Can someone give me the regex to match a valid AWS Cognito password - with numbers, special characters (their list), lower and upper case letters
The AWS Cognito default length limit is 6 characters and has it's own list of special characters
AWS Cognito Password Regex - Specific to AWS Cognito
Asked Answered
Updated Answer - March 2023
/^(?!\s+)(?!.*\s+$)(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*[$^*.[\]{}()?"!@#%&/\\,><':;|_~`=+\- ])[A-Za-z0-9$^*.[\]{}()?"!@#%&/\\,><':;|_~`=+\- ]{8,256}$/
Explanation
/Indicates the start of a regular expression.^Beginning. Matches the beginning of the string.(?!\s+)Disallows leading spaces.(?!.*\s+$)Disallows trailing spaces.(?=.*[a-z])Requires lowercase letters.(?=.*[A-Z])Requires uppercase letters.(?=.*[0-9])Requires numbers.(?=.*[\^$*.[\]{}()?"!@#%&/\\,><':;|_~`=+\- ])Requires at least one special character from the specified set. (The non-leading, non-trailing space character is also treated as a special character.)[A-Za-z0-9^$*.[\]{}()?"!@#%&/\\,><':;|_~`=+\- ]{8,256}Minimum 8 characters from the allowed set, maximum 256 characters.$End. Matches the end of the string./Indicates the end of a regular expression.
The minimum character limit defaults to 8 but can be customised to a value between 6 and 99. The full length of a password however is limited to 256 characters (not 99).
Interactive Example
Documentation
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-policies.html
Inaccuracies in documentation
Cognito also has a "no leading or trailing spaces" rule in the default password requirements, but there are several docs out there that incorrectly state that "The space character is also treated as a special character". However, the current behaviour is actually "The non-leading, non-trailing space character is also treated as a special character".
To see the correct default password rules, view a user pool, click on the "Sign-in experience" tab, and click on "Contains at least 1 special character" to bring up a tooltip with the rules.
According to regex101.com the regex is invalid because a forward slash is not escaped. PLUS we had real problems using this regex in the deployed react version on an S3 bucket (locally it worked). Also I question that 6 chars is the default I think it's 8. –
Cognoscenti
@Cognoscenti sorry this gave you trouble - what was the issue? I see on regex101.com it complains when used in PHP - if you used it in React it should have been valid. Both PHP and JS seem happy with the forward slash escaped so I will update the answer. I also see 8 is now the default - again I will update. –
Chantay
+1 for @Cognoscenti 's comment about not working on S3. We faced the same issue...works perfectly in local environment but not when deployed to S3. Seems like odd behavior. Does anyone have a fix for this? –
Salamander
I had a similar problem with this regex where it worked locally but not in production (React SPA on AWS). I carefully retyped the regex letter by letter and it was fixed, so I think the problem was coming from exotic quotations when I had originally copy/pasted. Try this:
/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[\^$*.\[\]{}\(\)?\-"!@#%&\/,><\':;|_~`])\S{8,99}$/ –
Langill @Salamander here is it deployed to S3 where it seems to work fine. awspasswordregex.s3-website-eu-west-1.amazonaws.com code is simple so view source if you want to see how it works. I will update the answer to use the regular quotations - thanks indigoi –
Chantay
Cognito defaults include =, - and +. Unfortunately they're not listed in the official documentation, but by default they are admitted by Cognito. These are taken straight from the Cognito AWS Console:
(^ $ * . [ ] { } ( ) ? - " ! @ # % & / \ , > < ' : ; | _ ~ `` + =) –
Alan Would be useful to add references to this answer to understand where it's come from/what specifications it's based on. –
Sholeen
@JonathanIrwin, I think using
