Download Cheat sheet PDF 12 pages · syntax, editors, patterns, Unicode, performance, debugging
HomePatternsStrong password
Pattern

Regex for Strong password

8+ chars, uppercase, lowercase, digit, symbol.

The pattern

^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{8,}$
Try in explainer →

What it matches

  • MyP@ssw0rd
  • Secur3!Pass
  • Pa$$word1

What it doesn't match

  • password
  • PASSWORD1
  • Pass123
  • Pass!

Notes & gotchas

Four positive lookaheads check for each character class. Adjust the minimum length and required classes for your policy. Modern NIST guidance favors length over complexity.

Code in your language

Use the explainer's Code tab to generate ready-to-paste snippets in JavaScript, Python, Java, .NET, Go, Ruby, and PHP for this pattern.

Open in explainer →

About this pattern

Password and credential validation patterns enforce policy rules. Modern guidance (NIST 800-63B) favors length over complexity.

Quick usage in different languages

Once you've validated a candidate value matches this pattern, you'll typically use it inside your application code. Each language has its own regex syntax:

  • JavaScript: new RegExp(pattern).test(value)
  • Python: re.match(pattern, value) with raw strings: r"pattern"
  • Java: Pattern.compile(pattern).matcher(value).matches()
  • C# / .NET: Regex.IsMatch(value, pattern)
  • Go: regexp.MustCompile(pattern).MatchString(value) — Go uses RE2 so some advanced features aren't available
  • Ruby: value =~ /pattern/ or pattern.match?(value)
  • PHP: preg_match('/pattern/', $value)

The explainer's Code tab generates these for any pattern you paste — including the right escaping and idioms for each language.

Common pitfalls

  • Anchors matter. If the pattern uses ^ and $ it expects the entire input to match. To find this pattern inside a longer text, remove the anchors and use the /g flag.
  • Case sensitivity. Letter ranges like [A-Z] only match uppercase. Use the i flag or [A-Za-z] for case-insensitive matching.
  • Escape user input. If you're building a regex from a string variable, escape regex metacharacters first to avoid bugs or injection.
  • Performance. For this specific pattern the risk is low, but be cautious of nested quantifiers when adapting it — they can cause exponential backtracking on adversarial input.

See also

Browse all 300 patterns in the library, or open this regex in the interactive explainer for a token-by-token breakdown, live testing, and code in seven languages.

Want more patterns? Browse the full library →