Regex for Password Strength Validation
Test regex patterns for password strength requirements. Enforce uppercase, lowercase, digits, special characters, and minimum length.
Password Strength Regex
A common strong password regex is
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$. It uses lookaheads to require at least one lowercase letter, one uppercase letter, one digit and one special character, with a minimum length of 8. Each (?=.*X) is a lookahead that checks for the presence of X without consuming characters. The final character class then restricts the whole password to the listed characters, so a password containing anything else (a space or #, for example) is rejected even if it is otherwise strong.

Modern Password Guidelines
- NIST SP 800-63B: Recommends minimum 8 characters, checking against breached password databases, and NOT requiring complexity rules (uppercase, special chars) as they lead to predictable patterns.
- Length over complexity: A 16-character passphrase is stronger than an 8-character complex password. Encourage longer passwords instead of complex rules.
- Breached password check: Use the Have I Been Pwned API (k-anonymity model) to check if a password has been exposed in data breaches.
- Client + server: Use regex for instant client-side feedback, but always enforce rules server-side too.
```javascript
// Strong password (8+ chars, upper, lower, digit, special)
/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/

// Minimum 12 characters, any content
/^.{12,}$/

// At least one letter and one number, 8+
/^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]{8,}$/
```