1

I'm trying to create a regex for a password input, where the user must enter at least one digit, one uppercase letter, one lowercase letter, and any one symbol except the asterisk and percentage sign, and must be at least fifteen characters long. Thus far, I have come up with this:

(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z\d*%]).{15,}

But when I test this on RegexR, I try inputting the following string, ILovePizza1234!!!*, and it passes. What is wrong with the expression? Please help, and thanks for any tips in advance.

gfcf14

1 Answer

2

Your lookahead assertion (?=.*[^A-Za-z\d*%]) checks if there is at least one character except alphanumericals, percent signs or asterisks. It does not prohibit the presence of any asterisk/percent sign. So as long as there is at least one character that matches [^A-Za-z\d*%] (a condition fulfilled by ! in your test string), that assertion succeeds.

You need an additional negative lookahead assertion:

^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z\d])(?!.*[*%]).{15,}

(?!.*[*%]) will cause the regex match to fail if a * or % is present anywhere in the string.

Tim Pietzcker
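
The difference between the question's pattern and the answer's pattern, as an added example that is not part of the original posts. The helper names `failedRules` and `compare` are hypothetical, and every sample password except the first (taken from the question) is constructed.

```javascript
// The two patterns from this thread, copied unchanged.
const original = /(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z\d*%]).{15,}/;
const corrected = /^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z\d])(?!.*[*%]).{15,}/;

// Hypothetical helper: the same policy written as separate checks, so a
// form can report which rule failed instead of a bare true/false.
function failedRules(pw) {
  const rules = [
    ["at least 15 characters", pw.length >= 15],
    ["a digit", /\d/.test(pw)],
    ["a lowercase letter", /[a-z]/.test(pw)],
    ["an uppercase letter", /[A-Z]/.test(pw)],
    ["a symbol", /[^A-Za-z\d]/.test(pw)],
    ["no * or %", !/[*%]/.test(pw)],
  ];
  return rules.filter(([, ok]) => !ok).map(([name]) => name);
}

// Sample passwords (constructed, except the first).
const samples = [
  "ILovePizza1234!!!*", // test string from the question
  "ILovePizza1234!!!",  // satisfies every rule
  "ILovePizza1234*%*",  // only symbols are the forbidden ones
  "ilovepizza1234!!!",  // no uppercase letter
  "ILovePizza1!",       // too short
];

// Run both patterns and the rule-by-rule check over a list of passwords.
function compare(list) {
  return list.map((pw) => ({
    pw,
    original: original.test(pw),
    corrected: corrected.test(pw),
    failed: failedRules(pw),
  }));
}

console.table(compare(samples).map((r) => ({ ...r, failed: r.failed.join(", ") })));
```
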