Password Regex Example

Require uppercase, lowercase, number, symbol, and a minimum length for strong-password policies.

This password regex example enforces a commonly used complexity baseline for account creation and admin workflows. It requires at least one lowercase letter, one uppercase letter, one digit, one non-alphanumeric symbol, and a total length between 10 and 64 characters. The lookahead structure keeps each requirement explicit so the pattern is easier to review during security checks. This is useful for frontend feedback before submission and for backend policy validation when your system stores password hashes, not raw strings. Keep in mind that regex complexity rules do not replace broader security controls such as rate limiting, credential stuffing protection, and multi-factor authentication. If your policy differs, you can tune required character classes or length ranges and test coverage in the Regex Tester before deployment.

Pattern

/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{10,64}$/
Test this regex in toolOpen Regex Tester workspace

Matches

S3cure#Pass2026
Cloud!Build9X
Qw7$LongEnough

Rejects

password123
SHORT1!
NoSymbols1234

FAQ

Do password regex rules guarantee account security?

No. They improve baseline quality but must be combined with hashing, MFA, and abuse protections.

Can I increase the minimum length?

Yes. Update the final quantifier to match your policy.

Should I show users which rule failed?

Yes. Clear rule-by-rule feedback improves completion rates and reduces frustration.

Related: Regex Tester & Generator, Text Diff Checker, JSON vs YAML guide.

Browse all patterns in the regex examples hub.

More regex examples

Email Regex Example - Validate common email-like strings with a practical pattern suitable for frontend form checks.

Phone Number Regex Example - Match normalized phone numbers with optional plus prefix and 7 to 15 digits.

URL Regex Example - Validate common HTTP/HTTPS URLs including optional ports, paths, and query fragments.

IPv4 Regex Example - Match IPv4 addresses with strict 0-255 octet validation for each of four segments.