Password Policy Builder (Regex Generator)

Building a password validation regex by hand is fiddly — getting the lookaheads right, escaping symbol classes, picking the right anchors. This tool lets you toggle each requirement (min length, max length, must contain uppercase / lowercase / digit / symbol, forbid spaces, forbid the user's email), and outputs a working regex, a JS validation function, and an HTML pattern attribute you can drop into an <input>.

How to use the Password Policy Builder (Regex Generator)

Toggle each rule; the regex, HTML pattern attribute, and JavaScript snippet at the bottom update live. Drop the pattern string straight into an <input type="password" pattern="..."> for native browser validation; use the JavaScript snippet on the server for actual enforcement (never rely on client-side validation alone).

The "Test it" box at the bottom shows whether the candidate password passes — along with which specific rules it fails, so you can tune the policy interactively.

About Password Policy Builder (Regex Generator)

A password policy is the set of constraints a system enforces on user-chosen passwords. Common requirements: minimum length, character-class diversity (upper / lower / digit / symbol), maximum length, forbid spaces, forbid the username or email substring.

NIST SP 800-63B (2017, updated 2024) recommends against heavy composition rules — they encourage predictable substitutions (Password1!) without adding entropy. Instead, NIST suggests minimum 8 characters (ideally 15+), check against breach lists, no maximum, no forced rotation. Long passphrases (4+ random words) provide more entropy per character of user effort than complex short passwords.

That said, many compliance frameworks (PCI-DSS, HIPAA, SOC 2) and risk-averse organizations still mandate composition rules. This tool generates both styles — pure-length minimum (NIST-aligned) and full composition rules (compliance-aligned). For password breach checking, pair with our Password Leak Check tool.

For the technical generation, the regex uses positive lookaheads such as (?=.*[A-Z]). Each rule is an independent lookahead that asserts a match without consuming input, so the rules can be composed in any order; the main expression then consumes the whole string and enforces the length range.

Common use cases

  • Sign-up forms — paste the HTML pattern into the registration password field for instant browser feedback.
  • API password enforcement — use the JS snippet on the backend (Node) or translate it to your stack's regex.
  • Compliance documentation — show auditors the exact regex enforced by your policy.
  • Onboarding scripts — validate that user-imported passwords meet the new policy before requiring rotation.
  • Browser extensions / dev tools — quickly generate a policy for a one-off internal tool.

Frequently asked questions

Why not just require length and forget composition rules?

NIST agrees — but compliance often forces composition rules. This tool supports both styles.

Does the HTML pattern attribute show good error messages?

No. The browser only shows "Please match the requested format". Pair it with a title attribute or custom JS for user-friendly messaging.

How do I forbid the username or email?

That requires runtime comparison, not a regex. Use the JS snippet and add a check against the live username field value.

Why use lookaheads instead of one combined character class?

A single character class like [A-Za-z0-9!@#]+ means "any character from this set" — it doesn't enforce that at least one of each appears. Lookaheads are the standard way to assert "must contain X" without consuming.
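The lookahead composition described above and the runtime email check from the earlier FAQ, as one added example that is not the tool's own generated output. The rule names (upper, lower, digit, symbol, noSpaces) and the buildPolicy function are assumptions made for this illustration; it also covers the NIST-style length-only policy the page mentions.

```javascript
// Added example, not code from the tool: build a password-policy regex from
// toggled rules, derive the HTML pattern string, and report which rules a
// candidate fails. Rule names and buildPolicy are hypothetical.
const RULES = {
  upper:  { re: /[A-Z]/,           msg: "at least one uppercase letter" },
  lower:  { re: /[a-z]/,           msg: "at least one lowercase letter" },
  digit:  { re: /[0-9]/,           msg: "at least one digit" },
  symbol: { re: /[^A-Za-z0-9\s]/,  msg: "at least one symbol" },
};

function buildPolicy(opts) {
  const o = { minLength: 8, maxLength: 0, noSpaces: false, ...opts };
  // Each lookahead asserts "contains X" without consuming input, so the
  // toggled rules can be appended in any order.
  let src = "^";
  for (const name of Object.keys(RULES)) {
    if (o[name]) src += `(?=.*${RULES[name].re.source})`;
  }
  if (o.noSpaces) src += "(?!.*\\s)";           // negative lookahead: no whitespace anywhere
  // The main expression consumes the whole string and enforces the length range;
  // maxLength 0 means "no maximum" (NIST-aligned).
  src += `.{${o.minLength},${o.maxLength > 0 ? o.maxLength : ""}}$`;
  return {
    regex: new RegExp(src),
    // The HTML pattern attribute is implicitly anchored, so drop ^ and $.
    htmlPattern: src.slice(1, -1),
    // Rule-by-rule check, like the "Test it" box: returns every failing rule.
    validate(password, email = "") {
      const failures = [];
      if (password.length < o.minLength) failures.push(`at least ${o.minLength} characters`);
      if (o.maxLength > 0 && password.length > o.maxLength) failures.push(`at most ${o.maxLength} characters`);
      for (const name of Object.keys(RULES)) {
        if (o[name] && !RULES[name].re.test(password)) failures.push(RULES[name].msg);
      }
      if (o.noSpaces && /\s/.test(password)) failures.push("no spaces");
      // Forbidding the user's email needs a runtime comparison against the live
      // field value; a static regex cannot express it. Uses the local part only.
      const local = email.split("@")[0].toLowerCase();
      if (local.length >= 3 && password.toLowerCase().includes(local)) {
        failures.push("must not contain your email");
      }
      return { ok: failures.length === 0, failures };
    },
  };
}
```

Run the validate function on the server as well; the regex and pattern attribute are only for instant browser feedback.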