If you make your security rule so harsh that it makes users’ lives miserable, they will disregard security to get things done, e.g. write down the password that they can’t possibly remember on a piece of paper and tape it on the monitor. On top of that, I don’t even think the rules you want to enforce improve security per se. Having more requirements just limits the number of possibly valid passwords, thus makes it easier for machines to guess.

Please, reconsider what you’re trying to do.


That, and constantly be asking for password resets. I have heard stories of people who, due to awful password policies, don’t actually even TRY to memorize their passwords; every time they log in, they do a password reset and get a one-time password emailed. In other words, the email IS the password.


Wow, that’s awful. I’m guessing their email isn’t encrypted, either, and of course they receive this “temporary” password (which will remain in place until the next login) in cleartext…

Highly likely. I didn’t ask for details. I mean, there’s nothing inherently wrong with outsourcing your logins to someone else, but you really should do it securely with OAuth, not by relying on a password reset mechanic…