Regex Pattern for Password Strength
Password strength validation with regex relies on a powerful but often misunderstood feature: lookahead assertions. Rather than consuming characters as they match, lookaheads scan ahead from the current position to verify a condition, then allow the main pattern to continue from the same starting position. This lets you independently verify multiple requirements in a single pass, which is exactly what you need to enforce "must contain an uppercase letter AND a digit AND a special character".

The pattern in this example uses three positive lookaheads before the main character-count check: (?=.*[A-Z]) scans for at least one uppercase letter anywhere in the string, (?=.*[0-9]) requires at least one digit, and (?=.*[!@#$%^&*]) requires one character from the special character set. Finally, .{8,} ensures the total length is at least eight characters.

Seven test cases demonstrate the rules: a fully compliant password (Passw0rd!), a lowercase-only password that fails the uppercase rule, a password missing the special character, a password missing uppercase, a password that meets all character requirements but is too short, a strong password meeting all rules, and a common weak pattern that fails despite being 11 characters long.

The tester approach: you can either paste this combined pattern to test all rules at once, or split it into separate patterns and test them individually to show users which rules their candidate password currently satisfies. The second approach provides a better UX: as the user types, you show green checkmarks for satisfied rules and red X marks for unsatisfied ones.

Real-world considerations: the NIST Digital Identity Guidelines (SP 800-63B) have evolved significantly and now recommend prioritizing password length over character complexity. Modern best practices favor long passphrases over complex but short passwords, and recommend checking against known breach lists rather than requiring special characters. That said, many compliance frameworks (PCI DSS, SOC 2) still mandate specific complexity rules.

Tips for implementation: run each lookahead as a separate regex test and map results to UI indicators rather than showing a single pass/fail. Combine password strength checking with the Have I Been Pwned API to alert users when their chosen password has appeared in known data breaches. Never store passwords in plaintext; store bcrypt or Argon2 hashes with an appropriate cost factor.
/^(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$%^&*]).{8,}$/
# Test cases:
Passw0rd!
weakpass
NoSpecial1
nouppercase1!
Short1!
SecureP@ss42
password123FAQ
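The per-rule approach described above, written out as an added JavaScript example (this is not code from the original page; the rule ids, labels and function names are assumptions made here). Each lookahead from the combined pattern is run as its own stateless regex, so the result can be mapped to one UI indicator per rule, and a consistency check confirms that the per-rule verdict agrees with the combined pattern on the seven test cases listed above:

```javascript
// Added example: per-rule checks that mirror the combined lookahead pattern,
// so a UI can show which rules a candidate password currently satisfies.
// Rule ids and labels are constructed for this example.
const PASSWORD_RULES = [
  { id: 'uppercase', label: 'At least one uppercase letter', test: /[A-Z]/ },
  { id: 'digit',     label: 'At least one digit',            test: /[0-9]/ },
  { id: 'special',   label: 'At least one of !@#$%^&*',      test: /[!@#$%^&*]/ },
  // "." does not match line terminators, exactly as in the combined pattern,
  // so a candidate containing a newline fails here and there alike.
  { id: 'length',    label: 'At least 8 characters',         test: /^.{8,}$/ },
];

// The combined pattern from the page: three lookaheads plus the length check.
const COMBINED_PATTERN = /^(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$%^&*]).{8,}$/;

// Evaluate every rule independently. Returns one entry per rule (for the UI)
// plus the overall verdict and, for comparison, the combined-pattern result.
function evaluatePassword(candidate) {
  const rules = PASSWORD_RULES.map((rule) => ({
    id: rule.id,
    label: rule.label,
    met: rule.test.test(candidate), // no "g" flag, so .test() is stateless
  }));
  return {
    rules,
    allPass: rules.every((r) => r.met),
    matchesCombined: COMBINED_PATTERN.test(candidate),
  };
}

// Ids of the rules a candidate still fails, in display order.
function unmetRules(candidate) {
  return evaluatePassword(candidate).rules.filter((r) => !r.met).map((r) => r.id);
}

// The seven test cases from the page.
const SAMPLE_PASSWORDS = [
  'Passw0rd!', 'weakpass', 'NoSpecial1', 'nouppercase1!',
  'Short1!', 'SecureP@ss42', 'password123FAQ',
];

// True when the per-rule verdict agrees with the combined pattern on every sample.
function allSamplesConsistent() {
  return SAMPLE_PASSWORDS.every((pw) => {
    const { allPass, matchesCombined } = evaluatePassword(pw);
    return allPass === matchesCombined;
  });
}

// Stand-alone run: print the rule breakdown for each sample.
for (const pw of SAMPLE_PASSWORDS) {
  const { allPass } = evaluatePassword(pw);
  console.log(`${pw.padEnd(16)} ${allPass ? 'PASS' : 'FAIL'} unmet=[${unmetRules(pw).join(', ')}]`);
}
```

Keeping the rules in one array means the combined pattern and the UI never drift apart: the same character classes appear in both, and `allSamplesConsistent()` is a cheap regression check to keep beside the pattern if either side is edited. Note that `weakpass` is exactly eight characters, so it satisfies the length rule and fails only the three character-class rules.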
- What are lookahead assertions in regex?
- Lookaheads like (?=.*[A-Z]) assert that a pattern exists somewhere ahead in the string without consuming characters, making them ideal for checking multiple independent conditions.
- Should I use regex for all password validation?
- Regex covers format rules well but cannot check against breached password lists. Combine regex validation with a check against Have I Been Pwned for better security.
- How do I show users which password rules they have met?
- Run each rule as a separate regex test and track which ones pass. Map each result to a visual indicator next to the corresponding rule description in your UI.