5

I'm new to regex.
I need to validate passwords using PHP with the following password policy, using regex:

Passwords:

  1. Must have minimum 8 characters
  2. Must have 2 numbers
  3. Symbols allowed are : ! @ # $ % *

I have tried the following: `/^(?=.*\d)(?=.*[A-Za-z])[0-9A-Za-z!@#$%]$/`

HamZa
sash
  • 1
    Can you possibly post here the regexp [you have tried](http://whathaveyoutried.com) and isn't working? – Petr R. Aug 11 '13 at 19:07
  • @NullPoiиteя Please read the question Null – sash Aug 11 '13 at 19:10
  • Try http://regexlib.com/ – putvande Aug 11 '13 at 19:13
  • 2
    The `Symbols allowed are : ! @ # $ % *` part bothers me. Why are you only allowing certain symbols? You should allow the entire character set since you're passing the password off to a library like bcrypt anyways which will produce a hash. You ARE hashing your passwords, right? – Ryan Kearney Aug 11 '13 at 19:13
  • 1
    Previous questions with quite similar content are e.g. http://stackoverflow.com/questions/1615078/regex-for-password-requirements and http://stackoverflow.com/questions/7245267/regular-expressions-for-password-validation ... Note also the many "for the love of `$dmr`, don't do that" comments. – tripleee Aug 11 '13 at 19:14
  • @RyanKearney Allowing only those symbols is part of application requirement. – sash Aug 11 '13 at 19:15
  • @sash What about Hindu, Hebrew, Arabic letters or digits? – HamZa Aug 11 '13 at 19:29
  • See [Reference - Password Validation](https://stackoverflow.com/questions/48345922/reference-password-validation/48346033#48346033) – ctwheels Jan 14 '21 at 15:05

4 Answers

9

The following matches exactly your requirements: `^(?=.*\d.*\d)[0-9A-Za-z!@#$%*]{8,}$`

Online demo <<< You don't need the modifiers, they are just there for testing purposes.

Explanation

  • `^` : match begin of string
  • `(?=.*\d.*\d)` : positive lookahead, check if there are 2 digits
  • `[0-9A-Za-z!@#$%*]{8,}` : match digits, letters and !@#$%* 8 or more times
  • `$` : match end of string
HamZa
0

I would first try and find two numbers, using non-regex (or `preg_match_all('/[0-9]/', ...) >= 2`), then validating against:

`^[!@#$%*a-zA-Z0-9]{8,}$`

This should be faster and easier to understand. To do it using only regex sounds like you need lookahead, which basically scans the expression twice afaik, though I'm not sure of the PHP internals on that one.

Be prepared for a lot of complaints about passwords not being accepted. I personally have a large subset of passwords that wouldn't validate against those restrictions. Also nonsensical passwords like 12345678 would validate, or even 11111111, but not f4#f@faASvCXZr$%%zcorrecthorsebatterystaple.

sapht
0
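```php
// Anchor the whitelist with ^ and $ (D: $ matches only at the very end) so
// the whole password must consist of allowed characters
if (preg_match('/^[!@#$%*a-zA-Z0-9]{8,}$/D', $password) && preg_match_all('/[0-9]/', $password) >= 2)
{
    // do
}
```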
0

Full Strong Password Validation With PHP

  • Min 8 chars long
  • Min One Digit
  • Min One Uppercase
  • Min One Lower Case
  • Min One Special Chars

`/^\S*(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=\S*[\W])[a-zA-Z\d]{8,}\S*$/`

Demo here
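
The question's policy checked three ways over constructed sample passwords, to show what anchoring changes and where the hash step from the comments fits. This is an added example, not code from any of the answers; the function names and sample strings are made up for illustration.

```php
<?php
// Added example, not code from any of the answers.
// Policy from the question: >= 8 characters, >= 2 digits,
// only letters, digits and ! @ # $ % *

// Pattern from the first answer, verbatim. In PCRE, $ also matches just
// before a final newline, so "abc\n"-style input passes unless D is set.
function policy_dollar(string $pw): bool
{
    return preg_match('/^(?=.*\d.*\d)[0-9A-Za-z!@#$%*]{8,}$/', $pw) === 1;
}

// Whitelist with no anchors: true as soon as 8 allowed characters occur
// in a row anywhere, whatever else the string contains.
function policy_unanchored(string $pw): bool
{
    return preg_match('/[!@#$%*a-zA-Z0-9]{8,}/', $pw) === 1
        && preg_match_all('/[0-9]/', $pw) >= 2;
}

// Two-step check anchored with \A and \z (absolute start and end).
function policy_strict(string $pw): bool
{
    return preg_match('/\A[!@#$%*a-zA-Z0-9]{8,}\z/', $pw) === 1
        && preg_match_all('/[0-9]/', $pw) >= 2;
}

// Constructed sample inputs: [password, why it is in the list].
$samples = [
    ['abc12!@#',      'meets the policy'],
    ['abcdefg1',      'only one digit'],
    ['ab1!2',         'shorter than 8'],
    ['abcdefgh12 ^&', 'space, ^ and & are not allowed'],
    ["abc12!@#\n",    'trailing newline'],
];

printf("%-20s %-7s %-11s %-7s %s\n", 'password', 'dollar', 'unanchored', 'strict', 'note');
foreach ($samples as [$pw, $note]) {
    printf("%-20s %-7s %-11s %-7s %s\n", json_encode($pw),
        var_export(policy_dollar($pw), true),
        var_export(policy_unanchored($pw), true),
        var_export(policy_strict($pw), true), $note);
}

// Store only a hash of an accepted password (PASSWORD_DEFAULT is currently bcrypt).
$hash = password_hash('abc12!@#', PASSWORD_DEFAULT);
var_dump(password_verify('abc12!@#', $hash));
```

The last two sample rows are the ones where the three checks disagree.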