Javascript Regex for strong password with specific ordering of the characters

Question

I have seen answers for strong password checks but I have an additional requirement for the order in which the characters appear.

The password should contain at least:

One upper case letter.
One lower case letter.
One number.
One special character.

The order being:

Should start with upper case and lower case letters.
Followed by number and/or alphabetical characters.
In the end, should be a special character.

e.g.

Xyz1325@ is valid.
aBcd123xYz# is also valid.
@Xyz1234 is invalid.
1234Xyz@ is invalid.
Xyz@ is invalid.

So you took a reasonably strong password and decimated the strength by creating known patterns in 3 positions? — mplungjan, Dec 15 '18 at 16:20
Actually I need to post the data to an API which has the position restrictions. Shall I use two regex patterns instead? — Ramachandra A Pai, Dec 15 '18 at 16:38
@mplungjan, For the regex that you provided even Xyz@ passes which is invalid bcoz there is no number. — Ramachandra A Pai, Dec 15 '18 at 16:44
It was a start. SO prefers to see some effort and your restrictions are interesting — mplungjan, Dec 15 '18 at 17:20
You should really read [Reference - Password Validation](https://stackoverflow.com/questions/48345922/reference-password-validation) — ctwheels, Dec 28 '18 at 19:21

score 1 · Answer 1 · answered Dec 15 '18 at 17:09

The regex I believe you are looking for is this: https://regex101.com/r/nO2DxE/2

Explanation: These groups (?=.*[A-Z].*) (?=.*[0-9].*) (?=.*[a-z].*) make sure your string contains at least one uppercase letter, one lowercase letter and one digit. The rest of the regex checks that the order you described is respected.

Overall, the regex is: (?=.*[A-Z].*)(?=.*[0-9].*)(?=.*[a-z].*)^[a-zA-z][a-zA-Z0-9]*[@!#+-]$

score 1 · Accepted Answer · edited Dec 28 '18 at 06:59

1

Introducing a specific order of characters in a password makes it relatively more predictable, hence losing the strength of it, and I'll suggest you to get away with that restriction. Nevertheless, you can use this regex that will meet your needs,

^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[~!@#$%^&*])[a-zA-Z][a-zA-Z\d]*[~!@#$%^&*?<>]*$

Explanation:

^ --> Start of string
(?=.*[a-z]) --> Ensures the password has at least one lowercase letter.
(?=.*[A-Z]) --> Ensures the password has at least one uppercase letter.
(?=.*\d) --> Ensures the password has at least one digit.
(?=.*[~!@#$%^&*]) --> Ensures the password has at least one special character from this set. You can put more characters inside that you want to treat as special.

Now comes the part for ensuring the order. As you said it should start with an alphabet, hence we need the first character as,

[a-zA-Z]

Then following it can be alphabet or numbers hence you can use,

[a-zA-Z\d]*

And finally you want special characters, and by your this statement "In the end, should be a special character." I assume you do not want to restrict it to just one single special character, hence at the end of regex it should be this,

[~!@#$%^&*?<>]*

which can match one or more special characters. If you really meant just one special character then just make it [~!@#$%^&*?<>]

And finally end it with $ to stop matching the string.

Live Demo

Hope this works for you. Or else, let me know for any other queries.

Edit

Bonus: If you want to check length as well you can do so using the following:

^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[~!@#$%^&*])(?=.{6,18}$)[a-zA-Z][a-zA-Z\d]*[~!@#$%^&*?<>]*$

The additional (?=.{6,18}$) is to ensure that your regex has length between 6 to 18.

@Pushpesh, Please correct if wrong.

edited Dec 28 '18 at 06:59

Ramachandra A Pai

407
4
22

answered Dec 15 '18 at 20:30

Pushpesh Kumar Rajwanshi

18,127
2
19
36

This is taking Testp1#212 also as valid. – Ramachandra A Pai Dec 27 '18 at 07:25
@RamachandraAPai: No it is not taking it as valid. [See here](https://regex101.com/r/9YsYFZ/2) May I know where and how you are checking it? Looks like there is some kind of issue. – Pushpesh Kumar Rajwanshi Dec 27 '18 at 07:30
Yes @pushpesh, my bad. I had modified the regex for checking length as well. Reverted the regex to what you provided and used js functions instead to check length. Thanks again. – Ramachandra A Pai Dec 27 '18 at 09:55
@RamachandraAPai: Its okay dear. If you want to have length checks within regex, I can do that too. Let me know about your length restrictions. – Pushpesh Kumar Rajwanshi Dec 27 '18 at 10:10
Thanks @Pushpesh but I figured it out. Instead let me know a site where I can understand the nuances of regex from. – Ramachandra A Pai Dec 28 '18 at 06:16
I have added the length check as well to the answer. – Ramachandra A Pai Dec 28 '18 at 06:30
1

@RamachandraAPai: Yes, that's perfect way of length check. For getting better at regex, this regex info page is [THE BEST](https://stackoverflow.com/tags/regex/info) as it tells you lot of basic stuff and contains lots of references to great sites. – Pushpesh Kumar Rajwanshi Dec 28 '18 at 07:05

Javascript Regex for strong password with specific ordering of the characters

2 Answers2