^\S*(?=\S{8,})(?=\S*[a-z])(?=\S*[A-Z])(?=\S*[\d])\S*$

From the fine folks over at Zorched.

来自Zorched的优秀人士。

• ^: anchored to beginning of string
• \S*: any set of characters
• (?=\S{8,}): of at least length 8
• (?=\S*[a-z]): containing at least one lowercase letter
• (?=\S*[A-Z]): and at least one uppercase letter
• (?=\S*[\d]): and at least one number
• $: anchored to the end of the string

• ^: 锚定到字符串的开头
• \S*: 任何字符集
• (?=\S{8,}): 长度至少为 8
• (?=\S*[a-z]): 包含至少一个小写字母
• (?=\S*[A-Z]): 和至少一个大写字母
• (?=\S*[\d]): 和至少一个数字
• $: 锚定到字符串的末尾

To include special characters, just add (?=\S*[\W]), which is non-word characters.

要包含特殊字符，只需添加(?=\S*[\W])，即非单词字符。

I find that doing it in one big regex is a bit of a code maintenance nightmare. Splitting it up is far easier to figure out for someone else looking at your code, and it allows you to give more specific error messages as well.

我发现用一个大的正则表达式来做这件事有点像代码维护的噩梦。拆分它更容易让其他人查看您的代码，并且它还允许您提供更具体的错误消息。

$uppercase = preg_match('@[A-Z]@', $password);
$lowercase = preg_match('@[a-z]@', $password);
$number    = preg_match('@[0-9]@', $password);

if(!$uppercase || !$lowercase || !$number || strlen($password) < 8) {
  // tell the user something went wrong
}

One possible regex pattern is:

一种可能的正则表达式模式是：

/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[a-zA-Z\d]{8,}$/

As in this example.

在这个例子中。

But you really shouldn't limit passwords!

但你真的不应该限制密码！

Admit it. As a developer we have done more to contribute to the failure of our customer's and user's online security because we are too stubborn or lazy to handle passwords properly. Just look at some of the fruit of our labor:

承认吧。作为开发人员，我们为客户和用户的在线安全失败做出了更多贡献，因为我们太固执或懒惰而无法正确处理密码。看看我们的一些劳动成果：

Password must be between 5 and 32 characters in length. Valid characters include letters, numbers, and underscore.

Password must be between 6 and 12 characters in length. Valid characters include letters and numbers.

Password must be a minimum of 8 characters and contain at least one capital letter, a number and a special character such as an underscore or exclamation point.

密码长度必须在 5 到 32 个字符之间。有效字符包括字母、数字和下划线。

密码长度必须在 6 到 12 个字符之间。有效字符包括字母和数字。

密码必须至少为 8 个字符，并且至少包含一个大写字母、一个数字和一个特殊字符，例如下划线或感叹号。

Then there is this gem. The original requirements were a minimum of 8 characters. Accidentally putting in 7 characters causes an error to appear before the user:

然后就是这颗宝石。最初的要求是至少 8 个字符。不小心输入 7 个字符会导致在用户面前出现错误：

Password Limitation Gone Wrong Note the tag line. Irony?

密码限制出错 请注意标语行。讽刺？

I could go on here, but I think you get the point. We have written code to support this nonsense, wrapping our heads around the right regex to account for every case. Agonizing over transmission, hashing and storage. We've talked about this so much the situation has even received proper pop culture status with its memorialization on xkcd.

我可以继续说下去，但我想你明白了。我们编写了代码来支持这种胡说八道，将我们的头脑围绕在正确的正则表达式上以解释每种情况。为传输、散列和存储而苦恼。我们已经讨论了这么多，这种情况甚至通过在 xkcd 上的纪念而获得了适当的流行文化地位。

There is no doubt our intentions were good. After all, users and customers cannot be expected to protect themselves properly. They don't create strong passwords, they use the word 'password' as their password more often than not. They don't heed the warnings, the news stories or the horror exrpressed by friends who have suffered through identity theft. The hacking of large retail chains phases them very little. We, as developers, set out to help our users avoid these pitfalls. I will alledge our attempts fell short and may have even contributed to the problem.

