How to Create a Password Strength Checker in Batch Script
Let's create a standalone Password Strength Checker using Windows Batch Scripting. Within cybersecurity automation, validating user input to ensure it meets complexity requirements is a foundational task. In an enterprise environment, evaluating strings for a mix of uppercase letters, lowercase letters, numbers, and special characters is crucial for maintaining security paradigms.
While tools like PowerShell or Python offer high level Regular Expression libraries natively tailored for validation, writing a password checker in pure Batch Script provides mid level scripters an unparalleled understanding of command line string parsing, findstr pattern matching, and error level logical routing. By the end of this article, you will be able to construct a robust score based syntax evaluator capable of rating passwords securely directly in the Command Prompt.
Identifying Password Strength Criteria
A typical password strength algorithm evaluates multiple factors. To create a reliable checker, we assign a "score" to a password and analyze whether the string fulfills specific requirements. Our script will look for:
- Length Constraints: Minimum of 8 characters.
- Lowercase Checks: At least one lowercase letter
[a-z]. - Uppercase Checks: At least one uppercase letter
[A-Z]. - Numeric Checks: At least one digit
[0-9]. - Special Character Check: At least one symbol
[!@#$%*&_].
Calculating String Length in Batch
Batch does not have a native strlen() function like C++ or PHP. To find the length of a string, we implement a counting loop that steps through the user input character by character until it runs out of data, incrementing a length variable.
@echo off
setlocal enabledelayedexpansion
title Password Length Counter
set /p "USER_PASS=Enter Password: "
set "PASS_LEN=0"
set "TEMP_PASS=!USER_PASS!"
:: A simulated string length function using variable substitution
:STRLEN_LOOP
if defined TEMP_PASS (
set "TEMP_PASS=!TEMP_PASS:~1!"
set /a PASS_LEN+=1
goto STRLEN_LOOP
)
echo Length is !PASS_LEN! characters.
pause
Implementing Pattern Matching with findstr
To determine the presence of uppercase letters, lowercase letters, and numbers, we use the built in findstr command coupled with Regular Expression bracket notation. When findstr locates a match, it sets the system %errorlevel% to 0 (Success). If it fails, the errorlevel becomes 1.
Lowercase and Uppercase Letter Evaluation
echo !USER_PASS!| findstr /R "[a-z]" >nul
if !errorlevel! equ 0 (
echo Lowercase letters found.
set /a SCORE+=1
)
echo !USER_PASS!| findstr /R "[A-Z]" >nul
if !errorlevel! equ 0 (
echo Uppercase letters found.
set /a SCORE+=1
)
By piping the user's string using echo !USER_PASS!|, we pass the string as a standard input stream to findstr. The >nul redirects the matching output into the void, keeping the console output clean. Note that there must be no space between !USER_PASS! and the pipe | character, otherwise the trailing space becomes part of the piped string.
Evaluating Security Symbols and Special Characters
Special characters like ! or ^ hold significant meaning in Batch scripts as logical operators or escaping characters. Handling them dynamically within loops frequently causes scripting crashes. Thus, our parser must check them gracefully.
Instead of typing every single special character, we match against anything that is not alphanumeric using the [^] exclusion operator.
echo !USER_PASS!| findstr /R "[^a-zA-Z0-9]" >nul
if !errorlevel! equ 0 (
echo Special character found.
set /a SCORE+=1
)
Common Wrong Cases and Best Practices
A massive pitfall when evaluating unconstrained textual input in Batch Script is allowing special characters to crash the script engine. If a user inputs a password like admin|123&pass, unescaped symbols | and & will sever the evaluation line and trigger completely unrelated commands.
The Wrong Way: Handling Passwords using Percent Signs
When scripters attempt to pipe a password containing command line logic symbols using standard % wrapping, the command prompt tries to execute the password itself.
Wrong Code Example:
@echo off
set /p "PASSWORD=Enter a password: "
:: If the user typed: hello&dir
:: This line evaluates as: echo hello&dir | findstr /R "[0-9]"
echo %PASSWORD% | findstr /R "[0-9]" >nul
if %errorlevel% equ 0 echo You used a number!
