Regex for password must contain at least eight characters, at least one number and both lower and uppercase letters and special characters

Minimum eight characters, at least one letter and one number:

"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]{8,}$"

Minimum eight characters, at least one letter, one number and one special character:

"^(?=.*[A-Za-z])(?=.*\d)(?=.*[@$!%*#?&])[A-Za-z\d@$!%*#?&]{8,}$"

Minimum eight characters, at least one uppercase letter, one lowercase letter and one number:

"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[a-zA-Z\d]{8,}$"

Minimum eight characters, at least one uppercase letter, one lowercase letter, one number and one special character:

"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$"

Minimum eight and maximum 10 characters, at least one uppercase letter, one lowercase letter, one number and one special character:

"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,10}$"

You may use this regex with multiple lookahead assertions (conditions):

^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-]).{8,}$

This regex will enforce these rules:

• At least one upper case English letter, (?=.*?[A-Z])
• At least one lower case English letter, (?=.*?[a-z])
• At least one digit, (?=.*?[0-9])
• At least one special character, (?=.*?[#?!@$%^&*-])
• Minimum eight in length .{8,} (with the anchors)

Regular expressions don't have an AND operator, so it's pretty hard to write a regex that matches valid passwords, when validity is defined by something AND something else AND something else...

But, regular expressions do have an OR operator, so just apply DeMorgan's theorem, and write a regex that matches invalid passwords:

Anything with less than eight characters OR anything with no numbers OR anything with no uppercase OR or anything with no lowercase OR anything with no special characters.

So:

^(.{0,7}|[^0-9]*|[^A-Z]*|[^a-z]*|[a-zA-Z0-9]*)$

If anything matches that, then it's an invalid password.

The following 4 regex patterns can help you to write almost any password validation.

Pattern 1:

Password must contain one digit from 1 to 9, one lowercase letter, one uppercase letter, one special character, no space, and it must be 8-16 characters long.

^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*\W)(?!.* ).{8,16}$

Explanation:

• (?=.*[0-9]) means that the password must contain a single digit from 1 to 9.
• (?=.*[a-z]) means that the password must contain one lowercase letter.
• (?=.*[A-Z]) means that the password must contain one uppercase letter.
• (?=.*\W) means that the password must contain one special character.
• .{8,16} means that the password must be 8-16 characters long. We must use this at the end of the regex, just before the $ symbol.

^ indicates the beginning of the string. $ indicates the end of the string. If we don't use these ^ & $, the regex will not be able to determine the maximum length of the password. In the above example, we have a condition that the password can't be longer than 16 characters, to make that condition work, we have used these ^ & $.

Remove maximum length restriction: instead of .{8,16}, if we used .{8,}, it would mean that the password must be at least 8 characters long. So, there will not be any condition for checking the maximum length of the password.

Don't accept any number(digit): instead of (?=.*[0-9]), if we used (?!.*[0-9]), it would mean that the password must not contain any digit from 1-9 (Difference with the (?=.*[0-9]) is the use of ! instead of =)

Don't accept any spcecial character: instead of (?=.*\W), if we used (?!.*\W), it would mean that the password must not contain any special characters (The difference with the (?=.*\W) is the use of ! instead of =)

Alternative Syntax for number(digit): instead of (?=.*[0-9]), we could have used (?=.*\d). (?=.*\d) also means that the password must contain a single digit from 1 to 9.

Pattern 2:

Password must contain one digit from 1 to 9, one lowercase letter, one uppercase letter, one underscore but no other special character, no space and it must be 8-16 characters long.

^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*_)(?!.*\W)(?!.* ).{8,16}$

Difference with the Pattern 1

• Here, we have used (?=.*_) which wasn't on the Pattern 1.
• (?=.*_)(?!.*\W) means that the password must contain an underscore but can not contain any other special character.

Pattern 3:

Password must contain one digit from 1 to 9, one lowercase letter, one uppercase letter, one underscore, no space and it must be 8-16 characters long. Usage of any other special character other than underscore is optional.

^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*_)(?!.* ).{8,16}$

Difference with the Pattern 2

• Here, we have not used (?!.*\W) what was on the Pattern 2.
• But it still has the (?=.*_)
• By just removing the (?!.*\W), special characters have become optional. Now, one underscore is required but any other special character can be used or not as it's optional.

