Regex Password Validation — Strong Password Patterns

Password validation regex uses lookaheads to independently enforce each rule without caring about order. For example, (?=.*[A-Z]) asserts that at least one uppercase letter appears somewhere in the string — regardless of position.

4 Password Validation Patterns

Minimum 8 characters

/.{8,}/

Valid

password

12345678

abcd1234

Invalid

short

1234567

The most basic requirement — at least 8 characters of any type.

Uppercase + lowercase + digit (min 8)

/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$/

Valid

Password1

Hello123

Abc12345

Invalid

password1

PASSWORD1

Password

Requires at least one lowercase letter, one uppercase letter, and one digit.

Strong: upper + lower + digit + special (min 8)

/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*()_+\-=]).{8,}$/

Valid

Password1!

Hello@123

Str0ng#Pass

Invalid

Password1

hello@123

HELLO@123

Enforces all four character classes: uppercase, lowercase, digit, special character.

Very strong (min 12, all classes)

/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*()_+\-=]).{12,}$/

Valid

VeryStr0ng!Pass

MyP@ssw0rd123

Invalid

Short1!

Password1!

Minimum 12 characters with all four character classes. Recommended for high-security systems.

Code Examples

JavaScript

// Strong password: 8+ chars, upper, lower, digit, special
const strongPassword = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*()_+\-=]).{8,}$/;

function validatePassword(password) {
  return {
    valid: strongPassword.test(password),
    minLength: password.length >= 8,
    hasUppercase: /[A-Z]/.test(password),
    hasLowercase: /[a-z]/.test(password),
    hasDigit: /\d/.test(password),
    hasSpecial: /[!@#$%^&*()_+\-=]/.test(password),
  };
}

console.log(validatePassword("Hello@123"));
// { valid: true, minLength: true, hasUppercase: true, ... }

Python

import re

def validate_password(password):
    checks = {
        "min_length": len(password) >= 8,
        "has_uppercase": bool(re.search(r'[A-Z]', password)),
        "has_lowercase": bool(re.search(r'[a-z]', password)),
        "has_digit": bool(re.search(r'\d', password)),
        "has_special": bool(re.search(r'[!@#$%^&*()_+\-=]', password)),
    }
    checks["valid"] = all(checks.values())
    return checks

print(validate_password("Hello@123"))
# {'min_length': True, 'has_uppercase': True, ..., 'valid': True}

Test Your Pattern Online

Regex TesterTest your password regex liveOpen Regex Tester →Random String GeneratorGenerate strong test passwordsOpen Random String Generator →Hash GeneratorHash passwords with SHA-256 / MD5Open Hash Generator →

Related Guides

Frequently Asked Questions

What makes a regex password validator strong?

Lookaheads ((?=...)) let you enforce multiple independent rules. Combine minimum length with character class requirements without caring about order.

Should I validate passwords with regex or a library?

For basic validation, regex works well. For advanced strength scoring (like zxcvbn), use a dedicated library.

What is a lookahead in regex?

A lookahead (?=...) asserts that a pattern matches ahead of the current position without consuming characters. (?=.*[A-Z]) means 'at least one uppercase letter exists somewhere.'

All tools run in your browser. Your data never leaves your device.