Password Validation Regular Expression

Password validation is policy-driven. Some forms need a strict complexity rule, while others only need reasonable length and no whitespace. These examples show three common options so you can pick the one that matches your product instead of forcing a single policy everywhere.

Validation Options

Strict - 8 to 64 characters, at least one lowercase letter, one uppercase letter, one digit, one special character, and no whitespace.
Balanced - 8 to 64 characters, at least one letter and one digit, special characters optional, and no whitespace.
Minimal - 8 to 64 non-whitespace characters with no composition requirements.

Strict Validation

Use this policy when you need explicit complexity requirements: lowercase, uppercase, digit, special character, 8 to 64 characters, and no whitespace.

^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';])[A-Za-z\d!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';]{8,64}$

Explanation

^ - Start of the string.
(?=.*[a-z]) - Requires at least one lowercase ASCII letter.
(?=.*[A-Z]) - Requires at least one uppercase ASCII letter.
(?=.*\d) - Requires at least one digit.
(?=.*[!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';]) - Requires at least one special character from the allowed set.
[A-Za-z\d!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';]{8,64} - Allows only the listed ASCII characters and enforces a total length between 8 and 64 characters.
$ - End of the string.

Note: Regex can enforce a password format, but it does not make password storage safe. Store passwords with a dedicated password hashing algorithm such as Argon2, scrypt, or bcrypt, and consider checking for compromised or commonly used passwords separately.

Practical guidance: Use the strict option when a policy explicitly requires character classes. Use the balanced option when you want basic resistance to trivial passwords without forcing symbols or mixed case. Use the minimal option when the main requirement is length and you expect users to rely on password managers.

Implementation

const passwordRegex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';])[A-Za-z\d!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';]{8,64}$/;

const isValidPassword = (password) => passwordRegex.test(password);

import re

def is_valid_password(password):
  password_regex = r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';])[A-Za-z\d!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';]{8,64}$"
  return re.match(password_regex, password) is not None

use regex::Regex;

fn is_valid_password(password: &str) -> bool {
  let password_regex = Regex::new("^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';])[A-Za-z\d!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';]{8,64}$")
    .expect("Could not parse password validation regex");
  password_regex.is_match(password)
}

package main

import (
  "regexp"
)

func isValidPassword(password string) bool {
  passwordRegex := "^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';])[A-Za-z\d!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';]{8,64}$"
  re := regexp.MustCompile(passwordRegex)
  return re.MatchString(password)
}

import Foundation

func isValidPassword(_ password: String) -> Bool {
  let passwordRegex = "^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';])[A-Za-z\d!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';]{8,64}$"
  return NSPredicate(format: "SELF MATCHES %@", passwordRegex).evaluate(with: password)
}

using System;
using System.Text.RegularExpressions;

class Application {
  static bool IsValidPassword(string password) {
    string passwordRegex = "^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';])[A-Za-z\d!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';]{8,64}$";
    return Regex.IsMatch(password, passwordRegex);
  }
}

import java.util.regex.*;

public class Application {
  public static boolean isValidPassword(String password) {
    String passwordRegex = "^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';])[A-Za-z\d!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';]{8,64}$";
    Pattern pattern = Pattern.compile(passwordRegex);
    Matcher matcher = pattern.matcher(password);
    return matcher.matches();
  }
}

<?php
function isValidPassword($password) {
  $passwordRegex = "^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';])[A-Za-z\d!@#$%^&*(),.?":{}|<>_\-\[\]\\\/+=~';]{8,64}$";
  return preg_match("/" . $passwordRegex . "/", $password);
}
?>

Test Cases

Input	Valid
Str0ng!Pass
A1!bcdef
P@ssw0rd2026
Valid_123!
N0Spaces#
lowercase1!
UPPERCASE1!
NoNumber!
NoSpecial1
Sh0rt!
Has Space1!
Tabs Pass1!
Äbcd123!
Password123
(empty string)
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaA1!

Balanced Validation

Use this when you want a lighter policy: at least one letter, at least one digit, 8 to 64 characters, and no whitespace. Special characters are allowed but not required.

^(?=.*[A-Za-z])(?=.*\d)\S{8,64}$

Explanation

^ - Start of the string.
(?=.*[A-Za-z]) - Requires at least one ASCII letter.
(?=.*\d) - Requires at least one digit.
\S{8,64} - Requires 8 to 64 non-whitespace characters.
$ - End of the string.

