Complex Password Validation Regex Pattern
• CronOS Team
regexpasswordvalidationtutorialsecuritylookahead
Need to generate a regex pattern?
Use CronOS to generate any regex pattern you wish with natural language. Simply describe what you need, and we'll create the perfect regex pattern for you. It's completely free!
Complex Password Validation Regex Pattern
A guide to validating complex passwords with regex: 8+ characters, 1 uppercase, 1 lowercase, 1 number, and 1 special character using lookaheads.
Pattern Breakdown
regex
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$
Components
| Component | Description | Matches |
|---|---|---|
^ | Start anchor | Ensures match from string start |
(?=.*[a-z]) | Positive lookahead | Must contain at least one lowercase letter |
(?=.*[A-Z]) | Positive lookahead | Must contain at least one uppercase letter |
(?=.*\d) | Positive lookahead | Must contain at least one digit |
(?=.*[@$!%*?&]) | Positive lookahead | Must contain at least one special character |
[A-Za-z\d@$!%*?&]{8,} | Main pattern | 8+ characters from allowed set |
$ | End anchor | Ensures match to string end |
Character Classes and Lookaheads
(?=.*[a-z])- Positive lookahead: asserts that lowercase letter exists somewhere(?=.*[A-Z])- Positive lookahead: asserts that uppercase letter exists somewhere(?=.*\d)- Positive lookahead: asserts that digit exists somewhere(?=.*[@$!%*?&])- Positive lookahead: asserts that special character exists.*- Matches any character (except newline) zero or more times[A-Za-z\d@$!%*?&]- Allowed characters: letters, digits, and specific special chars{8,}- Quantifier: 8 or more occurrences
Examples
Valid:
Password123!MyP@ssw0rdSecure$Pass1Complex#Pass2Str0ng!Pass
Invalid:
password123!(missing uppercase)PASSWORD123!(missing lowercase)Password!(missing digit)Password123(missing special character)Pass1!(too short, less than 8 characters)Password123!@#$(contains unallowed special characters like#)
Implementation
JavaScript
javascript
const passwordRegex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/;
passwordRegex.test('Password123!'); // true
passwordRegex.test('MyP@ssw0rd'); // true
passwordRegex.test('password123!'); // false (no uppercase)
passwordRegex.test('Pass1!'); // false (too short)
Python
python
import re
password_regex = r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$'
bool(re.match(password_regex, 'Password123!')) # True
bool(re.match(password_regex, 'MyP@ssw0rd')) # True
bool(re.match(password_regex, 'password123!')) # False (no uppercase)
Go
go
passwordRegex := regexp.MustCompile(`^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$`)
passwordRegex.MatchString("Password123!") // true
passwordRegex.MatchString("MyP@ssw0rd") // true
passwordRegex.MatchString("password123!") // false (no uppercase)
Limitations
- Limited special characters: Only allows
@$!%*?&- modify to include more if needed - No maximum length: Doesn't enforce upper limit (add
{8,50}for max 50 chars) - No unicode support: Only ASCII characters
- No common password check: Doesn't prevent weak passwords like
Password1! - Lookahead complexity: Can be slower for very long strings
When to Use
- Strong password requirements for user registration
- Security-sensitive applications
- When you need to enforce multiple character type requirements
- Client-side password strength validation
For production, consider:
- Adding maximum length:
{8,128} - Expanding allowed special characters:
[@$!%*?&#^+=] - Checking against common password lists
- Server-side validation (never trust client-side only)
- Password strength meters for better UX
Need to generate a regex pattern?
Use CronOS to generate any regex pattern you wish with natural language. Simply describe what you need, and we'll create the perfect regex pattern for you. It's completely free!