Check password strength / safety with PHP and Regex

Password Validation with PHP and Regular Expressions

What is a good password? Your birthday, favorite star, first school, car, ...? None of them, because passwords like these are very easy to crack.

My golden rule for safe passwords is simple: Google or any other search engine should NOT find any result for your password string. But do not search for your password without changing some characters, because it will be visible as clear text to all networks between your PC and the Google server.

Another rule: make it hard for password crackers. Use long passwords with letters, CAPS, numbers and symbols.

Let's check password strength with PHP. This is a simple, long example for PHP beginners.


$pwd = $_POST['pwd'] ?? '';
$error = ''; // collects one message per failed rule

// Length limits: 8 to 20 characters
if( strlen($pwd) < 8 ) {
	$error .= "Password too short!\n";
}
if( strlen($pwd) > 20 ) {
	$error .= "Password too long!\n";
}
// Required character classes
if( !preg_match("#[0-9]+#", $pwd) ) {
	$error .= "Password must include at least one number!\n";
}
if( !preg_match("#[a-z]+#", $pwd) ) {
	$error .= "Password must include at least one letter!\n";
}
if( !preg_match("#[A-Z]+#", $pwd) ) {
	$error .= "Password must include at least one CAPS!\n";
}
if( !preg_match("#\W+#", $pwd) ) {
	$error .= "Password must include at least one symbol!\n";
}

if( $error ) {
	echo "Password validation failure (your choice is weak): $error";
} else {
	echo "Your password is strong.";
}

Short example with Regex:
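And this is the short version of that password check, written as one regular expression with lookaheads (a kind of lookaround) for PHP's PCRE engine.

$pwd = $_POST['pwd'] ?? '';

// Each (?=...) lookahead tests one rule from the start of the string.
// The "$" inside the first lookahead is what enforces the 20-character maximum.
if (preg_match("#^(?=.{8,20}$)(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*\W).*$#", $pwd)){
    echo "Your password is strong.";
} else {
    echo "Your password is not safe.";
}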

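You can use "\d" instead of "[0-9]". "\W" matches any non-word character: symbols, but also spaces, and it does not match the underscore. Instead of "\W" you can make a manual list of the most used symbols, like [#._,$%&!-]. Keep the hyphen at the end of the list, otherwise ".-_" is read as a range of characters.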

Numbers, letters, CAPS:
Remember that most users don't like passwords with symbols (because of keyboard differences), so you can leave out the symbol check. Just check length, letters, caps and numbers.

$pwd = $_POST['pwd'] ?? '';

// Same check without the symbol rule; "$" in the first lookahead caps the length at 20.
if (preg_match("#^(?=.{8,20}$)(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).*$#", $pwd)){
    echo "Your password is good.";
} else {
    echo "Your password is bad.";
}
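
The rules above as one reusable function, as an added example that is not part of the original article. It goes beyond the article's regex by reporting every failed rule and by letting the caller require more than one character per class. The name password_problems() and its parameters are hypothetical, and the mbstring extension is assumed to be installed.

```php
<?php
// Added example, not the article's code. password_problems() and its
// parameters are hypothetical names chosen for this illustration.

function password_problems(string $pwd, int $minPerClass = 1,
                           int $minLen = 8, int $maxLen = 20): array
{
    $problems = [];

    // Count characters, not bytes, so a multibyte UTF-8 character counts once.
    $len = mb_strlen($pwd, 'UTF-8');
    if ($len < $minLen) {
        $problems[] = "Password too short (minimum $minLen characters)";
    }
    if ($len > $maxLen) {
        $problems[] = "Password too long (maximum $maxLen characters)";
    }

    // Character classes from the article. Assumption of this example:
    // a symbol is anything that is not an ASCII letter, digit or whitespace,
    // so "_" counts as a symbol (\W would skip it) and a space does not.
    $classes = [
        'number'           => '/[0-9]/',
        'lowercase letter' => '/[a-z]/',
        'capital letter'   => '/[A-Z]/',
        'symbol'           => '/[^a-zA-Z0-9\s]/u',
    ];
    foreach ($classes as $name => $pattern) {
        // preg_match_all() returns how many times the pattern matched.
        if (preg_match_all($pattern, $pwd) < $minPerClass) {
            $problems[] = "Password must include at least $minPerClass $name(s)";
        }
    }
    return $problems; // empty array means every rule passed
}

// Constructed sample inputs, checked with the default of one per class.
$samples = ['abc', 'Password1', 'Tr0ub4dor&3', 'aB3_' . str_repeat('x', 20)];
foreach ($samples as $pwd) {
    $problems = password_problems($pwd);
    echo $pwd, ': ', $problems ? implode('; ', $problems) : 'OK', "\n";
}

// Stricter policy: at least two characters from every class.
$strict = password_problems('ab12CD!?', 2);
echo 'ab12CD!? (2 per class): ', $strict ? implode('; ', $strict) : 'OK', "\n";
```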

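Sometimes it is better to also do the check with JavaScript before the visitor sends the form. Keep the PHP check on the server as well, because a check that runs in the browser can be bypassed.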


bad password examples

here is a small list of bad selections


For good passwords, make up sentences and take the first letters of the words. And keep the first half on paper.

Password check


First of all, thanks a lot for the script. I have put this script in a web application, it's really working great.



Thanks for this post. Very useful!

Check Password

How can I check if password contains 2 digits, 2 alphabets, 2 special chars?

I did not test but it should

I did not test but it should work
for 2 exactly
for 2 or more


Thanks for the tutorial. Works great! How about if you want to validate your email address using $_POST super global? Thanks again.

password checking

How can I check if password contains spaces or not?
