What Is a Good Regex for Strong Password Validation?
Pattern: ^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$. This regex enforces a minimum password strength by requiring at least one lowercase letter, one uppercase letter, one digit, one special character, and a minimum length of 8 characters. While widely used, modern security guidance (NIST SP 800-63B) recommends prioritizing password length over complexity rules.
Breaking Down the Pattern
| Part | Meaning |
|---|---|
^ | Start of string |
(?=.*[a-z]) | Lookahead: at least one lowercase letter |
(?=.*[A-Z]) | Lookahead: at least one uppercase letter |
(?=.*\d) | Lookahead: at least one digit |
(?=.*[@$!%*?&]) | Lookahead: at least one special character |
[A-Za-z\d@$!%*?&]{8,}$ | At least 8 characters from the allowed set |
Test Cases
| Input | Match? | Note |
|---|---|---|
MyP@ssw0rd | Yes | Valid format |
Str0ng!Pass | Yes | Valid format |
C0mpl3x&Pw | Yes | Valid format |
weakpassword | No | No uppercase, digit, or special character |
Short1! | No | Only 7 characters (minimum is 8) |
Usage Examples
JavaScript
const pattern = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/;
pattern.test('MyP@ssw0rd'); // true
pattern.test('weakpassword'); // falsePython
import re
pattern = r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$'
bool(re.match(pattern, 'MyP@ssw0rd')) # True
bool(re.match(pattern, 'weakpassword')) # FalseCommon Pitfalls
- Overly strict password rules can reduce security by making passwords harder to remember, leading to reuse.
- NIST SP 800-63B recommends focusing on length (12+ chars) over complexity rules.
- Never rely on client-side regex alone -- always validate on the server.
- Consider allowing passphrases: "correct horse battery staple" is stronger than "P@ssw0rd!".
Try It Yourself
Test this regex with our Regex Tester.
Frequently Asked Questions
Are complex password rules actually more secure?
Not necessarily. NIST research shows that complexity rules (uppercase, special chars, etc.) often lead users to create predictable patterns like "Password1!" or write passwords down. Length is a stronger factor -- a 16-character passphrase is more secure than an 8-character complex password.
What minimum password length should I enforce?
NIST recommends a minimum of 8 characters, with 12-16 being ideal. The maximum should be at least 64 characters to allow passphrases. Never truncate passwords silently.
Should I check passwords against breach databases?
Yes. Services like Have I Been Pwned offer an API to check if a password has appeared in known data breaches. This is more effective than complexity rules.