毫无疑问，我们的意图是好的。毕竟，不能指望用户和客户妥善保护自己。他们不创建强密码，他们经常使用“密码”一词作为密码。他们不理会遭受身份盗用的朋友所表达的警告、新闻报道或恐惧。对大型零售连锁店的黑客攻击很少会分阶段进行。作为开发人员，我们着手帮助我们的用户避免这些陷阱。我会说我们的尝试失败了，甚至可能导致了这个问题。

Very likely we've made it worse.

我们很可能让情况变得更糟。

By placing arcane restrictions on passwords we have actually forced our users into a bad way of thinking and therefore made them seek the path of least resistance, simple, hackable passwords. We did this because we were used to restrictions on us. Sysadmins limited us to 8 characters so we projected the limit on to the rest of the world. It is time we stopped and learned how to handle any length of password with any character included. We may want to exclude white spaces from the password, but other than that we shouldn't place any restrictions on passwords.

通过对密码设置神秘的限制，我们实际上迫使我们的用户陷入了一种糟糕的思维方式，因此使他们寻求阻力最小、简单、可破解的密码。我们这样做是因为我们习惯了对我们的限制。系统管理员将我们限制为 8 个字符，因此我们将限制投射到世界其他地方。是时候停下来学习如何处理包含任何字符的任何长度的密码了。我们可能希望从密码中排除空格，但除此之外我们不应该对密码设置任何限制。

Then we can encourage good security practices like passphrases or random words. Users, once they discover this, will be blissfully happy they don't have to remember some goofy combination of letters and numbers like f@rtp00p.

然后我们可以鼓励良好的安全实践，如密码或随机词。用户一旦发现这一点，就会非常高兴，因为他们不必记住诸如 f@rtp00p 之类的一些愚蠢的字母和数字组合。

I can see you rolling your eyes. It means you have to learn how to properly hash passwords and how to compare entered passwords with the hashes. You'll have to toss some really hard won regex. Heaven forbid you might have to refactor some code! Databases can hold very large hashed passwords and we should take advantage of the capability.

我能看到你翻白眼。这意味着您必须学习如何正确散列密码以及如何将输入的密码与散列值进行比较。您将不得不扔掉一些真正来之不易的正则表达式。天哪，你可能不得不重构一些代码！数据库可以保存非常大的散列密码，我们应该利用这种能力。

Keep in mind the general security of the data is on me, the developer along with the sysadmin and others. The security of a user's account is on them and I shouldn't do anything to hold them back. Personally I do not care what my users have for their passwords. All I do when users create their passwords is provide a strength meter and some basic guidelines:

请记住，数据的一般安全由我、开发人员以及系统管理员和其他人负责。用户帐户的安全在他们身上，我不应该做任何事情来阻止他们。就我个人而言，我不在乎我的用户有什么密码。当用户创建密码时，我所做的就是提供强度计和一些基本准则：

"We have found using passphrases or multiple word combinations to be the most secure when it comes to preventing a hacker, who is trying to crack your login information, from being successful."

“我们发现，在防止试图破解您的登录信息的黑客成功方面，使用密码短语或多个单词组合是最安全的。”

What should you do?

你该怎么办？

PHP's built-in functionshandle password security perfectly, spaces, special characters and all.. If you're using a PHP version less than 5.5 you can use the password_hash()compatibility pack.

PHP 的内置函数可以完美地处理密码安全、空格、特殊字符等等。如果您使用的 PHP 版本低于 5.5，则可以使用password_hash()兼容包。

We need to remove the limitations on passwords and free up the users to own their security online. Are you in?

我们需要取消对密码的限制，让用户自由地拥有自己的在线安全。你在吗？

PHP regular expression for strong password validation

用于强密码验证的 PHP 正则表达式

The link above looks like the regex you want. You could try something like the code below:

上面的链接看起来像你想要的正则表达式。你可以尝试类似下面的代码：

if(preg_match((?=^.{8,}$)((?=.*\d)|(?=.*\W+))(?![.\n])(?=.*[A-Z])(?=.*[a-z]).*$), $_POST['password']):

echo 'matched';

else:

echo 'not matched';

endif;

This checks for min. 1 number and also min/max chars:

这检查分钟。1 个数字以及最小/最大字符：

^(?=.*\d)(?!.*\s).{4,8}$