[a-zA-Z0-9]+
But you have bad password requirements.
They betray the unprofessionalism of developers who implement such requirements.
This is a sign that the password is in an open (not hashed) form in the database.
This provokes making weak passwords.
It looks like a student handicraft.
If restrictions are introduced, then they are minimal:
- the password must not be empty. Everything.
However, warnings should be given if:
- the password contains Cyrillic, or any characters that are difficult to type on any arbitrary keyboard. The big problem is a password with unicode characters if you want to enter it on a smartphone. A big problem with Cyrillic if you want to log in from a computer in Turkey on vacation, losing, for example, your phone.
- the password is too short;
- the password hash is in the list of the most common passwords;
- the password looks like it was typed with inverted caps-lock.
These warnings should be visible, but should not prevent you from creating such a password. You can only discuss what concerns the list of the most common passwords, let's say the thousands of the most popular. Well, short (less than 6 characters).
The password should be hashed with the newly generated salt. You need to store the salt next to the hash. You can also specify the name of the hashing algorithm next to it. Right on the same line. This will not reduce security, but it will save you from the problems associated with switching to new hashing algorithms.

https://ru.stackoverflow.com/questions/761716/%D0%...
For twenty years now, this problem has been solved using regular expressions.
Googling in five minutes