what's wrong with this regex for password rules

Question

I'm trying for at least 2 letters, at least 2 non letters, and at least 6 characters in length:

^.*(?=.{6,})(?=[a-zA-Z]*){2,}(?=[0-9@#$%^&+=]*){2,}.*$

but that misses the mark on many levels, yet I'm not sure why. Any suggestions?

Answer 1

If you really want to use regular expressions, try this one:

(?=.{6})(?=[^a-zA-Z]*[a-zA-Z][^a-zA-Z]*[a-zA-Z])(?=[^0-9@#$%^&+=]*[0-9@#$%^&+=][^0-9@#$%^&+=]*[0-9@#$%^&+=])^.+$

This matches anything that is at least six characters long ((?=.{6,})) and does contain at least two alphabetic characters ((?=[a-zA-Z][^a-zA-Z]*[a-zA-Z])) and does contain at least two characters of the character set [0-9@#$%^&+=] ((?=[0-9@#$%^&+=][^0-9@#$%^&+=]*[0-9@#$%^&+=])).

Answer 2

While this type of test can be done with a regex, it may be easier and more maintainable to do a non-regex check. The regex to achieve this is fairly complex and a bit unreadable. But the code to run this test is fairly straight forward. For example take the following method as an implementation of your requirements (language C#)

public bool IsValid(string password) {
  // arg null check ommitted
  return password.Length >= 6 &&
         password.Where(Char.IsLetter).Count() > 2 &&
         password.Where(x => !Char.IsLetter(x)).Count() > 2;
}