What Happens:
The script attempts to echo "hello", and then executes the dir command natively. It completely breaks out of the intended flow, throwing directory listings onto the screen and causing massive security flaws.
The Correct Way: Strict Delayed Expansion Piping
To safely pass completely arbitrary inputs containing any special characters (&, <, >, |) into findstr without evaluation, you must exclusively use setlocal enabledelayedexpansion and ! marks.
Correct Code Example:
@echo off
setlocal enabledelayedexpansion
set "PASSWORD="
set /p "PASSWORD=Enter a password: "
:: Delayed expansion treats "&" and "|" literally.
echo !PASSWORD!| findstr /R "[0-9]" >nul
if !errorlevel! equ 0 echo You used a number!
What Happens:
The ! variables are evaluated long after the command line parses logical operators. The pipe safely receives hello&dir exactly as a plain text string, preventing command execution.
Full Script Implementation
Combining the length checking loop, the findstr scoring algorithms, and the critical delayed expansion variables, we yield a highly functional terminal password strength meter. Copy this code into your text editor, save it as checkpass.bat, and run it.
@echo off
setlocal enabledelayedexpansion
title Password Strength Meter
:START_PROMPT
cls
echo =======================================================
echo TERMINAL PASSWORD STRENGTH ANALYZER
echo =======================================================
echo.
set "PASSWORD="
set /p "PASSWORD=Enter a password to evaluate (or 'quit' to exit): "
if /i "!PASSWORD!"=="quit" goto :EOF
if not defined PASSWORD goto START_PROMPT
:: Initial Score
set "SCORE=0"
set "PASS_LEN=0"
set "TEMP_PASS=!PASSWORD!"
:: 1. Calculate the Length
:CALC_LENGTH
if defined TEMP_PASS (
set "TEMP_PASS=!TEMP_PASS:~1!"
set /a PASS_LEN+=1
goto CALC_LENGTH
)
if !PASS_LEN! geq 8 (
set /a SCORE+=1
echo [X] Rule Met: Length is at least 8 characters.
) else (
echo [ ] Failed: Length is only !PASS_LEN! characters.
)
:: 2. Check for Lowercase
echo !PASSWORD!| findstr /R "[a-z]" >nul
if !errorlevel! equ 0 (
set /a SCORE+=1
echo [X] Rule Met: Contains a lowercase letter.
) else (
echo [ ] Failed: Missing lowercase letters.
)
:: 3. Check for Uppercase
echo !PASSWORD!| findstr /R "[A-Z]" >nul
if !errorlevel! equ 0 (
set /a SCORE+=1
echo [X] Rule Met: Contains an uppercase letter.
) else (
echo [ ] Failed: Missing uppercase letters.
)
:: 4. Check for Numbers
echo !PASSWORD!| findstr /R "[0-9]" >nul
if !errorlevel! equ 0 (
set /a SCORE+=1
echo [X] Rule Met: Contains a digit.
) else (
echo [ ] Failed: Missing numeric digits.
)
:: 5. Check for Special Characters
echo !PASSWORD!| findstr /R "[^a-zA-Z0-9]" >nul
if !errorlevel! equ 0 (
set /a SCORE+=1
echo [X] Rule Met: Contains a special character.
) else (
echo [ ] Failed: Missing symbols.
)
:: Grading the Final Score
echo.
echo =======================================================
echo Final Strength Score: !SCORE! / 5
if !SCORE! equ 5 (
echo Status: EXCELLENT. Your password is highly secure.
) else if !SCORE! geq 3 (
echo Status: MODERATE. Your password is okay but could be stronger.
) else (
echo Status: WEAK. Your password lacks complexity.
)
echo =======================================================
echo.
pause
goto START_PROMPT
Never hard code actual passwords into batch scripts using the set command to test logic. Clear text credentials in a .bat file represent a severe security risk on shared systems.
Conclusion
Automating password strength meters within Windows Batch Script highlights the deep flexibility of the findstr Regular Expression capability natively embedded within CMD. By prioritizing proper variable quoting and securely handling delayed expansion ! markers, you have built a complex logic engine that correctly manages malicious strings, scores conditions incrementally, and returns detailed security feedback without needing advanced coding languages.