Regex for Password Strength Validation
Regex patterns for password strength validation using lookahead assertions. Check for minimum length, uppercase, lowercase, digits, and special characters.
Detailed Explanation
Password Strength Validation with Regex
Lookahead assertions are perfect for password validation because they can check multiple conditions independently without consuming characters.
Basic Requirements Pattern
Check that a password has at least 8 characters, one uppercase, one lowercase, and one digit:
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$
Each lookahead checks one condition:
(?=.*[a-z]) - at least one lowercase letter
(?=.*[A-Z]) - at least one uppercase letter
(?=.*\d) - at least one digit
.{8,}$ - at least 8 characters total
Strong Password Pattern
Add a special-character requirement and raise the minimum length to 12:
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*()_+\-={}\[\]:;"'<>?,./]).{12,}$
How Lookaheads Work Here
Each (?=.*X) starts from the beginning of the string (anchored by ^) and scans forward for at least one character matching X. Because lookaheads are zero-width, after each check the position resets and the next lookahead runs from the same starting point.
Negative Conditions
You can also use negative lookahead to forbid certain patterns:
^(?!.*\s)(?!.*(.)(.*\1){2}).{8,}$
(?!.*\s) - no whitespace allowed
(?!.*(.)(.*\1){2}) - no character occurs more than twice (a third occurrence anywhere in the string is rejected)
Important Security Note
Client-side regex validation is a usability feature, not a security measure. Always enforce password policies server-side. Modern guidance (NIST SP 800-63B) recommends focusing on minimum length (8+) and checking against breached password lists rather than complex character requirements.
Use Case
You are building a registration form that needs real-time feedback on password strength, showing users which requirements they have met and which they still need to satisfy.
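For the registration-form use case, the combined pattern only answers pass or fail, so per-requirement feedback needs each lookahead tested on its own. The following is an added example, not code from the original page; the names SPECIAL, RULES, MIN_LENGTH and checkPassword are assumptions, and the sample passwords are constructed.

```javascript
// Added example. Names (SPECIAL, RULES, checkPassword) are assumptions,
// not part of the original page.
const SPECIAL = String.raw`[!@#$%^&*()_+\-={}\[\]:;"'<>?,./]`;

// One entry per lookahead in the page's "Strong Password Pattern".
const RULES = [
  { id: "lower",   label: "one lowercase letter",  cls: "[a-z]" },
  { id: "upper",   label: "one uppercase letter",  cls: "[A-Z]" },
  { id: "digit",   label: "one digit",             cls: String.raw`\d` },
  { id: "special", label: "one special character", cls: SPECIAL },
].map((r) => ({ ...r, re: new RegExp(`^(?=.*${r.cls})`) }));

const MIN_LENGTH = 12;
// `.` does not match line terminators, so a value containing a newline
// fails this rule, exactly as it fails the combined pattern.
const LENGTH_RE = new RegExp(`^.{${MIN_LENGTH},}$`);

// Rebuild the single combined pattern from the same parts so the two
// code paths cannot drift apart.
const STRONG_SOURCE =
  "^" + RULES.map((r) => `(?=.*${r.cls})`).join("") + `.{${MIN_LENGTH},}$`;
const STRONG_RE = new RegExp(STRONG_SOURCE);

// Returns which requirements are met/missing, for live form feedback.
// The same function can run server-side, where the policy is enforced.
function checkPassword(value) {
  const pw = typeof value === "string" ? value : "";
  const results = RULES.map((r) => ({ id: r.id, label: r.label, met: r.re.test(pw) }));
  results.push({
    id: "length",
    label: `at least ${MIN_LENGTH} characters`,
    met: LENGTH_RE.test(pw),
  });
  const missing = results.filter((r) => !r.met).map((r) => r.id);
  return { ok: missing.length === 0, missing, results };
}

// Constructed sample inputs.
for (const pw of ["password", "Password1234", "Str0ng&Longer!"]) {
  const { ok, missing } = checkPassword(pw);
  console.log(JSON.stringify(pw), ok ? "ok" : "missing: " + missing.join(", "));
}
```

Because STRONG_RE is assembled from the same rule list, checkPassword(pw).ok and STRONG_RE.test(pw) always agree, including for input containing a newline.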