How to validate password with regular expression

Password Regular Expression Pattern



(			# Start of group
  (?=.*\d)		#   must contains one digit from 0-9
  (?=.*[a-z])		#   must contains one lowercase characters
  (?=.*[A-Z])		#   must contains one uppercase characters
  (?=.*[@#$%])		#   must contains one special symbols in the list "@#$%"
              .		#     match anything with previous condition checking
                {6,20}	#        length at least 6 characters and maximum of 20	
)			# End of group

?= – means apply the assertion condition, meaningless by itself, always work with other combination

Whole combination is means, 6 to 20 characters string with at least one digit, one upper case letter, one lower case letter and one special symbol (“@#$%”). This regular expression pattern is very useful to implement a strong and complex password.

P.S The grouping formula order is doesn’t matter.

1. Java Regular Expression Example
package com.mkyong.regex;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
public class PasswordValidator{
	  private Pattern pattern;
	  private Matcher matcher;
	  private static final String PASSWORD_PATTERN = 
	  public PasswordValidator(){
		  pattern = Pattern.compile(PASSWORD_PATTERN);
	   * Validate password with regular expression
	   * @param password password for validation
	   * @return true valid password, false invalid password
	  public boolean validate(final String password){
		  matcher = pattern.matcher(password);
		  return matcher.matches();

2. Password that match:

1. mkyong1A@
2. mkYOn12$

3. Password that doesn’t match:

1. mY1A@ , too short, minimum 6 characters
2. mkyong12@ , uppercase characters is required
3. mkyoNg12* , special symbol “*” is not allow here
4. mkyonG$$, digit is required
5. MKYONG12$ , lower case character is required

4. Unit Test – PasswordValidator

Unit test with TestNG.
package com.mkyong.regex;
import org.testng.Assert;
import org.testng.annotations.*;
 * Password validator Testing
 * @author mkyong
public class PasswordValidatorTest {
	private PasswordValidator passwordValidator;
        public void initData(){
		passwordValidator = new PasswordValidator();
	public Object[][] ValidPasswordProvider() {
		return new Object[][]{
		   {new String[] {
			   "mkyong1A@", "mkYOn12$", 
	public Object[][] InvalidPasswordProvider() {
		return new Object[][]{
		   {new String[] {
	@Test(dataProvider = "ValidPasswordProvider")
	public void ValidPasswordTest(String[] password) {
	   for(String temp : password){
		boolean valid = passwordValidator.validate(temp);
		System.out.println("Password is valid : " + temp + " , " + valid);
		Assert.assertEquals(true, valid);
	@Test(dataProvider = "InvalidPasswordProvider", 
	public void InValidPasswordTest(String[] password) {
	   for(String temp : password){
		boolean valid = passwordValidator.validate(temp);
		System.out.println("Password is valid : " + temp + " , " + valid);
		Assert.assertEquals(false, valid);

5. Unit Test – Result

Password is valid : mkyong1A@ , true
Password is valid : mkYOn12$ , true
Password is valid : mY1A@ , false
Password is valid : mkyong12@ , false
Password is valid : mkyoNg12* , false
Password is valid : mkyonG$$ , false
Password is valid : MKYONG12$ , false
PASSED: ValidPasswordTest([Ljava.lang.String;@1d4c61c)
PASSED: InValidPasswordTest([Ljava.lang.String;@116471f)
    Tests run: 2, Failures: 0, Skips: 0
Total tests run: 2, Failures: 0, Skips: 0
Tags :

About the Author

Founder of and, love Java and open source stuff. Follow him on Twitter, or befriend him on Facebook or Google Plus. If you like my tutorials, consider make a donation to these charities.


  • Maycon

    this allow any caractere,except space, and it must to contain a letter and a number:


  • seded

    to escape the . and , from the regex

  • ih


  • raj

    i need regular expression for password validation which accepts only one character
    (from a-z) and any number of digits where password size is 8 characters.
    for ex:143h6434—> valid
    143d432y—> invalid

    in spring mvc

    thanks in advance,

  • Fernie

    Hi All,

    What if password should not include easy-to-guess string such as “love”, “happy”, “12345678”, “qwerty”, “asdfgh”, “zxcvb”. How can regular expression validate such strings?


  • Marie

    Thank you very much. Pretty helpful!

  • Anonymous


    required; min 1 lowercase letter, min 1 uppercase letter, @#$%_- special character accepting. disallow spaces, minlength 8 maxlength 20 character.

    good luck.

  • mrlami

    Dude… Awesome!

  • Anonymous

    Hi Mkyong.
    what is the pattern for gmail passwords?

  • Aniketh

    Thanks ….. works great

  • muneeb

    c program ask user to enter password of 6 character and check wether it is a strong password

  • Konrad

    I recommend: ((?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%]).{6,20})([a-zA-Z\@\#\$\%\d])
    this will be block other marks

  • rudresh

    Hi its works perfect but first letter should be in character, how to add that.

    i tried adding like below in the beginning but its expecting again the capital or small letter; ex:

    1) Rudresh.12s its return false; its expects Upper case letter again
    2) rUDRESH.12s it return false; its expects Lower case letter again


    • OtaTat

      Try this one

  • shiva

    it’s accepting space

  • Raymond Ng

    Add (?!.*\\s) to disallow spaces in the password.

    • mkyong

      That’s good hack, thanks ~

  • Tomek

    3. mkyoNg12* , special symbol “*” is not allow here

    true, but try this:
    Ng1#**** – allowed!

    (in fact there could be ANY char in place of ‘*';

    If you would like to limit chars to only [a-zA-Z0-9@#$%] use:


  • Haider M Rizvi

    This post helped me. Thanks.

  • Pingback: Java Regular Expression Tutorial()

  • Lincoln Baxter, III

    Hey! Great example – I’d like to suggest a slight adaptation, however. While it is tempting to use a single regular expression for this, I think that there are good reasons to actually split up the regex into multiple checks. Performance is not usually a concern with password checking, so invoking a few more regex calls isn’t really a big deal, like so:

  • chris k

    Thanks for this! Saved me a lot of time. Much appreciated Mkyong!

  • Jonas Grimsgaard

    Thank you, you saved me ALOT of time ?

  • Belen Kotow

    yeah, you are right. this is a very good articles.i have learned so many things from

  • Pingback: Wicket password field example()

  • Jeremiah

    Using this string as test data: “X@CpJ[8~”

    It would return true, even though the characters ‘[‘ and ‘~’ are not allowed.

    • Victor

      According to the regex these characters are allowed, but not required.

  • John

    This regEx fails for April123
    Why is that so?

    According to pattern it should not pass right?

    • Satish Motwani

      Hello John,
      Atleast one special character out of [@#$%] must be present.

  • Mo Fielding

    Thanks! Very helpful. I slept through the regex stuff in class… :-(

  • Alex

    Good night,

    I’m not able to pass parameters to the regular expression for example:
    ((?=.*\\d{3}) == Change de number 3 to a variable .

    Thanks a lot,

  • Pingback: JSF 2 validateRegex example()

  • Pingback: 10 Java Regular Expression Examples You Should Know | Regular Expressions()