How to use regular expressions to enforce password policies

04 mei 2016  |  
4 min leestijd

Hi everyone welcome to another blog post about something I recently discovered.

As I was working on an application, and we were nearing our release deadline, we discovered we still had to choose a password policy. Until now, for development and testing purposes such a policy was not yet introduced in the application.

The back-end part was easy, we use a cloud provider for our authorization, so we could just set it up there.  But then came the front-end part.

I immediately started thinking about regular expressions, as probably any developer would. We use regular expressions for pattern matching right? But very soon in my thinking process I also though it could not be done, because there is an order in a regular expression.  That means that the regular expression engine moves through your string as it is evaluating your regex.

I will give you a short example. Let’s say we want to match a password policy that says it should contain a small letter, capital case letter and a number. Something like Test22.

You would probably start with a regex that says something like:


But this regex actually also matches just test. Because this regex says that every character it encounters should be part of this list. So this probably won’t do. Let’s try something else:


This also won’t do, as this means the first characters of the password should be lower case, capital case, number and then everything is possible. This is the order I was talking about earlier. As the regex engine encounters the first character of the string, it matches it against the first construct in your regex, the second with the second, and so on.

So what we actually need is a regex construct that does not move our Regex engine. A construct that matches different parts, but the order of these parts is not important. It turns out these constructs are actually there and supported by almost all of the engines that are out there. They are called Lookahead and Lookbehind constructs. Let’s have a look!


This is a very simple lookahead. This validates that everything after the current position of our regex engine should be the string “bar”. The syntax for a lookahead is (?=<regex>). The part between the angle brackets can contain a regex. You can use a look ahead on every position in your regex. The regex above says :The start of the string should be followed by bar. But I can also do something like this:


This regex says the word test should be followed by bar. Now why would you use these constructs?

Instead of when you write the above with a normal regular expression, after the regex engine hits the last “t” of the word test, it does not move. The engine takes note of the lookahead, it evaluates the part after “test” but does not move. What does this mean?

Let’s make it more complex:


This does a couple of nice things. First, this has multiple lookaheads. You can actually combine them to do multiple evaluations, without moving the regex engine. In the above example both lookaheads will be evaluated from the last “t” of the word test. Both of the lookaheads must be true to make your entire regular expression match. Looking at the above string this regex says. Your string should start with “test” followed by “foo” and “bar” but the order does not matter! And this is something that is very hard to achieve without this construct. So the following string would match:

  • testfoobar
  • testbarfoo

But not: test

So this gives us the possibility to specify conditions, in which the order is not important, but they do all need to be satisfied. Exactly what we would need to enforce passwords.

So let’s have a look at a simple password policy that says that a password should contain a number, a lowercase letter and a capital case letter. And it should be at least six characters long. Every condition will become a lookahead except  for the length.


This is it! Let’s explain this a little. The “^” says the start of the string. From the start of the string we will perform three lookaheads.

  • .*[A-Z] Means from the start of the string there can be any number of characters but they should be followed by a capital letter.
  • .*[0-9] Means from the start of the string there can be any number of characters but they should be followed by a number.
  • .*[a-z] Means from the start of the string there can be any number of characters but they should be followed by a lower letter.

Keep in mind, the order of these lookaheads do not matter! They all get evaluated from the start of our string, without changing the position of our engine. If they are all true, the lookahead part of our regex is satisfied.

The lookahead part is followed by

  • .{8,}$

As this is not part of a lookahead, this will change the position of our regex engine. So the engine will move up  at least 8 positions of any character in our string and then the password should end. The $ sign, means the end of the string.

And that’s it! An easy way to enforce password policies, this is very useful in an Angular front-end in combination with ng-pattern and ng-message to give a friendly message on your create a new user form.


If we want to add extra conditions, for example at least one special character, we just add an extra lookahead. The entire regex becomes:



Thanks for reading!


04 mei 2016  |  
4 min leestijd


Luminis onderscheidt zich van andere aanbieders in de ICT door een waarde- en klantgedreven aanpak. Wij willen vooruitgang zien, zowel bij onze klanten als bij onze medewerkers. Graag komen we met je in contact om te ontdekken hoe we die kunnen realiseren.


©2019 Luminis Arnhem – Leveringsvoorwaarden

Design: Eyefun