Pattern 4:

Password must contain one digit from 1 to 9, one lowercase letter, one uppercase letter, and one underscore, and it must be 8-16 characters long. Usage of any other special character and usage of space is optional.

^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z]).{8,16}$

Difference with the Pattern 3

• Here, we have not used (?=.*_) & (?!.* ) which was on the Pattern 3.
• By removing (?=.*_), it's no longer mandatory to pass one underscore. Now, passing special characters is optional.
• By removing the (?!.* ), usage of space has become optional too.

Use the following Regex to satisfy the below conditions:

Conditions:

1. Min 1 uppercase letter.
2. Min 1 lowercase letter.
3. Min 1 special character.
4. Min 1 number.
5. Min 8 characters.
6. Max 30 characters.

Regex:

/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[#$@!%&*?])[A-Za-z\d#$@!%&*?]{8,30}$/

Just a small improvement for @anubhava's answer: Since special character are limited to the ones in the keyboard, use this for any special character:

^(?=.*?[A-Z])(?=(.*[a-z]){1,})(?=(.*[\d]){1,})(?=(.*[\W]){1,})(?!.*\s).{8,}$

This regex will enforce these rules:

• At least one upper case English letter
• At least one lower case English letter
• At least one digit
• At least one special character
• Minimum eight in length

I had some difficulty following the most popular answer for my circumstances. For example, my validation was failing with characters such as ; or [. I was not interested in white-listing my special characters, so I instead leveraged [^\w\s] as a test - simply put - match non word characters (including numeric) and non white space characters. To summarize, here is what worked for me...

• at least 8 characters
• at least 1 numeric character
• at least 1 lowercase letter
• at least 1 uppercase letter
• at least 1 special character

/^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[^\w\s]).{8,}$/

JSFiddle Link - simple demo covering various cases

A more "generic" version(?), allowing none English letters as special characters.

^(?=\S*[a-z])(?=\S*[A-Z])(?=\S*\d)(?=\S*[^\w\s])\S{8,}$

var pwdList = [
    '@@V4-\3Z`zTzM{>k',
    '12qw!"QW12',
    '123qweASD!"#',
    '1qA!"#$%&',
    'Günther32',
    '123456789',
    'qweASD123',
    'qweqQWEQWEqw',
    '12qwAS!'
  ],
  re = /^(?=\S*[a-z])(?=\S*[A-Z])(?=\S*\d)(?=\S*[^\w\s])\S{8,}$/;
  
  pwdList.forEach(function (pw) {
    document.write('<span style="color:'+ (re.test(pw) ? 'green':'red') + '">' + pw + '</span><br/>');
  });

Import the JavaScript file jquery.validate.min.js.

You can use this method:

$.validator.addMethod("pwcheck", function (value) {
    return /[\@\#\$\%\^\&\*\(\)\_\+\!]/.test(value) && /[a-z]/.test(value) && /[0-9]/.test(value) && /[A-Z]/.test(value)
});

1. At least one upper case English letter
2. At least one lower case English letter
3. At least one digit
4. At least one special character

For standard password requirements I found this to be useful:-

• At least 1 alphabet.

• At least 1 digit.

• Contains no space.

• Optional special characters e.g. @$!%*#?&^_-

• Minimum 8 characters long.

  ^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d@$!%*#?&^_-]{8,}$

You can also set the upper limit for example {8,32} up to 32 characters long.

This worked for me:

^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@$!%*?&])([a-zA-Z0-9@$!%*?&]{8,})$

• At least 8 characters long;
• One lowercase, one uppercase, one number and one special character;
• No whitespaces.

Try this one:

1. Minimum six characters
2. At least one uppercase character
3. At least one lowercase character
4. At least one special character

Expression:

^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[$@$!%*?&.])[A-Za-z\d$@$!%*?&.]{6, 20}

Optional Special Characters:

1. At least one special character
2. At least one number
3. Special characters are optional
4. Minimum six characters and maximum 16 characters

Expression:

^(?=.*\d)(?=.*[a-zA-Z]).{6,20}$

If the min and max condition is not required then remove .{6, 16}

• 6 is minimum character limit
• 20 is maximum character limit
• ?= means match expression

Does it really have to be a regex?

I used to do lots of Perl, and got used to solving problems with regexes. However, when they get more complicated with all the look-aheads and other quirks, you need to write dozens of unit tests to kill all those little bugs.

