Test it against 0123456789aA+* and you will see.

I also think the leading .* can be dismissed since it present in all positive lookaheads. The last .* is the source of the flaw since it allows any character to follow the valid characters.

Expression used:
^.*(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&]).*$

Having looked at it again …seems like Apache doesnt accept characters like “?” , not sure what could be the replacement for the same and if there is none then the expression would be difficult to be written and understood by anyone at later stage as to check for 4 conditions in expression upper alpha , lower alpha , numeric and special characters string of expression will become too lengthy.

Expression used:
^.*(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&]).*$

^(?=.{10,32})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%*^&(){}]).*$

Analyzing this, you basically can pull the “atoms” out and you can see this…

^.*$

Which reads “accept any number of characters”.

Putting the atoms back states that the string must meet the “atom” criteria. For example, if we just wanted to limit the size we use the size “atom”.

^(?=.{10,32}).*$

“Accept between 10 and 32 characters of any type.”

If you wanted to make sure it also had at least 1 digit:

^(?=.{10,32})(?=.*\d).*$

“Accept between 10 and 32 characters and must have any number of digits.”

Now, we simply don’t care how many digits they use. If you only wanted them to use a specific number of digits, you’d have to change the (.*) portion of the digit “atom”. As an example, lets limit it to between 2 and 4 digits:

^(?=.{10,32})(?=\d{2,4}).*$

In this case, we can keep building up what your password Regex criteria is.

If you wanted to allow the user to pick 2 or 3 of the 4 criteria such as:

“Your password must contain at least 3 of the following criteria: Upper-case, Lower-case, Number, and special character”

You need to use the or (|) and build up all the possible combination. Allowing any 3 of the 4 criteria would create:

^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).*$
|
^(?=.*\d)(?=.*[a-z])(?=.*[@#$%^&+=]).*$
|
^(?=.*\d)(?=.*[A-Z])(?=.*[@#$%^&+=]).*$
|
^(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$

(There’s no limit to size, but clearly the password has to be at least 3 characters long since it has to have at least 3 unique characters in the string)

Another issue you might see is that it allows ANY character (Nulls, Newlines, etc) in the string as long as AT LEAST the criteria characters at met.

Meaning, you can have:

“aB3{space}{newline}{etc..}”

and it will still be accepted. To limit what characters you string can contain to be only the characters listed in your criteria (alpha-numeric and the listed special characters) you have to edit the (.*) to be the list of characters you want to accept such as ([a-zA-Z0-9@#$%^+=]*).

Taking the “atoms” out, you will have a base Regex like this:

^[a-zA-Z0-9@#$%^+=]*$

Simply add in the “Atoms” you want for criteria back in. Here’s what I use:

“Require 3 of 4 criteria of: upper-case, lower-case, number, or the following special characters (@#$%^+=). No other characters are allowed.”

^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[a-zA-Z0-9@#$%^&+=]*$
|
^(?=.*\d)(?=.*[a-z])(?=.*[@#$%^&+=])[a-zA-Z0-9@#$%^&+=]*$
|
^(?=.*\d)(?=.*[A-Z])(?=.*[@#$%^&+=])[a-zA-Z0-9@#$%^&+=]*$
|
^(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=])[a-zA-Z0-9@#$%^&+=]*$

Add/remove special characters or “atoms” as you need.

My name is Ion Drimba and I´m a flash developer from Brazil.
I ´m wondering if it´s possible to built a regular expression for this scenario:

min 1 number max 8 and
min 1 alphanumeric max 2.
The order doesn’t matter.

It is possible or am I trying to do something that regular expression doesn´t support?

Thanks Ion Drimba