How to Use Regular Expressions to Check Password Strength

In the previous tutorial we created a simple registration form.

Websites often require a specific strength for a password. In this lesson we will use RegEx to test the password strength.

For our password strength we will specify the following requirements:

  • a minimum of 8 characters
  • at least one uppercase letter
  • at least one number (digit)
  • at least one of the following special characters: !@#$%^&*-

We will start with a basic PHP file and assume that the user has already input their password which we are storing in the variable $password.

<?php
$password = 'abcDeF1#';
$pattern = '';
if(the password is strong enough){
   echo "Password strength is OK";
} else {
   echo "Password is not strong enough";
}

Line 2: we have stored the user password in the variable $password

Line 3: this is where we will define the pattern we need to match

Lines 4 to 8: we will test if the password is strong enough and output a message

Line 4: we need to test if the password is strong enough. At the moment we just have pseudo code. We will use a PHP function called preg_match()

The preg_match() function

Currently we just have some pseudo code on line 4. We will use the preg_match() function to check if the password matches the defined pattern as follows:

<?php
$password = 'abcDeF1#';
$pattern = '';
if(preg_match($pattern, $password)){
   echo "Password strength is OK";
} else {
   echo "Password is not strong enough";
}

Now we need to define the pattern.

Defining Delimiters

The first step is to define the delimiters, which are just forward slashes:

<?php
$password = 'abcDeF1#';
$pattern = '/ /';
if(preg_match($pattern, $password)){
   echo "Password strength is OK";
} else {
   echo "Password is not strong enough";
}

Defining the Start and End of the Pattern

Now we define the start and end of the pattern using ^ for the start and $ for the end:

<?php
$password = 'abcDeF1#';
$pattern = '/^$/';
if(preg_match($pattern, $password)){
   echo "Password strength is OK";
} else {
   echo "Password is not strong enough";
}

Minimum of 8 Characters

The first condition for the password is that it must have at least 8 characters:

<?php
$password = 'abcDeF1#';
$pattern = '/^.{8,}$/';
if(preg_match($pattern, $password)){
   echo "Password strength is OK";
} else {
   echo "Password is not strong enough";
}

We have added .{8,}

The dot means any single character (except a newline).

{8,} means at least 8 characters and no maximum.

If we wanted to specify that the password must be exactly 8 characters then we would use .{8}

If we wanted to specify a minimum of 8 characters and a maximum of 20 characters for the password then we would use .{8,20}

Minimum of 1 Uppercase Character

Next, we need to have a minimum of 1 uppercase character:

<?php
$password = 'abcDeF1#';
$pattern = '/^(?=.*[A-Z]).{8,}$/';
if(preg_match($pattern, $password)){
   echo "Password strength is OK";
} else {
   echo "Password is not strong enough";
}

We have added (?=.*[A-Z])

(?= ... ) is a positive lookahead: it checks that the enclosed pattern can be matched from the current position, without consuming any characters of the password.

.* means look for any number of characters.

[A-Z] means look for any uppercase characters between A and Z inclusive.

Note that we have placed this part of the pattern BEFORE the minimum length check. Because the lookahead does not consume any characters, .{8,} still starts matching from the beginning of the password.

Minimum of 1 Number (Digit)

<?php
$password = 'abcDeF1#';
$pattern = '/^(?=.*[0-9])(?=.*[A-Z]).{8,20}$/';
if(preg_match($pattern, $password)){
   echo "Password strength is OK";
} else {
   echo "Password is not strong enough";
}

We have added (?=.*[0-9]). Note that the length check is now .{8,20}, so the password is also limited to a maximum of 20 characters.

?= means look ahead through the password.

.* means look for any number of characters.

[0-9] means look for any digit between 0 and 9 inclusive.

Minimum of 1 of the Following Special Characters: !@#$%^&*-

At this point you can probably guess what you need to include.

<?php
$password = 'abcDeF1#';
$pattern = '/^(?=.*[!@#$%^&*-])(?=.*[0-9])(?=.*[A-Z]).{8,20}$/';
if(preg_match($pattern, $password)){
   echo "Password strength is OK";
} else {
   echo "Password is not strong enough";
}

We have added (?=.*[!@#$%^&*-])

?= means look ahead through the password.

.* means look for any number of characters.

[!@#$%^&*-] means look for any one of these characters. Inside square brackets the ^, $ and - characters are literal here (^ is only special at the start of the class, and - only between two characters).
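As an added example (not part of the original tutorial), here is the finished pattern wrapped in a reusable function, together with a per-rule breakdown so the user can be told which requirement failed. It assumes the special-character set !@#$%^&*- from the list above, and adds the D modifier so that $ matches only at the very end of the string (without it, PCRE lets $ match before a trailing newline, so "abcDeF1#\n" would pass the check).

```php
<?php
// Added example, not the tutorial's own code. The D modifier makes $ match only
// at the very end of the string, so a trailing newline cannot slip past the
// length check; the u modifier makes . count UTF-8 characters rather than bytes.
const PASSWORD_PATTERN = '/^(?=.*[!@#$%^&*-])(?=.*[0-9])(?=.*[A-Z]).{8,20}$/Du';

function isStrongPassword(string $password): bool
{
    // preg_match returns 1 on match, 0 on no match, false on error (e.g. invalid UTF-8)
    return preg_match(PASSWORD_PATTERN, $password) === 1;
}

// Each rule as its own pattern, so a failing password can be explained to the user.
function passwordProblems(string $password): array
{
    $rules = [
        'must be 8 to 20 characters on a single line' => '/^.{8,20}$/Du',
        'must contain an uppercase letter'           => '/[A-Z]/',
        'must contain a digit'                       => '/[0-9]/',
        'must contain one of !@#$%^&*-'              => '/[!@#$%^&*-]/',
    ];
    $problems = [];
    foreach ($rules as $message => $pattern) {
        if (preg_match($pattern, $password) !== 1) {
            $problems[] = $message;
        }
    }
    return $problems;
}

// Constructed sample inputs and the result expected for each.
$samples = [
    'abcDeF1#'            => true,   // the tutorial's own example
    'abcdef1#'            => false,  // no uppercase letter
    'abcDeFG#'            => false,  // no digit
    'abcDeF12'            => false,  // no special character
    'aB1#'                => false,  // too short
    "abcDeF1#\n"          => false,  // trailing newline, rejected thanks to D
    str_repeat('aB1#', 6) => false,  // 24 characters, over the maximum of 20
];

foreach ($samples as $password => $expected) {
    $result = isStrongPassword($password);
    printf("%-14s %s\n", json_encode($password),
        $result ? 'OK' : 'rejected: ' . implode(', ', passwordProblems($password)));
    assert($result === $expected);
}
```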


Comments


OMG!! You make this so easy. I have always struggled with regex and most of the tutorials skip lots of steps and don't explain the code all that well. This tutorial is excellent. My sincere thanks!

by Jake Hilter, 28-Dec-2015


You are very welcome, Jake. I am glad you enjoyed this tutorial.

by Patrick Morrow, 29-Dec-2015