Furthermore, a regex is typically a few times slower than an imperative or a functional solution.

For example, the following (not very FP) Scala function solves the original question about three times faster than the regex of the most popular answer. What it does is also so clear that you don't need a unit test at all:

def validatePassword(password: String): Boolean = {
  if (password.length < 8)
    return false

  var lower = false
  var upper = false
  var numbers = false
  var special = false

  password.foreach { c =>
    if (c.isDigit)       numbers = true
    else if (c.isLower)  lower = true
    else if (c.isUpper)  upper = true
    else                 special = true
  }

  lower && upper && numbers && special
}

What about considering the following regex solution:

^(?=.*[\w])(?=.*[\W])[\w\W]{8,}$

Which validates the following:

1. At least one lowercase
2. At least one uppercase
3. At least one digit
4. At least one special character
5. At least it should have 8 characters long.

Check it out working at the following link https://regex101.com/r/qPmC06/4/

For a more strict validation where the following is required:

1. At least One Upper Case Character
2. At least one Lower Case character
3. At least one digit
4. At least one symbol/special character @$!%*#?&^_-
5. Minimum 8 characters/digits

Regex:

(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@$!%*#?&^_-]).{8,}

^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*[!@#$%^&*()_+,.\\\/;':"-]).{8,}$
    

Another option is to make use of contrast in the lookahead assertions using a negated character class, optionally matching any character except that is listed before matching the character that should be matched.

^(?=[^A-Z\n]*[A-Z])(?=[^a-z\n]*[a-z])(?=[^0-9\n]*[0-9])(?=[^#?!@$%^&*\n-]*[#?!@$%^&*-]).{8,}$

See a regex demo

In parts, the pattern matches:

• ^ Start of string
• (?=[^A-Z\n]*[A-Z]) Positive lookahead, assert 0+ times any char except A-Z or a newline. Then match a char A-Z
• (?=[^a-z\n]*[a-z]) The same approach for a char a-z
• (?=[^0-9\n]*[0-9]) The same approach for a digit 0-9
• (?=[^#?!@$%^&*\n-]*[#?!@$%^&*-]) The same approach for a char that you would consider special
• .{8,} Match 8 or more times any character except a newline
• $ End of string

Notes

• A dot can also match a space. If you do not want to allow matching a space, then .{8,} can be changed to \S{8,} to match 8 or more non whitespace characters
• Using either . or \S can match more characters than are specified in the lookahead assertions. If you only want to match the characters that are used in the assertions, you can change .{8,} to match only the allowed characters [#?!@$%^&*A-Za-z0-9-]{8,} using a character class

const regex = /^(?=[^A-Z\n]*[A-Z])(?=[^a-z\n]*[a-z])(?=[^0-9\n]*[0-9])(?=[^#?!@$%^&*\n-]*[#?!@$%^&*-]).{8,}$/;
[
  "abcA1#!A",
  "#!asdfSFD1;",
  "# a f F1 ;",
  "1111111111",
  "aaaaaaaa",
  "11111111",
  "AAAAAAAA",
  "########",
  "aA1#"
].forEach(s =>
  console.log(regex.test(s) ? `Match --> ${s}` : `No match --> ${s}`)
);

Keep it simple stupid:

This should do the trick for you, always.

Regex: ^(.{0,7}|[^a-z]{1,}|[^A-Z]{1,}|[^\d]{1,}|[^\W]{1,})$|[\s]

If your password matches the regex above, it is invalid.

If there's no match, your password is valid and contains has at least 8 characters, one upper case letter, one lower case letter and one symbol or special character. And it also contains no spaces, tabs or line breaks.

Breakdown of Regex

1. .{0,7} - matches if password has between 0 to 7 characters.
2. [^a-z]{1,} - matches if no lower case is found
3. [^A-Z]{1,} - matches if no upper case is found
4. [^\d]{1,} - matches if no number (between [0-9]) is found
5. [\s] - matches if a white space, tab or line break is found.

With this approach there's no limit or restriction in terms of symbols allowed. If you want to limit to few symbols allowable, just change [^\W] with [^YourSymbols].

This is what worked for me:

(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[@$!%*#?~(&)+=^_-]).{8,}

^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).*$

this the simple way to use it to validate atleast 1 uppercase, 1 lowercase and 1 number

and this is the example I used in express validation

check('password')
    .notEmpty()
    .withMessage('Password cannot be null')
    .bail()
    .isLength({ min: 6 })
    .withMessage('Password must be at least 6 characters')
    .bail()
    .matches(/^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).*$/)
    .withMessage(
      'Must have atleast 1 uppercase, 1 lowercase letter and 1 number'
    ),

I've found many problems here, so I made my own.

