Regex for Password Strength — Pattern Explained with Examples
This regex validates password strength by enforcing multiple character class requirements using lookahead assertions. It ensures the password contains at least one lowercase letter, one uppercase letter, one digit, one special character, and is at least 8 characters long. This pattern is a standard baseline for security-conscious authentication systems.
The Pattern
```
/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]).{8,}$/
```

Pattern Breakdown
| Part | Meaning |
|---|---|
| ^ | Start of string |
| (?=.*[a-z]) | Lookahead: at least one lowercase letter |
| (?=.*[A-Z]) | Lookahead: at least one uppercase letter |
| (?=.*\d) | Lookahead: at least one digit |
| (?=.*[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]) | Lookahead: at least one special character |
| .{8,} | At least 8 characters (any character) |
| $ | End of string |
Matches
- Password1!
- Str0ng#Pass
- MyP@ssw0rd
- 1Secure$Pass
- Abcd1234!
- P@ssw0rd!
Does NOT Match
- weak — too short and no uppercase, digit, or special char
- password — all lowercase, no variety
- ALLCAPS123 — no lowercase or special char
- lowercase1! — no uppercase
- NoDigits!! — no digit
- Short1! — only 7 characters
- abcdefgh — no uppercase, digit, or special char
Language Examples
JavaScript
```javascript
const passwordRegex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]).{8,}$/;

console.log(passwordRegex.test('Password1!')); // true
console.log(passwordRegex.test('weak')); // false
console.log(passwordRegex.test('SHORT1!a')); // true (8 chars)

// Provide user feedback
function checkPasswordStrength(password) {
  const checks = {
    length: password.length >= 8,
    lowercase: /[a-z]/.test(password),
    uppercase: /[A-Z]/.test(password),
    digit: /\d/.test(password),
    special: /[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(password),
  };
  return checks;
}
```

Python
```python
import re

password_regex = r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*()_+\-=\[\]{};:\'"\\|,.<>\/?]).{8,}$'

# fullmatch() is used because re.match() with $ also accepts a trailing newline
print(bool(re.fullmatch(password_regex, 'Password1!'))) # True
print(bool(re.fullmatch(password_regex, 'weak'))) # False

# Provide user feedback
def check_password_strength(password):
    return {
        'length': len(password) >= 8,
        'lowercase': bool(re.search(r'[a-z]', password)),
        'uppercase': bool(re.search(r'[A-Z]', password)),
        'digit': bool(re.search(r'\d', password)),
        'special': bool(re.search(r'[!@#$%^&*()_+\-=\[\]{};:\'"\\|,.<>\/?]', password)),
    }

print(check_password_strength('Password1!'))
```

Common Pitfalls
- Lookaheads don’t consume characters — Each `(?=...)` checks for a condition without consuming input. The final `.{8,}` is what actually matches the content. Without it, the lookaheads would validate but match zero characters.
- Special character definition varies — Different systems include different sets of special characters. The set `[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]` is common but may need adjustment. Avoid including characters that cause issues in URL encoding or storage.
- Length minimum — 8 characters is the industry minimum (NIST SP 800-63). Consider requiring 12 or more for high-security applications. Note that the `{8,}` only checks character count, not complexity distribution.
- Common passwords pass regex but are weak — `Password1!` passes this regex but is a commonly used, easily guessed password. Combine regex validation with a password dictionary check for better security.
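
The dictionary check recommended in the last pitfall, as an added example (not code from the original page): it runs the page's pattern and then looks up the word the password was built from in a denylist. The `COMMON_PASSWORDS` entries, the `base_word` normalisation and the `validate_password` name are assumptions made for illustration; a deployment would load a full common-password list instead.

```python
import re

# The page's pattern, unchanged (split over two lines for readability).
PASSWORD_RE = re.compile(
    r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)'
    r'(?=.*[!@#$%^&*()_+\-=\[\]{};:\'"\\|,.<>\/?]).{8,}$'
)

# Constructed sample denylist (assumption). Replace with a real
# common/breached-password list in production.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "admin"}

# Hypothetical normalisation table: undo the usual character swaps
# (0->o, 1->l, 3->e, 4->a, 5->s, @->a, $->s).
_LEET = str.maketrans("01345@$", "oleasas")
_SUFFIX_CHARS = "0123456789!@#$%^&*()_+-=.,?"


def base_word(password):
    """Reduce a password to the word it was probably built from."""
    # Drop the digits/symbols appended to satisfy the composition rules,
    # then map look-alike characters back to letters.
    core = password.casefold().rstrip(_SUFFIX_CHARS)
    return core.translate(_LEET)


def validate_password(password):
    """Return a list of rejection reasons; an empty list means accepted."""
    problems = []
    # fullmatch() so that a trailing newline is not silently accepted.
    if not PASSWORD_RE.fullmatch(password):
        problems.append("fails composition rules")
    if base_word(password) in COMMON_PASSWORDS:
        problems.append("based on a common password")
    return problems


if __name__ == "__main__":
    for candidate in ["Password1!", "P@ssw0rd!", "Str0ng#Pass", "weak"]:
        print(repr(candidate), validate_password(candidate) or "accepted")
```
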
Real-World Use Cases
- User registration — Enforcing minimum password complexity requirements during sign-up
- Password change flows — Validating new passwords meet security policies in account settings
- Admin user management — Enforcing organizational security policies for employee accounts
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro