RegEx for Password Complexity Validation

I often hear on-premises infrastructure described as ‘legacy’. When you consider the innovation, rate of change, advantages and proliferation of cloud technologies, then I guess it’s inevitable on-prem be thought of as the distant past. The problem I have with such branding is that on-prem isn’t going anywhere, anytime soon, and ignoring its continued significance is a dangerous game: the next few years will be dominated by hybrid infrastructure – a mixture of ‘legacy’ on-prem and ‘sky-breaking’ in-cloud. Let’s embrace and celebrate both.

What’s that brain burp got to do with this post? There’s a tenuous link: last week I attended some excellent, internal training on B2C. It’s REALLY cool stuff – Identity as a Service. Anyway, within the policies one has to create for this cloud technology, I found all sorts of examples of lovely, spiky RegEx. Tenuous, huh?

I’m going to share a couple of the more choice examples in this post and the next.

Want some RegEx to enforce passwords of 8-16 characters, ensuring they contain three out of four of the following conditions?

• Lowercase characters
• Uppercase characters
• Digits (0-9)
• One or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; . £


No problem… check out this bad-boy…



What’s going on?

(?=.*[a-z])(?=.*[A-Z])(?=.*\d)   …requires lower case, upper case and a digit
(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])   …requires lower case, upper case and a special character (i.e. anything other than a letter or digit)
(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z0-9])   …requires lower case, a digit and a special character
(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9])   …requires upper case, a digit and a special character


The password must also match the following restrictions:

[A-Za-z\d@#$%^&£*\-_+=[\]{}|\\:',?/`~"();!]   …the list of all acceptable characters (without .)
\.(?!@)   …or . can appear as long as not followed by @
{8,16}   …the length must be between 8 and 16 chars inclusive



Now let’s test with PowerShell.
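
A test along those lines, as an added example rather than the post's original script: the pattern is assembled from the fragments explained above, with the `^`/`$` anchors, straight quotes in the character class and `\u00A3` for £ as assumptions. `Test-PasswordComplexity` and the sample passwords are constructed for illustration.

```powershell
# Added example: pattern assembled from the fragments explained in the post.
# Assumptions: ^/$ anchors, straight ' and " in the class, and \u00A3 for the
# pound sign (avoids script-file encoding problems).
$threeOfFour = @(
    '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)'              # lower + upper + digit
    '(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])'    # lower + upper + special
    '(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z0-9])'       # lower + digit + special
    '(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9])'       # upper + digit + special
) -join '|'

# '' is an escaped single quote inside a single-quoted PowerShell string.
$allowed = '[A-Za-z\d@#$%^&\u00A3*\-_+=[\]{}|\\:'',?/`~"();!]'
$pattern = '^(' + $threeOfFour + ')(' + $allowed + '|\.(?!@)){8,16}$'

function Test-PasswordComplexity {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Password)
    # -cmatch is case-sensitive. The default -match ignores case, so [A-Z]
    # would accept lower case letters and weaken the three-of-four check.
    $Password -cmatch $pattern
}

# Constructed sample passwords, one per rule being exercised.
$samples = @(
    'Passw0rd'            # lower + upper + digit, 8 chars
    'password1'           # only two of the four classes
    'Sh0rt!'              # too short
    'Passw0rdPassw0rd1'   # 17 chars, too long
    'Pass word1'          # space is not an acceptable character
    'first.last@Ex1'      # . is fine when not followed by @
    'Passw0rd.@abc'       # . directly followed by @
)

foreach ($s in $samples) {
    [pscustomobject]@{
        Password           = $s
        Length             = $s.Length
        Valid              = Test-PasswordComplexity -Password $s
        ValidIfCaseIgnored = $s -match $pattern   # what plain -match reports
    }
}
```

The two result columns differ for `password1`: with the case-insensitive `-match`, `[A-Z]` is satisfied by a lower case letter, so a password with only two of the four classes passes.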



Comments (1)

  1. Rory Fewell says:

    Regex manages to be so good, but look so bad at the same time. I think to be honest it’s better to just craft password complexity regex stuff using live Javascript enabled debugging websites to gradually test it as you go along – it tends to be far easier than deciphering pre-written regex because the syntax is always really off-putting. 😛
