validation

Strong Password (8+ chars, mixed) Regex Pattern

Validates a password that is at least 8 characters and contains at least one lowercase letter, one uppercase letter, and one digit. Does NOT require special characters — add <code>(?=.*[!@#$%^&*])</code> if you want that too.

/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$/

What each part matches

(?=.*[a-z]) — lookahead: must contain at least one lowercase
(?=.*[A-Z]) — lookahead: at least one uppercase
(?=.*\d) — lookahead: at least one digit
.{8,}$ — total length 8 or more

✓ These match

  • Password1
  • Utilko2026
  • Secr3t!!

✗ These don't

  • password
  • PASSWORD1
  • Pass1
  • 12345678

Use in your code

JavaScript

const re = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$/;
re.test(input); // → true or false

Python

import re
re.fullmatch(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$", input)

PHP (PCRE)

preg_match('/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$/', $input);

Go

re := regexp.MustCompile(`^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$`)
re.MatchString(input)

FAQ

Does this strong password (8+ chars, mixed) regex work in JavaScript?
Yes. Every pattern in the Utilko regex library is tested to work in JavaScript RegExp, PCRE (PHP, Nginx), and Python `re`. Where flavor matters (lookbehind, named groups), the pattern page flags it.
How do I use this pattern?
Copy the pattern from the code block above. In JavaScript: new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$') or literal /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$/. Or click "Try in regex tester" to open it pre-loaded in Utilko's browser-based regex tester.
Should I use this for security-critical validation?
Client-side regex is fine for UX (immediate feedback on a form). For anything security-critical — payments, auth, data integrity — always re-validate server-side using the same pattern PLUS domain-specific checks (Luhn checksum for cards, actual email delivery test, DNS resolution for domains).

Related regex patterns

← All regex patterns · Regex tester · Regex cheat sheet