kaboom

Reputation: 9

REGEX password validation without special characters

I am using this regex to validate my password. My password -

My regex is

^.*(?=.{8,})(?=.*\d*\d)(?=.*[a-zA-Z]*[a-zA-Z])(?!.*\W).*$

but unfortunately it still matches if I try to put special characters at the beginning. For example @password12, !password12.

Upvotes: 0

Views: 4135

Answers (3)

Tony

Reputation: 81

I had a similar situation in which the client needed 4 alpha, 1 number, and between 8 and 20 characters. I've adapted my solution to your problem:

^(?=(?:[a-zA-Z0-9]*[a-zA-Z]){2})(?=(?:[a-zA-Z0-9]*\d){2})[a-zA-Z0-9]{8,}$

I understand the other answers dissuading you from this route, but sometimes the client wants what the client wants, regardless of your arguments to the contrary.

Upvotes: 2

codaddict

Reputation: 455282

You can use the following regex in case insensitive mode:

^(?=[a-z]*[0-9][a-z]*[0-9])^(?=[0-9]*[a-z][0-9]*[a-z])[a-z0-9]{8,}$


Upvotes: 2

Bryan Oakley

Reputation: 386210

Because your pattern begins and ends with .*, it will match anything at the beginning or end of the string, including special characters.

You shouldn't be solving this problem with a single regular expression, it makes the code hard to read and hard to modify. Write one function for each rule using whatever makes sense for that rule, then your validation script becomes crystal clear:

if is_alpha_only(password) &&
   len(password) >= 8 &&
   has_2_or_more_numbers(password) &&
   has_2_or_more_alpha(password) ...

Seriously, what's the point of cramming all of that into a single regular expression?

And why disallow special characters? There's simply no reason for that.

Upvotes: 2
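An added example, not part of any answer above: the question's pattern and Tony's anchored pattern run next to a one-function-per-rule validator on the same inputs. The rule set (letters and digits only, at least 8 characters, at least 2 digits, at least 2 letters) is assumed from the answers, and the helper names and all sample passwords except `@password12` are constructed for illustration.

```python
import re
import string

# The question's pattern, copied unchanged: the leading ".*" can swallow
# characters before the lookaheads are evaluated.
ORIGINAL = re.compile(
    r"^.*(?=.{8,})(?=.*\d*\d)(?=.*[a-zA-Z]*[a-zA-Z])(?!.*\W).*$")
# Tony's anchored pattern from the answers, copied unchanged.
ANCHORED = re.compile(
    r"^(?=(?:[a-zA-Z0-9]*[a-zA-Z]){2})(?=(?:[a-zA-Z0-9]*\d){2})[a-zA-Z0-9]{8,}$")

def is_alnum_only(pw):
    # fullmatch rather than match + "$": in Python, "$" also matches just
    # before a trailing newline.
    return re.fullmatch(r"[A-Za-z0-9]+", pw) is not None

def count_digits(pw):
    return sum(c in string.digits for c in pw)

def count_letters(pw):
    return sum(c in string.ascii_letters for c in pw)

# Assumed rule set (taken from the answers, not stated in the question).
RULES = [
    ("only letters and digits", is_alnum_only),
    ("at least 8 characters", lambda pw: len(pw) >= 8),
    ("at least 2 digits", lambda pw: count_digits(pw) >= 2),
    ("at least 2 letters", lambda pw: count_letters(pw) >= 2),
]

def failed_rules(pw):
    """Return the names of the rules the password breaks (empty = valid)."""
    return [name for name, check in RULES if not check(pw)]

def compare(pw):
    """(original regex accepts?, anchored regex accepts?, failed rules)."""
    return (ORIGINAL.match(pw) is not None,
            ANCHORED.match(pw) is not None,
            failed_rules(pw))

if __name__ == "__main__":
    # Constructed sample inputs; the first one is from the question.
    for sample in ["@password12", "pass_word12", "password12\n",
                   "password1", "password12"]:
        print(repr(sample), compare(sample))
```

The run shows three things the single pattern hides: `\W` does not treat `_` as a special character, `\d*\d` only requires one digit, and a pattern ending in `$` used with `re.match` accepts a trailing newline.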
