12

Can someone give me the regex to match a valid AWS Cognito password - with numbers, special characters (their list), lower and upper case letters?

The AWS Cognito default length limit is 6 characters and has its own list of special characters.

Note that the AWS Cognito password regex is specific to AWS Cognito - not just a general password regex.

Jonathan Irwin

2 Answers

53

Updated Answer - March 2023


```
/^(?!\s+)(?!.*\s+$)(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*[$^*.[\]{}()?"!@#%&/\\,><':;|_~`=+\- ])[A-Za-z0-9$^*.[\]{}()?"!@#%&/\\,><':;|_~`=+\- ]{8,256}$/
```

Explanation

  • `/` Indicates the start of a regular expression.
  • `^` Beginning. Matches the beginning of the string.
  • `(?!\s+)` Disallows leading spaces.
  • `(?!.*\s+$)` Disallows trailing spaces.
  • `(?=.*[a-z])` Requires lowercase letters.
  • `(?=.*[A-Z])` Requires uppercase letters.
  • `(?=.*[0-9])` Requires numbers.
  • `` (?=.*[\^$*.[\]{}()?"!@#%&/\\,><':;|_~`=+\- ]) `` Requires at least one special character from the specified set. (The non-leading, non-trailing space character is also treated as a special character.)
  • `` [A-Za-z0-9^$*.[\]{}()?"!@#%&/\\,><':;|_~`=+\- ]{8,256} `` Minimum 8 characters from the allowed set, maximum 256 characters.
  • `$` End. Matches the end of the string.
  • `/` Indicates the end of a regular expression.

The minimum character limit defaults to 8 but can be customised to a value between 6 and 99. The full length of a password, however, is limited to 256 characters (not 99).

Interactive Example

https://regexr.com/79p07

Documentation

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-policies.html

Inaccuracies in documentation

Cognito also has a "no leading or trailing spaces" rule in the default password requirements, but there are several docs out there that incorrectly state that "The space character is also treated as a special character". However, the current behaviour is actually "The non-leading, non-trailing space character is also treated as a special character".

To see the correct default password rules, view a user pool, click on the "Sign-in experience" tab, and click on "Contains at least 1 special character" to bring up a tooltip with the rules.

Steve Harrison
Jonathan Irwin
  • 3
    The above regex failed for me as it was missing some special characters. I've updated it here to work with the default Cognito password config: `/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[=+\-^$*.\[\]{}()?"!@#%&/\\,><':;|_~\`])\S{8,99}$/` – tsiege Oct 17 '20 at 18:44
  • 2
    According to https://regex101.com/ the regex is invalid because a forward slash is not escaped. PLUS we had real problems using this regex in the deployed React version on an S3 bucket (locally it worked). Also, I question that 6 chars is the default; I think it's 8. – CodingYourLife Dec 10 '20 at 15:50
  • @CodingYourLife sorry this gave you trouble - what was the issue? I see on regex101.com it complains when used in PHP - if you used it in React it should have been valid. Both PHP and JS seem happy with the forward slash escaped so I will update the answer. I also see 8 is now the default - again I will update. – Jonathan Irwin Dec 10 '20 at 18:57
  • +1 for @CodingYourLife 's comment about not working on S3. We faced the same issue...works perfectly in local environment but not when deployed to S3. Seems like odd behavior. Does anyone have a fix for this? – hugo Nov 11 '21 at 12:34
  • I had a similar problem with this regex where it worked locally but not in production (React SPA on AWS). I carefully retyped the regex letter by letter and it was fixed, so I think the problem was coming from exotic quotations when I had originally copy/pasted. Try this: ```/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[\^$*.\[\]{}\(\)?\-"!@#%&\/,><\':;|_~`])\S{8,99}$/``` – indigoi Dec 03 '21 at 08:10
  • 1
    @hugo here it is deployed to S3, where it seems to work fine: http://awspasswordregex.s3-website-eu-west-1.amazonaws.com/ The code is simple, so view source if you want to see how it works. I will update the answer to use the regular quotations - thanks indigoi – Jonathan Irwin Dec 04 '21 at 10:49
  • 2
    Cognito defaults include =, - and +. Unfortunately they're not listed in the official documentation, but by default they are admitted by Cognito. These are taken straight from the Cognito AWS Console: `` (^ $ * . [ ] { } ( ) ? - " ! @ # % & / \ , > < ' : ; | _ ~ ` + =) `` – santamanno Dec 15 '21 at 15:53
  • Would be useful to add references to this answer to understand where it's come from/what specifications it's based on. – Dan Dec 21 '21 at 20:30
  • 1
    @JonathanIrwin, I think using `\S` is a rather large mistake in your regexp. Now this may have been a little different when you put the regexp together, however according to AWS today a password is allowed to contain upper & lower case basic latin letters, numbers, and special characters from the list. It must also contain fewer than 99 characters so you need to reduce the max length by 1. `\S` will allow anything that isn't whitespace, so as long as the password satisfies the "contains a *" lookaheads it can contain any other characters that aren't in the allowed set. Continued... – Andrew Jun 16 '22 at 20:02
  • 3
    I propose tightly defining the allowed character set of your regexp with: `/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[\^$*.\[\]{}\(\)?\"!@#%&\/\\,><\':;|_~\`=+\-])[a-zA-Z0-9\^$*.\[\]{}\(\)?\"!@#%&\/\\,><\':;|_~\`=+\-]{8,98}$/` The current Cognito password requirements specifications are available here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-policies.html. (I'd add this answer myself but some bright spark closed this question because it looked similar to another one) – Andrew Jun 16 '22 at 20:07
  • Regarding regex for special characters, see below an up to date one : ```/[\^$*.\[\]{}\(\)?"!@#%&\\\/,><\':;|_~`=+\- ]/;``` – Clément Faure Aug 19 '22 at 15:28
  • The 99 character limit is actually the cap on minimum password length. A Cognito password can be up to 256 characters in length. The minimum can be between 6 and 99 as per the [docs](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-policies.html). Also, contrary to the comments above, "The space character is also treated as a special character.". – jfgilmore Sep 19 '22 at 02:31
  • @jfgilmore I see what you mean about the length. I will update the answer – Jonathan Irwin Sep 20 '22 at 08:59
  • Thank you @jfgilmore, you've caught a few bits that I missed from the spec so I'll update what I'm using accordingly. – Andrew Oct 10 '22 at 00:40
  • @Andrew's Regex works better – ganta Jan 13 '23 at 21:45
  • 1
    The regex does not work if the password contains the char § – Charles Apr 21 '23 at 19:56
  • @Charles any idea how to fix it? Does Cognito accept that as a valid special character? – Jonathan Irwin Apr 24 '23 at 16:43
  • Yes Cognito allows that char. I would suggest adding `(.)` at the end of the regex: ```/^(?!\s+)(?!.*\s+$)(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*[$^*.[\]{}()?"!@#%&/\\,><':;|_~`=+\- ])[A-Za-z0-9$^*.[\]{}()?"!@#%&/\\,><':;|_~`=+\- ](.){8,256}$/``` – Charles Apr 25 '23 at 18:39
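
An added example, not part of the original answer or its comments: a rule-by-rule check that mirrors the March 2023 regex above and reports which rule failed, including characters outside the allowed set such as the § raised in the comments. The function and constant names are assumptions for illustration, the sample passwords are constructed, and the special-character set is copied from the answer's regex.

```javascript
// Added example; names are illustrative, not from the answer or from AWS.
// The regex is the March 2023 one from the answer, copied unchanged.
const ANSWER_REGEX = /^(?!\s+)(?!.*\s+$)(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*[$^*.[\]{}()?"!@#%&/\\,><':;|_~`=+\- ])[A-Za-z0-9$^*.[\]{}()?"!@#%&/\\,><':;|_~`=+\- ]{8,256}$/;

// Same special characters as the regex's character class (space included).
const SPECIALS = new Set('$^*.[]{}()?"!@#%&/\\,><\':;|_~`=+- ');
const MAX_LENGTH = 256; // overall cap stated in the answer

// Returns the list of failed rules; an empty array means the password passes.
// minLength is the pool's configured minimum (6 to 99, default 8).
function checkCognitoPassword(pw, minLength = 8) {
  if (!Number.isInteger(minLength) || minLength < 6 || minLength > 99) {
    throw new RangeError('minLength must be an integer from 6 to 99');
  }
  const chars = [...pw];
  const failures = [];
  if (pw.length < minLength) failures.push('too-short');
  if (pw.length > MAX_LENGTH) failures.push('too-long');
  if (/^\s|\s$/.test(pw)) failures.push('leading-or-trailing-space');
  if (!/[A-Z]/.test(pw)) failures.push('no-uppercase');
  if (!/[a-z]/.test(pw)) failures.push('no-lowercase');
  if (!/[0-9]/.test(pw)) failures.push('no-number');
  if (!chars.some((c) => SPECIALS.has(c))) failures.push('no-special');
  // Anything outside letters, digits and SPECIALS is reported by name.
  const bad = new Set(
    chars.filter((c) => !/^[A-Za-z0-9]$/.test(c) && !SPECIALS.has(c))
  );
  if (bad.size > 0) failures.push('disallowed:' + [...bad].join(''));
  return failures;
}

// True when the rule-by-rule result and the regex give the same verdict.
function agreesWithAnswerRegex(pw) {
  return (checkCognitoPassword(pw).length === 0) === ANSWER_REGEX.test(pw);
}

// Constructed sample inputs covering each rule.
const SAMPLES = [
  'Abcdefg1!', 'Abcd efg1', ' Abcdefg1!', 'Abcdefg1! ', 'abcdefg1!',
  'Abcdefgh1', 'Passw0rd§!', 'Ab1!xy', 'A1!' + 'a'.repeat(254),
];
for (const pw of SAMPLES) {
  console.log(JSON.stringify(pw.slice(0, 12)), checkCognitoPassword(pw),
    agreesWithAnswerRegex(pw));
}
```

A check like this only improves feedback in the form; the user pool applies its configured policy on sign-up and password change regardless of what the client validated.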
1

The regex formula for Swift 5 is:

```swift
"(.*[()!@^$*.?\\-@#%&\":;|><'_~`+=\\[\\],{}])"
```
Matthew Usdin