Here it is in all it's glory, with tests:

^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*([^a-zA-Z\d\s])).{9,}$

https://regex101.com/r/DCRR65/4/tests

Things to look out for:

1. doesn't use \w because that includes _, which I'm testing for.
2. I've had lots of troubles matching symbols, without matching the end of the line.
3. Doesn't specify symbols specifically, this is also because different locales may have different symbols on their keyboards that they may want to use.

Testing this one in 2020:

^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$

Verify yourself

const regex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/;
const str = `some12*Nuts`;
let m;

if ((m = regex.exec(str)) !== null) {
    // The result can be accessed through the `m`-variable.
    m.forEach((match, groupIndex) => {
        console.log(`Found match, group ${groupIndex}: ${match}`);
    });
}

I would use:

^(?=.*?[a-z])(?=.*?[A-Z])(?=.*?\d)(?=.*?[\W_]).{8,}$

Most of the answers assume that you use one of their predefined special characters, but I would say it is better, if any special character can be used, if it is not a-zA-Z0-9, so you could write: [^a-zA-Z0-9], but it is shorter to use "Not Word": \W which is equivalent to: [^a-zA-Z0-9_] - but of course you want the underscore _ to be seen as special char, so simple add it, then you end with: [\W_]

A very nice and helpful tool to build your personal regex, modify or test existing ones is regex101: https://regex101.com

@ClasG has already suggested:

^(?=\S*[a-z])(?=\S*[A-Z])(?=\S*\d)(?=\S*[^\w\s])\S{8,}$

but it does not accept _(underscore) as a special character (eg. Aa12345_).

An improved one is:

^(?=\S*[a-z])(?=\S*[A-Z])(?=\S*\d)(?=\S*([^\w\s]|[_]))\S{8,}$

Demo:

function password_check() {
  pass = document.getElementById("password").value;
  console.log(pass);
  regex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/;
  if (regex.exec(pass) == null) {
    alert('invalid password!')
  }
  else {
    console.log("valid");
  }
}

<input type="text" id="password" value="Sample@1">
<input type="button" id="submit" onclick="password_check()" value="submit">

var strongRegex = new RegExp("^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#\$%\^&\*])(?=.{8,})");
var mediumRegex = new RegExp("^(((?=.*[a-z])(?=.*[A-Z]))|((?=.*[a-z])(?=.*[0-9]))|((?=.*[A-Z])(?=.*[0-9])))(?=.{6,})");

Best For javascript

(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+-]).{6}

According to your need this pattern should work just fine. Try this,

^(?=(.*\d){1})(.*\S)(?=.*[a-zA-Z\S])[0-9a-zA-Z\S]{8,}

Just create a string variable, assign the pattern, and create a boolean method which returns true if the pattern is correct, else false.

Sample:

String pattern = "^(?=(.*\d){1})(.*\S)(?=.*[a-zA-Z\S])[0-9a-zA-Z\S]{8,}";
String password_string = "Type the password here"

private boolean isValidPassword(String password_string) {
    return password_string.matches(Constants.passwordPattern);
}

Just we can do this by using HTML5.

Use below code in pattern attribute,

pattern="(?=^.{8,}$)((?=.*\d)(?=.*\W+))(?![.\n])(?=.*[A-Z])(?=.*[a-z]).*$"

It will work perfectly.

If you do not like to use regex. So this module helps a lot: https://www.npmjs.com/package/password-validator

var passwordValidator = require('password-validator');
 
// Create a schema
var schema = new passwordValidator();
 
// Add properties to it
schema
.is().min(8)                                    // Minimum length 8
.is().max(100)                                  // Maximum length 100
.has().uppercase()                              // Must have uppercase letters
.has().lowercase()                              // Must have lowercase letters
.has().digits(2)                                // Must have at least 2 digits
.has().not().spaces()                           // Should not have spaces
.is().not().oneOf(['Passw0rd', 'Password123']); // Blacklist these values
 
// Validate against a password string
console.log(schema.validate('validPASS123'));
// => true
console.log(schema.validate('invalidPASS'));
// => false