Regex match a strong password with two or more special characters

I need to regex match a password field using javascript wit开发者_Python百科h the following requirements:

• At least 15 characters
• two or more lower case letters
• two or more upper case letters
• two or more digits
• two or more of the following special characters: !@#$%^&*-

I have a regex that takes care of MOST cases:

/^.*(?=.{15,})(?=.{2,}\d)(?=.{2,}[a-z])(?=.{2,}[A-Z])(?=.{2,}[\!\@\#\$\%\^\&\*\-]).*$/

The problem here is with the symbols, it works with:

P@ssw0rdP@ssw0rd
Pssw0rdPssw0rd@@
Pssw0rd@@Pssw0rd

But not:

@@Pssw0rdPssw0rd

I have a random password generator set up to exhaustively test this, so any ideas are greatly appreciated. Thanks!

---

/^(?=(?:.*[a-z]){2})(?=(?:.*[A-Z]){2})(?=(?:.*\d){2})(?=(?:.*[!@#$%^&*-]){2}).{15,}$/

---

Your lookaheads are wrong. The pattern

(?=.{2,}[class])

means to match 2 or more characters (no matter what characters), then followed by 1 character of the desired class. This is entirely different from "2 or more character of the desired class" you specified.

To correctly test if a character of desired class is in the text, use

(?=.*[class])

and since you want to check it twice, repeat the pattern

(?=.*[class].*[class])
# equivalent to (?=(?:.*[class]){2})

---

I'm not sure a single regexp is the way to go for this test.

Personally i'd implement it something like this: (treat as pseudo code, i haven't tested it)

function testPassword(pw) {
    var len = pw.length;
    if(len < 15) return false;
    if(pw.replace(/[a-z]/,'').length > len - 2) return false;
    if(pw.replace(/[A-Z]/,'').length > len - 2) return false;
    if(pw.replace(/[0-9]/,'').length > len - 2) return false;
    if(pw.replace(/[!@#$%^&*-]/,'').length > len - 2) return false;
    return true;
}

---

There are some good explanations already, so I'm just piling on ...

/^
(?= .{15} )
(?= (?:.*[[:lower:]]){2} )
(?= (?:.*[[:upper:]]){2} )
(?= (?:.*[[:digit:]]){2} )
(?= (?:.*[!@#$%^&*-]){2} )
/x