Search⌘ K
AI Features
Home
Courses
JavaScript Regular Expressions in Detail

Password Pattern Matching

Explore how to create password validation rules using JavaScript regular expressions. Understand positive lookaheads to check for numbers, uppercase and lowercase letters, symbols, and length constraints. This lesson helps you implement strong password pattern matching leveraging core RegExp concepts.

We'll cover the following...

If you’ve been reading up to this point, hopefully, you’re now used to thinking in RegExp terms, and you now understand the power that regular expressions bring to the table. This is exactly why they’re so widely used in all types of software projects.

In this final chapter, we’ll be showing you a few examples of real-world use cases where regular expressions can help you achieve some very nice functionalities with very few lines of code.

Rules for password

Password pattern matching is probably the easiest use case for regular expressions. After all, password rules tend to be a bit convoluted at times. How many times have you seen a message similar to this when trying to sign up to a website: “Your password needs to be between 6 and 12 characters long and should have, at least, an uppercase letter, a lowercase letter, a symbol, a number, and, ideally, a combination of letters that you’ll never be able to remember by yourself in a million years”?

Granted, that last bit might’ve come from our own frustration with these password rules. However, the first part of it is real. And, yes, there is always a way to implement the checking logic for these rules without regular expressions, but, then again, what would be the fun in that?

Although, at first glance, it might seem like a lot of checks for a single RegExp, we’ll be using a series of positive lookaheads (go back and read about quantifiers in chapter 2 if you don’t remember them) to check for each condition individually.

Essentially, we have five conditions to meet:

  1. (cond1): It needs to have at least one number.
  2. (cond2): It needs to have at least one lowercase letter.
  3. (cond3): It needs to have at least one uppercase letter.
  4. (cond4): It needs to have at least one symbol.
  5. (cond5): It needs to be between 6 and 12 characters long.

If we were to write a pseudocode to validate our string, it would look like this:

Node.js
 IF (cond1 AND cond2 AND cond3 AND cond4 AND cond5) THEN
       //your password is valid
 END

That translates into a regular expression that looks like this:

Node.js
 ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@_&%$"!]).{6,12}$

Let’s dissect it to understand what’s going on here.

Lookaheads

The first thing to understand here is that the positive lookaheads we’re using here act as barriers. On every lookahead, we’re checking for one of the first four conditions, and if one of them fails, the RegExp engine will stop and return a no-match.

Another interesting thing to notice about these checks is the way they’re written. Back in chapter 2, the form we showed you was XX?=YY, meaning it will only match XX if it’s followed by YY, but here we have ?=YY. What’s the catch then? By omitting the XX part, we’re saying we’ll match our current position’s empty space (we’re sitting at the start of the word, right before the first character) only if it’s followed by YY. And, in our case, YY is: .*, followed by a character class. This translates to “any character, including no character, followed by the character class.” See where we’re going with this?

(?=.*\d) translates to: I’ll match your current empty position if it is followed by any number of characters (including none) that is then followed by a number (i.e., if the word has at least a number inside it).

(?=.*[a-z]) translates to: I’ll match your current empty position if it is followed by any number of characters (including none) that is then followed by a lowercase letter (i.e., if the word has at least a lowercase letter inside it).

(?=.*[A-Z]) translates to: I’ll match your current empty position if it is followed by any number of characters (including none) that is then followed by an uppercase letter (i.e., if the word has at least one uppercase letter inside it).

(?=.*[@_&%$"!]) translates to: I’ll match your current empty position if it is followed by any number of characters (including none) that is then followed by one of these characters: @, _, &, %, $, ", or !(i.e., if the word has at least one symbol inside it).

Length of the string

If the above four conditions are met, then the engine will reach the .{6,12} portion. This means any set of characters as long as they’re between 6 and 12. By itself, this wouldn’t be very secure, since this would match any password as long as they’re the correct length. However, since we’ve added all the lookaheads before it, we’re sure that if the engine reached this section, all the other conditions are met.

Everything is one word

Finally, once everything’s been tested and all the conditions are met, we need to make sure the match is not partial inside a larger, invalid, string. In order to do that, we wrap the regular expression inside the ^ and characters, which (as you should already know) reference the start and end of the string, respectively.