RegEx for Password Complexity Validation

I often hear on-premises infrastructure described as 'legacy'. When you consider the innovation, rate of change, advantages and proliferation of cloud technologies, then I guess it's inevitable on-prem be thought of as the distant past. The problem I have with such branding is that on-prem isn't going anywhere, anytime soon, and ignoring its continued significance is a dangerous game: the next few years will be dominated by hybrid infrastructure - a mixture of 'legacy' on-prem and 'sky-breaking' in-cloud. Let's embrace and celebrate both.

What's that brain burp got to do with this post? There's a tenuous link: last week I attended some excellent, internal training on B2C. It's REALLY cool stuff - Identity as a Service. Anyway, within the policies one has to create for this cloud technology, I found all sorts of examples of lovely, spiky RegEx. Tenuous, huh?

I'm going to share a couple of the more choice examples in this post and the next.

Want some RegEx to enforce passwords of 8-16 characters, ensuring they contain three out of four of the following conditions?

• Lowercase characters
• uppercase characters
• digits (0-9)
• and one or more of the following symbols: @ # $ % ^ & * - _ + = [ ] { } | \ : ' , ? / ` ~ " ( ) ; .£


No problem… check out this bad-boy…



What's going on?

(?=.*[a-z])(?=.*[A-Z])(?=.*\d)   …matches lower case, upper case or digit
(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])   …matches lower case, upper case or special character (i.e. non-alpha or digit)
(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z0-9])   …matches lower case, digit, or special character
(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9])   …matches upper case, digit, or special character


The password must also match the following restrictions:

[A-Za-z\d@#$%^&£*\-_+=[\]{}|\\:',?/`~"();!]   …the list of all acceptable characters (without .)
\.(?!@)   …or . can appear as long as not followed by @
{8,16}   …the length must be between 8 and 16 chars inclusive



Now let's test with PowerShell.



Comments (3)

  1. Rory Fewell says:

    Regex manages to be so good, but look so bad at the same time. I think to be honest it’s better to just craft password complexity regex stuff using live Javascript enabled debugging websites to gradually test it as you go along – it tends to be far easier than deciphering pre-written regex because the syntax is always really off-putting. 😛

  2. Uzma Sulthana says:

    once execute the above Script I met with an error as mention below

    parsing “^((?=.*[a-z])(?=.*[A-Z])(?=.*\d)|(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9])|(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z0-9])|(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]
    )([A-Za-z\d@#$%^&£*\-_+=[\]{}|\\:’,?/~();!]|\.(?!@){8,16}$ ” – Not enough )’s.
    At line:1 char:1
    + $password -cmatch $RegExp
    + ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (:) [], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException

    1. Neil Cole says:

      Hi Uzma,
      Check your script. Have you got JUST the search string on the second of the three lines defining $RegEx?
      $RegEx = @”

Skip to main content