OneWebDesk

Password Policy Generator

Generate a password policy and its rules for your service.

The password policy generator turns a few choices — minimum length, character class requirements, maximum age, account lockout threshold and whether MFA is required — into a human-readable password policy plus a matching client-side validation regular expression. It outputs both Korean and English wording that you can paste straight into a security policy document, a sign-up form, or a development spec.

Everything runs entirely in your browser and no input ever leaves the page. Use it when you want to follow modern NIST guidance — prioritising length and avoiding forced periodic changes — while still expressing the minimum requirements your organisation needs in clear, copy-ready language.

Sample output

Summary
- Minimum length: 12
- Required classes: uppercase, lowercase, digits
- Maximum age: no rotation
- Lockout: after 5 failures
- MFA: required

Password policy wording
- Passwords must be at least 12 characters long.
- Must contain at least one uppercase letter (A–Z).
- Must contain at least one lowercase letter (a–z).
- Must contain at least one digit (0–9).
- No periodic forced change is required unless there is clear evidence of compromise.
- Accounts are temporarily locked after 5 consecutive failed logins.
- Multi-factor authentication (MFA) is required for all accounts.

Validation regex
^(?=.*[A-Z])(?=.*[a-z])(?=.*\d).{12,}$

What goes into the policy

The tool builds a policy from five dimensions. Each becomes a bullet in the generated wording, and the character-class requirements are also compiled into a regular expression you can drop into a sign-up form.

  • Minimum length: the fewest characters allowed. Length is the single strongest factor.
  • Character classes: which of uppercase, lowercase, digits and symbols are required.
  • Maximum age: how many days before a change is required (0 means no rotation).
  • Account lockout: how many failed attempts before the account is locked.
  • MFA: whether multi-factor authentication is mandatory.

NIST guidance: length first, avoid forced rotation

The US NIST Digital Identity Guidelines (SP 800-63B) argue that adequate length is far more effective than stacking up complexity rules. The key recommendations are:

  1. Allow at least 8 characters, and ideally long passphrases up to 64 characters.
  2. Rules that force specific character classes tend to produce predictable patterns such as Password1!.
  3. Do not require periodic forced changes unless there is clear evidence of compromise. Frequent rotation leads to weaker passwords.
  4. Screening against known-breached passwords and adding MFA is more effective than complexity rules.

This generator lets you set the maximum age to 0 (no rotation) so your policy can stay aligned with that guidance. Paste the generated wording into your policy document and drop the matching regex into your sign-up form: the policy text and the client-side check then come from the same choices and stay consistent.

How to use the generated regex

The regex validates the selected character-class requirements together with the minimum length on the client. Each class is expressed as a lookahead — for example, at least one uppercase letter is (?=.*[A-Z]). Treat it as instant form feedback only; real authentication must re-validate length, breach status and more on the server.
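To show how the lookahead pattern and the wording are derived from the five choices, here is an added example in browser JavaScript; it is not the OneWebDesk tool's own code. The policy field names (`minLength`, `upper`, `lower`, `digit`, `symbol`, `maxAgeDays`, `lockoutAfter`, `mfaRequired`) are assumptions for this example, and the symbol class follows the "not a letter, digit or whitespace" rule described in the FAQ below.

```javascript
// Added example (not the generator's own code): builds the same lookahead-style
// regex the tool outputs, plus matching policy bullets, from the policy choices.
// Only character classes and minimum length reach the regex; age, lockout and
// MFA are server-side rules and appear only in the wording.

const DEFAULT_POLICY = {
  minLength: 12, upper: true, lower: true, digit: true, symbol: false,
  maxAgeDays: 0, lockoutAfter: 5, mfaRequired: true,
};

// One lookahead per required class; the trailing .{n,} enforces the length.
function buildPolicyRegex(policy) {
  const p = { ...DEFAULT_POLICY, ...policy };
  const classes = [
    [p.upper, "[A-Z]"],
    [p.lower, "[a-z]"],
    [p.digit, "\\d"],
    // "Symbol" = any character that is not a letter, digit or whitespace.
    [p.symbol, "[^A-Za-z0-9\\s]"],
  ];
  const lookaheads = classes
    .filter(([required]) => required)
    .map(([, cls]) => `(?=.*${cls})`)
    .join("");
  return new RegExp(`^${lookaheads}.{${p.minLength},}$`);
}

// Human-readable bullets in the same order the generator uses.
function buildPolicyWording(policy) {
  const p = { ...DEFAULT_POLICY, ...policy };
  const lines = [`Passwords must be at least ${p.minLength} characters long.`];
  if (p.upper) lines.push("Must contain at least one uppercase letter (A-Z).");
  if (p.lower) lines.push("Must contain at least one lowercase letter (a-z).");
  if (p.digit) lines.push("Must contain at least one digit (0-9).");
  if (p.symbol) lines.push("Must contain at least one symbol.");
  lines.push(p.maxAgeDays > 0
    ? `Passwords must be changed at least every ${p.maxAgeDays} days.`
    : "No periodic forced change is required unless there is clear evidence of compromise.");
  lines.push(`Accounts are temporarily locked after ${p.lockoutAfter} consecutive failed logins.`);
  lines.push(p.mfaRequired
    ? "Multi-factor authentication (MFA) is required for all accounts."
    : "Multi-factor authentication (MFA) is strongly recommended.");
  return lines;
}

// Instant form feedback only: the server must re-check length and breach status.
function meetsPolicy(policy, candidate) {
  return buildPolicyRegex(policy).test(candidate);
}
```

With the sample settings above, `buildPolicyRegex({})` yields exactly the pattern shown in the sample output, and a breached-password or dictionary check still has to happen server-side.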

Frequently asked questions

Is the generated policy or regex sent to a server?
No. All processing happens in your browser and neither your input nor the result is transmitted anywhere.
Is the output regex enough to validate passwords?
No. The regex is for instant feedback in a form. It checks length and character classes but does not block breached passwords or dictionary words, so real authentication must re-validate on the server.
Why does maximum age default to no forced change?
Current NIST guidance advises against periodic forced changes unless there is clear evidence of compromise, because frequent rotation tends to produce weaker, more predictable passwords.
How does the regex handle special characters?
Enabling the symbol requirement adds a lookahead checking for at least one character that is not a letter, digit or whitespace. To restrict to a specific symbol set, edit the character class in the generated pattern.
What minimum length should I choose?
NIST allows a minimum of 8 but recommends longer passphrases. For general services, 12 or more is a sensible default; for sensitive accounts such as administrators, set it higher.
