Special characters are forbidden in password

[llaske]

Password are limited to [a-zA-X0-9] for new user. See https://github.com/NikhilM98/sugarizer-school-portal-server/blob/master/helper/regexValidate.js#L8.
This constraint seems inherited from Sugarizer user password but for security reason, it would be nice to authorize a broad range of characters.

[ricknjacky]

Would changing

sugarizer-school-portal-server/helper/regexValidate.js

Line 8 in 1446514

return /^[a-z0-9]+$/i;

to

return /^[ A-Za-z0-9_@./#&+-]*$/ be enough?

[NikhilM98]

@ricknjacky it is the basic requirement to update the regex. However, it would be highly appreciated if you could also improve the current password input mechanism for user registration by implementing a password strength bar on user registration to promote stronger passwords.

[ricknjacky]

@ricknjacky it is the basic requirement to update the regex.

So, Do I procced with making changes to the regex?

However, it would be highly appreciated if you could also improve the current password input mechanism for user registration by implementing a password strength bar on user registration to promote stronger passwords.

Sounds exciting, can I use zxcvbn library for the same? I read the library's documentation blog and I presume this is what the expected outcome is here, am I right?

Please share your thoughts on this.

[NikhilM98]

@ricknjacky you can confirm with @llaske if the regex is strong enough. Also, you need to show users appropriate feedback if they enter invalid characters.

I checked the dropbox/zxcvbn library. It is no longer maintained by dropbox. There is a re-write of the library with some support on zxcvbn-ts/zxcvbn. This library looks preety good for password strength estimation. However, it'll be better if we can find and integrate a library with more stable support in the project.