Strong password (length 12+, mixed) regex
Validates that a password is at least 12 characters and contains at least one lowercase letter, one uppercase letter, one digit, and one symbol. Uses lookaheads to enforce each requirement independently.
The pattern
/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{12,}$/
Caveats
Pattern-based password rules are widely considered weaker than length-based ones — a 20-character lowercase password is stronger than a 12-character one with every character class. Modern guidance (NIST SP 800-63B, 2024 update) recommends minimum length over composition rules. Use this pattern only when a system imposes class requirements.
Test strings
A mix of values that should match and values that shouldn't — paste these into the tester to see them light up live.
- Secure-Pass-1234
- all-lowercase-1234
- ALL-UPPER-1234
- TooShort1!
- 12345678901234
- P@ssw0rd-Excellent
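
The single regex only answers match or no match. The added example below (not part of the original page) runs the test strings above through each requirement separately so you can see which rule a rejected value fails. The names RULES, STRONG, CONTRADICTORY, SAMPLES, unmetRules and report are chosen for this example, and the consuming part of the combined pattern is assumed to be `.{12,}`.

```javascript
// Added example: per-rule diagnostics for the 12+/mixed-class policy.
// All identifiers here are illustrative names, not from a library.
const RULES = [
  ["length>=12", /^.{12,}$/],
  ["lowercase", /[a-z]/],
  ["uppercase", /[A-Z]/],
  ["digit", /\d/],
  ["symbol", /[^A-Za-z0-9]/],
];

// Single-regex form: four lookaheads assert, `.{12,}` consumes any characters.
const STRONG = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{12,}$/;

// Pitfall (constructed): a consuming class limited to letters and digits
// contradicts the symbol lookahead, so this variant can never match.
const CONTRADICTORY =
  /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9])[A-Za-z\d]{12,}$/;

// Returns the names of the rules a candidate fails; empty means it passes.
function unmetRules(password) {
  return RULES.filter(([, re]) => !re.test(password)).map(([name]) => name);
}

// Test strings from the list above.
const SAMPLES = [
  "Secure-Pass-1234",
  "all-lowercase-1234",
  "ALL-UPPER-1234",
  "TooShort1!",
  "12345678901234",
  "P@ssw0rd-Excellent",
];

// One row per sample: combined-regex verdict plus the rules it fails.
function report() {
  return SAMPLES.map((value) => ({
    value,
    ok: STRONG.test(value),
    unmet: unmetRules(value),
  }));
}

for (const row of report()) {
  const verdict = row.ok ? "match   " : "no match";
  console.log(`${verdict}  ${row.value}  ${row.unmet.join(", ")}`);
}
```

Returning the unmet rule names also lets a signup form tell the user what to change instead of showing a generic rejection.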