Implementation

const passwordRegex = /^(?=.*[A-Za-z])(?=.*\d)\S{8,64}$/;

const isValidPassword = (password) => passwordRegex.test(password);

import re

def is_valid_password(password):
  password_regex = r"^(?=.*[A-Za-z])(?=.*\d)\S{8,64}$"
  return re.match(password_regex, password) is not None

use regex::Regex;

fn is_valid_password(password: &str) -> bool {
  let password_regex = Regex::new("^(?=.*[A-Za-z])(?=.*\d)\S{8,64}$")
    .expect("Could not parse password validation regex");
  password_regex.is_match(password)
}

package main

import (
  "regexp"
)

func isValidPassword(password string) bool {
  passwordRegex := "^(?=.*[A-Za-z])(?=.*\d)\S{8,64}$"
  re := regexp.MustCompile(passwordRegex)
  return re.MatchString(password)
}

import Foundation

func isValidPassword(_ password: String) -> Bool {
  let passwordRegex = "^(?=.*[A-Za-z])(?=.*\d)\S{8,64}$"
  return NSPredicate(format: "SELF MATCHES %@", passwordRegex).evaluate(with: password)
}

using System;
using System.Text.RegularExpressions;

class Application {
  static bool IsValidPassword(string password) {
    string passwordRegex = "^(?=.*[A-Za-z])(?=.*\d)\S{8,64}$";
    return Regex.IsMatch(password, passwordRegex);
  }
}

import java.util.regex.*;

public class Application {
  public static boolean isValidPassword(String password) {
    String passwordRegex = "^(?=.*[A-Za-z])(?=.*\d)\S{8,64}$";
    Pattern pattern = Pattern.compile(passwordRegex);
    Matcher matcher = pattern.matcher(password);
    return matcher.matches();
  }
}

<?php
function isValidPassword($password) {
  $passwordRegex = "^(?=.*[A-Za-z])(?=.*\d)\S{8,64}$";
  return preg_match("/" . $passwordRegex . "/", $password);
}
?>

Test Cases

Input	Valid
password1
Passw0rd
abc12345
1234test!
LOGIN2026
NoDigitsHere
12345678
short1a
has space1
tabs 123a
(empty string)
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1

Minimal Validation

Use this when the main requirement is length and no spaces. It accepts any non-whitespace characters from 8 to 64 characters long and leaves strength decisions to users or password managers.

^\S{8,64}$

Explanation

^ - Start of the string.
\S{8,64} - Requires 8 to 64 non-whitespace characters.
$ - End of the string.

Implementation

const passwordRegex = /^\S{8,64}$/;

const isValidPassword = (password) => passwordRegex.test(password);

import re

def is_valid_password(password):
  password_regex = r"^\S{8,64}$"
  return re.match(password_regex, password) is not None

use regex::Regex;

fn is_valid_password(password: &str) -> bool {
  let password_regex = Regex::new("^\S{8,64}$")
    .expect("Could not parse password validation regex");
  password_regex.is_match(password)
}

package main

import (
  "regexp"
)

func isValidPassword(password string) bool {
  passwordRegex := "^\S{8,64}$"
  re := regexp.MustCompile(passwordRegex)
  return re.MatchString(password)
}

import Foundation

func isValidPassword(_ password: String) -> Bool {
  let passwordRegex = "^\S{8,64}$"
  return NSPredicate(format: "SELF MATCHES %@", passwordRegex).evaluate(with: password)
}

using System;
using System.Text.RegularExpressions;

class Application {
  static bool IsValidPassword(string password) {
    string passwordRegex = "^\S{8,64}$";
    return Regex.IsMatch(password, passwordRegex);
  }
}

import java.util.regex.*;

public class Application {
  public static boolean isValidPassword(String password) {
    String passwordRegex = "^\S{8,64}$";
    Pattern pattern = Pattern.compile(passwordRegex);
    Matcher matcher = pattern.matcher(password);
    return matcher.matches();
  }
}

<?php
function isValidPassword($password) {
  $passwordRegex = "^\S{8,64}$";
  return preg_match("/" . $passwordRegex . "/", $password);
}
?>

Test Cases

Input	Valid
password
12345678
long-enough
UPPERCASE
Abc123!@
short
has space
tabs pass
(empty string)
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa