hashview / hashview-old

A web front-end for password cracking and analytics
http://www.hashview.io
GNU General Public License v3.0

Weak Passwords in Analytics #360

Closed gtrdlr closed 6 years ago

gtrdlr commented 6 years ago

I am seeing passwords that DO meet complexity being flagged as 'weak passwords' on the analytics page. This seems to be specifically those containing an 'underscore' (e.g., HelloDolly). I reviewed the regex logic and it does not seem to recognize an 'underscore' as a part of the 'non-word' class. I did some research, which states, "A word character is a character from a-z, A-Z, 0-9, including the (underscore) character." I also verified in my AD instance that an underscore would be counted as a special character (it is). Therefore some additional coding would be required to identify an underscore as part of the 'specials' in the weak password section.

routes/analytics.rb - line 47+ `/^(?:(?=.*[a-z])(?:(?=.*[A-Z])(?=.*[\d\W])|(?=.*\W)(?=.*\d))|(?=.*\W)(?=.*[A-Z])(?=.*\d)).{8,}$/`
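The mismatch described in the issue, reproduced as an added Ruby example (hashview is a Ruby app, but this is not the project's own code): the analytics regex from routes/analytics.rb is run beside a corrected variant that counts `_` as a special character, over a constructed list of cracked passwords.

```ruby
# Added example, not hashview's code. Shows why \W misses '_' in the
# routes/analytics.rb complexity check and how [\W_] fixes it.

# Regex as quoted in the issue: 8+ chars and three of the four classes
# lowercase / uppercase / digit / non-word (\W). In Ruby \W is [^a-zA-Z0-9_],
# so an underscore is a *word* character and never satisfies \W.
ORIGINAL_COMPLEXITY = /^(?:(?=.*[a-z])(?:(?=.*[A-Z])(?=.*[\d\W])|(?=.*\W)(?=.*\d))|(?=.*\W)(?=.*[A-Z])(?=.*\d)).{8,}$/

# Corrected variant: every place the original means "special character"
# uses [\W_] so that '_' counts, matching the AD behaviour the issue reports.
FIXED_COMPLEXITY = /^(?:(?=.*[a-z])(?:(?=.*[A-Z])(?=.*[\d\W_])|(?=.*[\W_])(?=.*\d))|(?=.*[\W_])(?=.*[A-Z])(?=.*\d)).{8,}$/

# A password is "weak" in the analytics sense when it fails the regex.
def weak?(password, regex = FIXED_COMPLEXITY)
  !regex.match?(password)
end

# Return the subset of +cracked+ that +regex+ would flag as weak,
# preserving input order (the analytics page lists them this way).
def weak_passwords(cracked, regex = FIXED_COMPLEXITY)
  cracked.reject { |pw| regex.match?(pw) }
end

# Constructed sample of cracked passwords (not real data).
SAMPLE_CRACKED = %w[Hello_Dolly Hello!Dolly hello_dolly Hello_123 password].freeze

if __FILE__ == $PROGRAM_NAME
  # Hello_Dolly is flagged only by the original regex: its sole special is '_'.
  puts "original flags: #{weak_passwords(SAMPLE_CRACKED, ORIGINAL_COMPLEXITY).inspect}"
  puts "fixed flags:    #{weak_passwords(SAMPLE_CRACKED, FIXED_COMPLEXITY).inspect}"
end
```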