\S is a rather large mistake in your regexp. Now this may have been a little different when you put the regexp together, however according to AWS today a password is allowed to contain upper & lower case basic latin letters, numbers, and special characters from the list. It must also contain fewer than 99 characters so you need to reduce the max length by 1. \S will allow anything that isn't whitespace, so as long as the password satisfies the "contains a *" lookaheads it can contain any other characters that aren't in the allowed set. Continued... –
Hornet I propose tightly defining the allowed character set of your regexp with:
/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[\^$*.\[\]{}\(\)?\"!@#%&\/\\,><\':;|_~`=+\-])[a-zA-Z0-9\^$*.\[\]{}\(\)?\"!@#%&\/\\,><\':;|_~`=+\-]{8,98}$/ The current Cognito password requirements specifications are available here: docs.aws.amazon.com/cognito/latest/developerguide/…. (I'd add this answer myself but some bright spark closed this question because it looked similar to another one) –
Hornet Regarding regex for special characters, see below an up to date one :
/[\^$*.\[\]{}\(\)?"!@#%&\\\/,><\':;|_~`=+\- ]/; –
Arriola The 99 character limit is actually the cap on minimum password length. A Cognito password can be up to 256 characters in length. The minimum can be between 6 and 99 as per the docs. Also, contrary to the comments above, "The space character is also treated as a special character.". –
Amphitropous
@Amphitropous I see what you mean about the length. I will update the answer –
Chantay
Thank you @jfgilmore, you've caught a few bits that I missed from the spec so I'll update what I'm using accordingly. –
Hornet
@Andrew's Regex works better –
Jameyjami
The regex does not work if the password contains the char § –
Biceps
@Biceps any idea how to fix it? Does cognito accept that as a valid special character? –
Chantay
Yes Cognito allows that char. I would suggest adding
(.) at the end of the regex: /^(?!\s+)(?!.*\s+$)(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*[$^*.[\]{}()?"!@#%&/\\,><':;|_~`=+\- ])[A-Za-z0-9$^*.[\]{}()?"!@#%&/\\,><':;|_~`=+\- ](.){8,256}$/ –
Biceps the Regex formula for Swift 5 is
"(.*[()!@^$*.?\\-@#%&\":;|><'_~`+=\\[\\],{}])"
These are the default requirements based on the AWS console settings and the current Cognito documentation:
- No leading or trailing spaces
- At least one uppercase basic Latin letter
- At least one lowercase basic Latin letter
- At least one Arabic numeral 1
- At least one of: ^ $ * . [ ] { } ( ) ? " ! @ # % & / \ , > < ' : ; | _ ~ ` = + -
- 8-256 characters
- Other than leading and trailing spaces, any characters are allowed, including spaces and emojis 2
1 The restriction to Arabic numerals is not specified in the documentation, but I experimented and found that other Unicode digits do not count toward this requirement
2 The accepted answer limits the allowed characters to the characters that are required, however more characters are allowed than are required. The Cognito documentation says, "After Amazon Cognito verifies that passwords contain the minimum required characters, your users' passwords can contain additional characters of any type up to the maximum password length." Cognito is perfectly happy with the following password, for instance: Ab!~1 🤢℉”•—”†„简体字.
This regex handles all of the above scenarios:
/^(?!\s+)(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*[\^$*.[\]{}()?"!@#%&/\\,><':;|_~`=+-]).{8,256}(?<!\s)$/
Explanation:
^(?!\s+)No leading spaces(?=.*[A-Z])At least one uppercase letter(?=.*[a-z])At least one lowercase letter(?=.*[0-9])At least one digit(?=.*[\^$*.[\]{}()?"!@#%&/\\,><':;|_~`=+-])At least one of: ^ $ * . [ ] { } ( ) ? " ! @ # % & / \ , > < ' : ; | _ ~ ` = + - (listed in the same order as in the Cognito documentation).Other than leading and trailing spaces, any characters are allowed, including spaces and emojis{8,256}8-256 characters(?<!\s)$No trailing spaces
© 2022 - 2025 — McMap. All rights reserved.
/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[=+\-^$*.\[\]{}()?"!@#%&/\\,><':;|_~`])\S{8,99}$/– Functionary