Regular Expression for a Strong Password

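This snippet shows a regular expression for a strong password. It requires at least one digit, one lowercase letter and one uppercase letter, and rejects any whitespace.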
^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?!.*\s).*$
See also: http://p2p.wrox.com/topic.asp?TOPIC_ID=8753.
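
As an added example (not code from the original article), the pattern can be split into its four lookaheads so that a rejected password reports which rule it failed. The rule names and sample inputs are made up for this illustration.

```javascript
// Added example: the article's pattern, split into its four lookaheads.
// Rule names and sample inputs are constructed for this illustration.
const STRONG = /^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?!.*\s).*$/;

const RULES = [
  { name: "digit",         test: (s) => /^(?=.*\d)/.test(s) },
  { name: "lowercase",     test: (s) => /^(?=.*[a-z])/.test(s) },
  { name: "uppercase",     test: (s) => /^(?=.*[A-Z])/.test(s) },
  { name: "no-whitespace", test: (s) => /^(?!.*\s)/.test(s) },
];

// Returns the names of the rules a candidate fails (empty array = accepted).
function failedRules(password) {
  return RULES.filter((r) => !r.test(password)).map((r) => r.name);
}

// True when the per-rule result matches the single combined pattern.
function agreesWithCombined(password) {
  return STRONG.test(password) === (failedRules(password).length === 0);
}

// Constructed samples: a trailing space is rejected, and "aA1" is accepted
// because the pattern sets no minimum length.
const samples = ["L00pL00p", "L00pL00p ", "aA1", "password", "PASSWORD1", "Pass word1"];
for (const s of samples) {
  const failed = failedRules(s);
  const verdict = failed.length ? "rejected: " + failed.join(", ") : "accepted";
  console.log(JSON.stringify(s), verdict, "| agrees:", agreesWithCombined(s));
}
```

The pattern checks character classes only, so a length requirement has to be enforced separately or added as another lookahead such as `(?=.{8,})`.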

Feedback by Other Visitors of Imar.Spaanjaars.Com

On Monday, November 20, 2006 10:04:51 AM s.syed abdul kather said:
Sir,
1. Can you tell me what the difference is between a combobox and a textbox?
On Monday, November 20, 2006 11:38:07 AM Imar Spaanjaars said:
Hi s.syed,

How is this related to the original topic of regular expressions for a password??

Imar
On Thursday, June 28, 2007 6:50:49 PM Julie said:
Here is a regex if you want these criteria:
Passwords will contain at least (1) upper case letter
Passwords will contain at least (1) lower case letter
Passwords will contain at least (1) number or special character
Passwords will contain at least (8) characters in length
Password maximum length should not be arbitrarily limited

(?=^.{8,}$)((?=.*\d)|(?=.*\W+))(?![.\n])(?=.*[A-Z])(?=.*[a-z]).*$
On Wednesday, September 17, 2008 11:39:31 AM jignesh kadvani said:
How to generate a downloader? For example, I want to download this program's source code zip file; how do I do that? Can you provide code for that?
On Wednesday, September 17, 2008 5:03:27 PM Imar Spaanjaars said:
Hi jignesh ,

How is this related to the original topic of regular expressions for a password??

Imar
On Wednesday, September 17, 2008 5:22:19 PM Imar Spaanjaars said:
----- The following addresses had permanent fatal errors -----
[jignnesh_kadvani@yahoo.com]
    (reason: 554 delivery error: dd This user doesn't have a yahoo.com account (jignnesh_kadvani@yahoo.com) [0] - mta325.mail.re4.yahoo.com)


Sigh.... Not only do you ask off-topic questions, you cannot even write your own e-mail address correctly. Why do you even bother posting here then and waste everybody's time?
On Tuesday, January 06, 2009 2:56:51 PM Bjorn van der Neut said:
Is it possible the following:

Password must contain at least two of the following groups:
- Small letters (a-z)
- Capital letters (A-Z)
- Numbers (0-9)
- Strange characters (!@#$%^&*_+-/)

I can only find regexes that do and, and, and ...
Hope to hear from you all

Bjorn
On Tuesday, January 06, 2009 7:55:17 PM Imar Spaanjaars said:
Hi Bjorn,

I am sure it must be possible; I just don't have one lying around.... Sorry.

Imar
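
An "at least two of four groups" rule like the one asked about above can be written as an alternation of lookahead pairs. The following is an added example, not code posted by anyone in this thread: it generates that pattern and compares it with simply counting the groups present. The character classes follow the list in the question; all function and constant names are made up.

```javascript
// Added example (not from the thread): "at least k of n groups".
// Classes follow the list in the question; all names here are made up.
const GROUPS = {
  lower:   "[a-z]",
  upper:   "[A-Z]",
  digit:   "[0-9]",
  special: "[!@#$%^&*_+\\-/]",
};

// All k-element subsets of an array.
function combinations(items, k) {
  if (k === 0) return [[]];
  if (items.length < k) return [];
  const [head, ...rest] = items;
  return [
    ...combinations(rest, k - 1).map((c) => [head, ...c]),
    ...combinations(rest, k),
  ];
}

// One alternative per subset; each alternative is a run of AND-ed lookaheads.
function atLeastKOf(groups, k) {
  const alts = combinations(Object.values(groups), k)
    .map((subset) => subset.map((cls) => `(?=.*${cls})`).join(""));
  return new RegExp(`^(?:${alts.join("|")}).*$`);
}

// The same policy without a generated pattern: count the groups present.
function groupsPresent(password, groups) {
  return Object.values(groups)
    .filter((cls) => new RegExp(cls).test(password)).length;
}

const TWO_OF_FOUR = atLeastKOf(GROUPS, 2);

// Constructed single-line samples; both approaches should agree on each.
for (const s of ["abc123", "abcdef", "ABC!", "123456", "aB3!"]) {
  console.log(s, TWO_OF_FOUR.test(s), groupsPresent(s, GROUPS) >= 2);
}
```

The generated pattern grows with the number of subsets (6 alternatives for two of four), which is why the counting form is usually easier to maintain.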
On Thursday, October 15, 2009 3:23:02 AM Joe Coyne said:
Imar,

Sorry you had a bunch of lame posters!  I wanted you to know that I did search in Google for "strong password regex" (or something like that).  You were the first hit, and your regex criteria were perfect.  You saved me at least three days' worth of work.  Don't worry, it's not a commercial application, and THANK YOU!
On Friday, May 21, 2010 7:50:43 AM Bobble Heads UK said:
This doesn't seem to work for passwords that repeat the same phrase even though they are technically valid.

E.g.: L00pL00p, despite the fact it has small + cap + numbers
On Friday, May 21, 2010 8:55:13 PM Imar Spaanjaars said:
Hi there,

Can you define does not work? Is it considered strong, but you want it to be weak or the other way around? What environment are you using?

In .NET this:

bool IsMatch1 = Regex.IsMatch("L00pL00p", @"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?!.*\s).*$");

leads to true....
On Friday, May 21, 2010 11:06:07 PM Bobble Heads UK said:
Sorry, I was trying this with JavaScript, which seemed to cause my issues. In .NET it worked absolutely fine. :)
On Sunday, January 30, 2011 12:26:02 PM cherryaa said:
Thanks for this, I tried loads that matched when they shouldn't!  This does actually work, folks :)
On Tuesday, February 15, 2011 3:18:03 AM Charles N said:
Very good
On Friday, February 18, 2011 12:57:20 AM Spent A Day said:
Nice! Thank you, works as advertised!
On Saturday, April 16, 2011 7:26:52 PM Sean said:
I don't understand the .* at the end... doesn't that allow someone to append anything at all at the end of the string? I've also seen versions of password regexes that use the .* at both the beginning and end of the string. Can you please explain this?
On Sunday, April 17, 2011 3:11:05 AM Imar Spaanjaars said:
Hi Sean,

Yes, the dot asterisk at the end means you can add pretty much anything to the already strong password. That's not bad is it? If the first part is already strong, it's OK if I append aaaaa to it, no?

Imar
On Sunday, April 17, 2011 6:28:15 AM Sean said:
In the regex being used here could you append whitespace chars?
On Sunday, April 17, 2011 6:50:19 AM Imar Spaanjaars said:
Hi Sean,

The best way to find out is to try it out ;-)

But yes, I think it does. .* means "anything except a line break, zero or more occurrences".

Cheers,

Imar
On Monday, January 23, 2012 9:06:41 PM Ramon Del Valle said:
Found a great post that kinda helps break down the process to create it yourself here: (why use a pre-baked regex unless you're just too lazy to put in the time to get the result you want.)
http://www.zorched.net/2009/05/08/password-strength-validation-with-regular-expressions/
On Monday, January 23, 2012 9:18:09 PM Ramon Del Valle said:
@ Author: Forgot to say thanks for the post. No pun intended.
On Monday, January 23, 2012 9:23:25 PM Ramon Del Valle said:
Came up with:

^(?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[\d])(?=.*[\W]).*$

-8 characters in length.
-At least 1 special
-At least 1 digit
-At least 1 upper
-At least 1 lower

On Wednesday, May 07, 2014 10:35:36 AM Jef said:
Hello Imar,

Your regex works like a charm but the first character of the password may not be a digit.  So I added this (^[a-zA-Z]{1}*$]) in your solution. As a result nothing goes, no valid passwords.

Can you help me out?

Thanks
On Wednesday, May 07, 2014 6:44:32 PM Imar Spaanjaars said:
Hi Jef,

You should drop the ^ and $ as they mark the start and end of the expression.

Cheers,

Imar
On Thursday, January 07, 2016 2:04:51 PM Aman Saxena said:
I want an expression for a password containing an alphabetic and a numeric value; it must not contain any special character and must be of even length.
