Minimum eight characters, at least one letter and one number:
"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]{8,}$"
Minimum eight characters, at least one letter, one number and one special character:
"^(?=.*[A-Za-z])(?=.*\d)(?=.*[@$!%*#?&])[A-Za-z\d@$!%*#?&]{8,}$"
Minimum eight characters, at least one uppercase letter, one lowercase letter and one number:
"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[a-zA-Z\d]{8,}$"
Minimum eight characters, at least one uppercase letter, one lowercase letter, one number and one special character:
"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$"
Minimum eight and maximum 10 characters, at least one uppercase letter, one lowercase letter, one number and one special character:
"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,10}$"
Top comments (1)
I think this isn't a good approach.
People often complain that regular expressions are difficult to read, whereas I often come down on the other side, saying that they can be quite readable and suitable for a lot of tasks.
I don't think these are readable - and hence not debuggable. You'll need extensive test cases. Regex are not great at password strength type rules because of the way elements are optional at any position. In turn, differences between regex implementations make these less portable than you'd hope: what works in Javascript might not work in Perl, and you're faced with a difficult conversion process.
I think this sort of thing is better served by being built from explicit functions (which could themselves use regex):
Totally ignoring whether password strength rules such as this are the "right" choice, when the client turns around and says they need uppercase characters to include those with accents, or that they need to have at least TWO special characters in them, you're going to have a hard time maintaining the regex.