Home/ Questions/Q 6254917
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T14:16:06+00:00

I have this password regex for an application that is being built its purpose

  • 0

I have this password regex for an application that is being built its purpose is to:

Make sure users use between 6 – 12 characters.

Make sure users use either one special character or one number.

Also that its case insensitive.

The application is in .net I have the following regex:

I have the following regex for the password checker, bit lengthy but for your viewing if you feel any of this is wrong please let me know.

^(?=.*\d)(?=.*[A-Za-z]).{6-12}$|^(?=.*[A-Za-z])(?=.*[!#$%&'\(\)\*\+-\.:;<=>\?@\[\\\]\^_`\{\|\}~0x0022]|.*\s).{6,12}$

Just a break down of the regex to make sure your all happy it’s correct.

^ = start of string ”^” 

(?=.*\d) = must contain “?=” any set of characters “.*” but must include a digit “\d”.

(?=.*[A-Za-z]) = must contain “?=” any set of characters “.*” but must include an insensitive case letter.

.{6-12}$ = must contain any set of characters “.” but must have between 6-12 characters and end of string “$”.

|^ = or “|” start of string “^”

(?=.*[A-Za-z]) = must contain “?=” any set of characters “.*” but must include an insensitive case letter.

(?=.*[!#$%&'\(\)\*\+-\.:;<=>\?@\[\\\]\^_`\{\|\}~0x0022]|.*\s)  = must contain “?=” any set of characters “.*” but must include at least special character we have defined or a space ”|.*\s)”. “0x0022” is Unicode for single quote “ character. 

.{6,12}$ = set of characters “.” must be between 6 – 12 and this is the end of the string “$”

It’s quite long winded, seems to be doing the job but I want to know if there is simpler methods to write this sort of regex and I want to know how I can shorten it if its possible?

Thanks in Advanced.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    First, good job at providing comments for your regex. However, there is a much better way. Simply write your regex from the get-go in free-spacing mode with lots of comments. This way you can document your regex right in the source code (and provide indentation to improve readability when there are lots of parentheses). Here is how I would write your original regex in C# code:

    if (Regex.IsMatch(usernameString, 
    @"# Validate username having a digit and/or special char.
      ^               # Either... Anchor to start of string.
      (?=.*\d)        # Assert there is a digit AND
      (?=.*[A-Za-z])  # assert there is an alpha.
      .{6-12}         # Match any name with length from 6 to 12.
      $               # Anchor to end of string.
    | ^               # Or... Anchor to start of string
      (?=.*[A-Za-z])  # Assert there is an alpha AND
      (?=.*           # assert there is either a special char
        [!#$%&'\(\)\*\+-\.:;<=>\?@\[\\\]\^_`\{\|\}~\x22]
      | .*\s          # or a space char.
      )               # End specialchar-or-space assertion.
      .{6-12}         # Match any name with length from 6 to 12.
      $               # Anchor to end of string.
    ", RegexOptions.IgnorePatternWhitespace)) {
    // Valid username.
} else {
    // Invalid username.
}

    The code snippet above uses the preferable @"..." string syntax which simplifies the escaping of metacharacters. This original regex erroneously separates the two numbers of the curly brace quantifier using a dash, i.e. .{6-12}. The correct syntax is to separate these numbers with a comma, i.e. .*{6,12}. (Maybe .NET allows using the .{6-12} syntax?) I’ve also changed the 0x0022 (the " double quote char) to \x22.

    That said, yes the original regex can be improved a bit:

    if (Regex.IsMatch(usernameString, 
    @"# Validate username having a digit and/or special char.
    ^                # Anchor to start of string.
    (?=.*?[A-Za-z])  # Assert there is an alpha.
    (?:              # Group for assertion alternatives.
      (?=.*?\d)      # Either assert there is a digit
    |                # or assert there is a special char
      (?=.*?[!#$%&'()*+-.:;<=>?@[\\\]^_`{|}~\x22\s])  # or space.
    )                # End group of assertion alternatives.
      .{6,12}        # Match any name with length from 6 to 12.
    $                # Anchor to end of string.
    ", RegexOptions.IgnorePatternWhitespace)) {
    // Valid username.
} else {
    // Invalid username.
}

    This regex eliminates the global alternative and instead uses a non-capture group for the “digit or specialchar” assertion alternatives. Also, you can eliminate the non-capture group for the “special char or whitespace” alternatives by simply adding the \s to the list of special chars. I’ve also added a lazy modifier to the dot-stars in the assertions, i.e. .*? – (this may make the regex match a bit faster.) A bunch of unnecessary escapes were removed from the specialchar character class.

    But as Stema cleverly pointed out, you can combine the digit and special char to simplify this even further:

    if (Regex.IsMatch(usernameString, 
    @"# Validate username having a digit and/or special char.
    ^                # Anchor to start of string
    (?=.*?[A-Za-z])  # Assert there is an alpha.
                     # Assert there is a special char, space
    (?=.*?[!#$%&'()*+-.:;<=>?@[\\\]^_`{|}~\x22\s\d])  # or digit.
    .{6,12}          # Match any name with length from 6 to 12.
    $                # Anchor to end of string.
    ", RegexOptions.IgnorePatternWhitespace)) {
    // Valid username.
} else {
    // Invalid username.
}

    Other than that, there is really nothing wrong with your original regex with regard to accuracy. However, logically, this formula allows a username to end with whitespace which is probably not a good idea. I would also explicitly specify a whitelist of allowable chars in the name rather than using the overly permissive "." dot.

    • 0