There seems to be a lot of confusion here. The answers I see so far don't correctly enforce the 1+ number/1+ lowercase/1+ uppercase rule, meaning that passwords like abc123, 123XYZ, or AB*&^# would still be accepted. Preventing all-lowercase, all-caps, or all-digits is not enough; you have to enforce the presence of at least one of each.
Try the following:
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,15}$
If you also want to require at least one special character (which is probably a good idea), try this:
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\da-zA-Z]).{8,15}$
The .{8,15}
can be made more restrictive if you wish (for example, you could change it to \S{8,15}
to disallow whitespace), but remember that doing so will reduce the strength of your password scheme.
I've tested this pattern and it works as expected. Tested on ReFiddle here: http://refiddle.com/110
Edit: One small note, the easiest way to do this is with 3 separate regexes and the string's Length
property. It's also easier to read and maintain, so do it that way if you have the option. If this is for validation rules in markup, though, you're probably stuck with a single regex.
The regular expression you are after will most likely be huge and a nightmare to maintain especially for people who are not that familiar with regular expressions.
I think it would be easier to break your regex down and do it one bit at a time. It might take a bit more to do, but I am pretty sure that maintaining it and debugging it would be easier. This would also allow you to provide more directed error messages to your users (other than just Invalid Password
) which should improve user experience.
From what I am seeing you are pretty fluent in regex, so I would presume that giving you the regular expressions to do what you need would be futile.
Seeing your comment, this is how I would go about it:
Must be eight characters Long: You do not need a regex for this. Using the .Length
property should be enough.
Including one uppercase letter: You can use the [A-Z]+
regular expression. If the string contains at least one upper case letter, this regular expression will yield true
.
One special character: You can use either the \W
which will match any character which is not a letter or a number or else, you can use something like so [!@#]
to specify a custom list of special characters. Note though that characters such as $
, ^
, (
and )
are special characters in the regular expression language, so they need to be escaped like so: \$
. So in short, you might use the \W
.
Alphanumeric characters: Using the \w+
should match any letter and number and underscore.
Take a look at this tutorial for more information.
Best Answer
Perhaps a single regex could be used, but that makes it hard to give the user feedback for which rule they aren't following. A more traditional approach like this gives you feedback that you can use in the UI to tell the user what pwd rule is not being met: