
Regex for password must contain at least eight characters, at least one number and both lower and uppercase letters and special characters

javascript
regex
password-validation
security
by Alex Kataev · Nov 5, 2024
TLDR

Here's a battle-tested JavaScript Regex for a password that throws all the punches: minimum eight characters, at least one number, an uppercase letter, a lowercase letter, and a special character.

/^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*\W).{8,}$/

Explanation:

  • (?=.*\d) - the password must contain at least one digit. Math is hard, and so should your password.
  • (?=.*[a-z]) - the password must contain at least one lowercase letter.
  • (?=.*[A-Z]) - the password must contain at least one uppercase letter. The more casing, the merrier.
  • (?=.*\W) - the password must contain at least one special character. Be unique, like '@' or '!'. (Keep in mind that \W means "anything that is not a letter, digit or underscore", so a space counts, and an underscore does not.)
  • .{8,} - the password must be at least eight characters long. Because you know, size matters.

Testing the strength of a password is as easy as:

const passwordStrength = /^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*\W).{8,}$/.test('YourP@ss1');

passwordStrength will be true if the password complies. If it is false, tell them to try again!
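To see exactly where that regex draws the line, here is an added example (not part of the original post) that runs it over a handful of constructed sample passwords, including two edge cases the pattern handles in ways people don't expect: an underscore does not satisfy \W, while a space or a non-ASCII letter does.

```javascript
// Added example: exercising the post's regex on constructed sample passwords.
const PASSWORD_RE = /^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*\W).{8,}$/;

function meetsPolicy(password) {
  return PASSWORD_RE.test(password);
}

// Constructed samples: [candidate, expected verdict, why]
const SAMPLES = [
  ['YourP@ss1',  true,  "the post's own example"],
  ['yourp@ss1',  false, 'no uppercase letter'],
  ['YOURP@SS1',  false, 'no lowercase letter'],
  ['YourP@ssw',  false, 'no digit'],
  ['YourPass1',  false, 'no special character'],
  ['Yp@ss1',     false, 'only six characters'],
  ['Your_Pass1', false, '_ is a word character, so \\W does not match it'],
  ['Your Pass1', true,  'a space is not a word character, so \\W matches it'],
  ['Pässwort12', true,  'ä is outside [A-Za-z0-9_], so \\W matches it too'],
];

// Returns one row per sample saying whether the regex agreed with the
// expected verdict; every row should come back with ok === true.
function runSamples() {
  return SAMPLES.map(([pw, expected, why]) => ({
    pw,
    why,
    ok: meetsPolicy(pw) === expected,
  }));
}

for (const row of runSamples()) {
  console.log(`${row.ok ? 'OK  ' : 'FAIL'} ${row.pw.padEnd(12)} ${row.why}`);
}
```

The last three rows are the ones worth remembering: if you want underscores to count as "special", or you don't want whitespace or accented letters to count, spell out the character class instead of relying on \W.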

Beyond the basic strength check

Sure, the regex answer does the job. But, there’s a lot more to creating Hulk-strong passwords. Here’s how to go above & beyond.

Special characters feast or famine

Need to restrict special characters to a select few? Customize your regex by replacing \W with a character class listing the ones you want. Note that a lookahead like this only requires one of them to be present; it does not, by itself, forbid other symbols from appearing.

For example:

(?=.*[@$!%*?&]) // your password must have special characters, but only the classy ones.

Length does matter

If you need to enforce a specific length range for the password, play around with the numbers in the curly braces ({}).

Some examples:

  • .{8,10} enforces a minimum length of 8 and a maximum length of 10. Because 11 is just showing off.
  • .{8,} enforces a minimum length of 8. Leaving the slot after the comma empty says there's no upper limit. Sky's the limit, baby!

Forbidden fruits

Need to explicitly exclude some characters or categories? Use a negative lookahead (?!...).

Some examples:

  • (?!.*\W) - this makes sure your password is a pure alpha-numeric child (plus underscore, since \W treats _ as a word character). No special characters please!
  • (?!.*[0-9]) - you don't want any numbers here.

Pick and choose

You can also enforce that a password must contain a specific character at least once using a positive lookahead (?=...).

For example,

(?=.*_) // includes at least one underscore; '__' cause they're cooler.
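The four sections above (a chosen set of special characters, a length range, negative lookaheads, and a must-contain lookahead) are all independent building blocks, so they compose. The following added example, which is not from the original post, assembles them into one regex from a plain options object; the option names and the escaping helpers are my own choices, and with no options it produces exactly the post's TLDR pattern.

```javascript
// Added example: build a password-policy regex from options.
// digits:   'required' | 'forbidden' | 'allowed'
// specials: 'any' (\W), 'none' (negative lookahead), or a string of the
//           characters that count, e.g. '@$!%*?&'
// maxLength: null means "no upper bound", i.e. .{8,}
function buildPasswordRegex({
  minLength = 8,
  maxLength = null,
  digits = 'required',
  specials = 'any',
  mustContain = [],   // literal characters that must each appear at least once
} = {}) {
  // Inside a character class only backslash, ']', '^' and '-' need escaping.
  const escapeForClass = (s) => s.replace(/[\\\]^-]/g, '\\$&');
  // Outside a class, escape every regex metacharacter.
  const escapeLiteral = (s) => s.replace(/[.*+?^${}()|[\]\\\/]/g, '\\$&');

  const parts = ['^'];
  if (digits === 'required') parts.push('(?=.*\\d)');
  if (digits === 'forbidden') parts.push('(?!.*\\d)');
  parts.push('(?=.*[a-z])', '(?=.*[A-Z])');
  if (specials === 'any') parts.push('(?=.*\\W)');
  else if (specials === 'none') parts.push('(?!.*\\W)');
  else parts.push(`(?=.*[${escapeForClass(specials)}])`);
  for (const ch of mustContain) parts.push(`(?=.*${escapeLiteral(ch)})`);
  parts.push(`.{${minLength},${maxLength ?? ''}}$`);
  return new RegExp(parts.join(''));
}

// Usage, on constructed candidates:
console.log(buildPasswordRegex().source);
console.log(buildPasswordRegex({ maxLength: 10 }).test('YourP@ss1234'));      // too long
console.log(buildPasswordRegex({ specials: '@$!%*?&' }).test('Your#Pass1'));   // wrong symbol
console.log(buildPasswordRegex({ digits: 'forbidden', specials: 'none' }).test('YourPassword'));
console.log(buildPasswordRegex({ mustContain: ['_'] }).test('Your_P@ss1'));
```

Because the pieces are lookaheads, their order doesn't change what matches; the builder just keeps the post's order so the default output reads the same as the TLDR. As with the post's own snippet, a specials string only demands one of those characters; if you also want to reject everything else, swap the `.` in the final `.{min,max}` for an allow-list class.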

Passwords for the God of Thunder

You can take your password validation further by considering personalized data and context, as well as avoiding common patterns.

Down with weak passwords

If you're up against common passwords, regex won't be enough. Store a list of banned passwords and check user input against it before running the regex.

User-focused validation

Passwords should ideally not be predictable from user details. Check the entered password against their username, or even their birthdate. Why make it easy for the bad guys?
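Putting the last two sections together: the banned-list check and the "does it echo the user's own details" check are cheap string comparisons, so run them first and only then apply the regex. This added example is not from the original post; the banned list is a tiny constructed stand-in for a real one, the birthdate layouts it looks for are my own assumption (input expected as YYYY-MM-DD), and the result is a list of reasons so the caller can show all of them at once.

```javascript
// Added example: layered password validation (banned list, user details, regex).
const POLICY_RE = /^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*\W).{8,}$/;

// Constructed stand-in for a real banned/breached-password list; a production
// list is far longer and loaded from storage, not hard-coded.
const BANNED = new Set(['password1!', 'welcome1!', 'qwerty123!', 'p@ssw0rd']);

const normalize = (s) => s.trim().toLowerCase();

// Common ways a YYYY-MM-DD birthdate gets typed into a password (assumed set).
function birthdateLayouts(isoDate) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(isoDate);
  if (!m) return [];
  const [, y, mo, d] = m;
  return [y, `${y}${mo}${d}`, `${d}${mo}${y}`, `${mo}${d}${y}`,
          `${y.slice(2)}${mo}${d}`, `${d}${mo}${y.slice(2)}`];
}

// Returns the reasons the candidate was rejected; an empty array means accepted.
function validatePassword(candidate, user = {}) {
  const reasons = [];
  const lowered = normalize(candidate);

  // 1. Banned list, compared case-insensitively so 'Password1!' is caught too.
  if (BANNED.has(lowered)) reasons.push('banned');

  // 2. Username embedded in the password (ignore very short names to avoid noise).
  if (user.username) {
    const name = normalize(user.username);
    if (name.length >= 3 && lowered.includes(name)) reasons.push('contains-username');
  }

  // 3. Birthdate embedded in any of the assumed layouts.
  if (user.birthdate && birthdateLayouts(user.birthdate).some((s) => lowered.includes(s))) {
    reasons.push('contains-birthdate');
  }

  // 4. Finally, the composition rule from the TLDR.
  if (!POLICY_RE.test(candidate)) reasons.push('policy');

  return reasons;
}

// Usage on constructed input:
console.log(validatePassword('P@ssw0rd'));                                          // passes the regex, still banned
console.log(validatePassword('Alice1990!x', { username: 'alice', birthdate: '1990-04-17' }));
console.log(validatePassword('YourP@ss1',  { username: 'alice', birthdate: '1990-04-17' }));   // []
```

'P@ssw0rd' is the instructive case: it satisfies every lookahead in the regex and is still one of the first guesses anyone would try, which is exactly why the list check has to come before the pattern check rather than instead of it.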

Regex has its limits

While regular expressions are a useful tool for password validation, be aware of their limitations and pitfalls. Overly complex expressions are hard to read and review, easy to get subtly wrong, and in some cases slow to evaluate on unfriendly input, so keep them as simple as the rules allow.

More than regex

Beyond regex, consider other methods like two-factor authentication and password managers for extra security. And remember, the safest password is the one you can't remember. 👹