We initially used the following password regex:
^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-]).{8,}$
This worked as expected, enforcing a minimum password length of 8 characters, including at least one uppercase letter, one lowercase letter…
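The following is an added example, not code from the original post: it splits the regex above into its separate requirements and reports which ones a candidate password fails. The rule labels, function names and sample passwords are constructed for illustration, and `fullmatch` is used so that Python's `$` does not accept a trailing newline.

```python
import re

# The pattern from the page, unchanged.
PASSWORD_RE = re.compile(
    r"^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-]).{8,}$"
)

# One entry per lookahead in the pattern (labels are assumptions of this example).
CLASSES = {
    "uppercase A-Z": r"[A-Z]",
    "lowercase a-z": r"[a-z]",
    "digit 0-9": r"[0-9]",
    "symbol from #?!@$%^&*-": r"[#?!@$%^&*-]",
}
LENGTH_LABEL = "at least 8 characters, no line break"


def accepts(password: str) -> bool:
    """True when the whole string satisfies the page's regex."""
    return PASSWORD_RE.fullmatch(password) is not None


def failed_rules(password: str) -> list[str]:
    """Return the labels of the requirements the password does not meet."""
    failed = [label for label, cls in CLASSES.items()
              if not re.search(cls, password)]
    # '.' does not match a newline, so an embedded line break also fails here.
    if not re.fullmatch(r".{8,}", password):
        failed.append(LENGTH_LABEL)
    return failed


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        "Passw0rd!",   # meets every requirement
        "P@ssw0rd",    # also meets every requirement: only composition is checked
        "Passw0rd_",   # '_' is not in the symbol class
        "passw0rd!",   # no uppercase letter
        "Ünïcödé1!",   # 'Ü' is outside A-Z, so it does not count as uppercase
        "Pw0rd!",      # too short
    ]
    for pw in samples:
        verdict = "accept" if accepts(pw) else "reject"
        print(f"{pw!r:14} {verdict:7} {failed_rules(pw)}")
```
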