5 Regex for password validation, with tests

YardenPorat
Jan 21, 2023

In this article, we will cover 5 regex patterns for password validation in JavaScript, including minimum length and character requirements.

Sample test cases using console.assert() are provided.

Minimum eight characters, at least one letter, and one number:

const r1 = new RegExp('^(?=.*[A-Za-z])(?=.*\\d)[A-Za-z\\d]{8,}$');
console.assert(r1.test('password1') === true, 'correct');
console.assert(r1.test('passwor') === false, 'too short');
console.assert(r1.test('passwordpassword') === false, "doesn't contain a number");

Minimum eight characters, at least one letter, one number, and one special character:

const r2 = new RegExp('^(?=.*[A-Za-z])(?=.*\\d)(?=.*[@$!%*#?&])[A-Za-z\\d@$!%*#?&]{8,}$');
console.assert(r2.test('Password1@') === true, 'correct');
console.assert(r2.test('password1') === false, 'no special character');
console.assert(r2.test('Passwor@') === false, 'no number');

Minimum eight characters, at least one uppercase letter, one lowercase letter and one number:

const r3 = new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)[a-zA-Z\\d]{8,}$');
console.assert(r3.test('Password1') === true, 'correct');
console.assert(r3.test('password') === false, 'no uppercase letter');
console.assert(r3.test('PASSWORD') === false, 'no lowercase letter');

Minimum eight characters, at least one uppercase letter, one lowercase letter, one number, and one special character:

const r4 = new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[@$!%*?&])[A-Za-z\\d@$!%*?&]{8,}$');
console.assert(r4.test('Password1@') === true, 'correct');
console.assert(r4.test('password1') === false, 'no uppercase letter');
console.assert(r4.test('Password1') === false, 'no special character');
console.assert(r4.test('PASSWORD@') === false, 'no lowercase letter');

Minimum eight and maximum 10 characters, at least one uppercase letter, one lowercase letter, one number, and one special character:

const r5 = new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[@$!%*?&])[A-Za-z\\d@$!%*?&]{8,10}$');
console.assert(r5.test('Password1@') === true, 'correct');
console.assert(r5.test('password1@password1@') === false, 'too long');
console.assert(r5.test('PASSWORD@') === false, 'no lowercase letter');
console.assert(r5.test('password1') === false, 'no uppercase letter');
console.assert(r5.test('Password1') === false, 'no special character');
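
Each pattern above answers only yes or no, and its trailing character class also rejects any character outside the listed set, which the headings do not mention. The following added example (not part of the original article; `explainPassword`, `RULES`, `r4Check`, `r5Check` and the sample inputs are names and values constructed here) splits the r4/r5 policy into named checks so the failing requirement can be reported, and confirms the result agrees with r4:

```javascript
// Added example: the r4/r5 policy split into named checks (names are hypothetical).
const RULES = [
  ['lowercase letter', /[a-z]/],
  ['uppercase letter', /[A-Z]/],
  ['number', /\d/],
  ['special character', /[@$!%*?&]/],
];

// Returns the list of requirements the password fails; an empty list means valid.
function explainPassword(pw, { min = 8, max = Infinity } = {}) {
  const failures = [];
  if (pw.length < min) failures.push('too short');
  if (pw.length > max) failures.push('too long');
  for (const [name, re] of RULES) {
    if (!re.test(pw)) failures.push(`no ${name}`);
  }
  // The trailing character class in r4/r5 rejects anything outside this set,
  // so spaces, '-', '^' and non-ASCII characters make the whole match fail.
  const disallowed = [...new Set(pw.match(/[^A-Za-z\d@$!%*?&]/gu) || [])];
  if (disallowed.length > 0) {
    failures.push(`disallowed character(s): ${disallowed.join('')}`);
  }
  return failures;
}

// The article's r4 and r5 as regex literals, used to confirm both approaches agree.
const r4Check = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/;
const r5Check = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,10}$/;

// Constructed sample inputs.
const samples = ['Password1@', 'password1', 'Password1@^', 'Pass word1@', 'Pw1@'];
for (const pw of samples) {
  const failures = explainPassword(pw);
  console.assert((failures.length === 0) === r4Check.test(pw), 'agrees with r4');
  console.log(JSON.stringify(pw), failures.length ? failures : 'valid');
}
```

Pass `{ max: 10 }` as the second argument to apply the r5 length limit.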
