regex pattern · ready to copy
Regex for validating strong passwords (8+ chars, mixed case, digit, symbol)
Enforce at-least-one rules via lookaheads. Practical floor, not a security guarantee.
intermediate
javascript / pcre / python4 use cases
The pattern
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*()_+\-=[\]{};':\"\\|,.<>/?]).{8,}$
Test cases
| Input | Result |
|---|---|
| Hunter2! | ✓matches |
| P@ssw0rd123 | ✓matches |
| MyDog$Loves2Run | ✓matches |
| password (no caps/digits/symbol) | ✗rejects |
| Sh0rt1! | ✗rejects |
| ALLCAPS123! | ✗rejects |
Edge cases & caveats
Length minimum (8) is the floor — NIST SP 800-63B recommends ≥12. Don't enforce specific symbol set without UX cost. Modern advice: drop complexity rules, just enforce length + breach-list check.
Common use cases
- signup validation
- password reset enforcement
- compliance audit
- service account provisioning
Try variations against your data
regexlab is a free in-browser tester with side-by-side match highlighting, group inspector, and named-capture export to JS/Python/PCRE.
Open regexlab
Related
hex color · url slug · iban · ipv6 address