For anyone looking for an advanced password policy.
//ADD RULES LIKE THIS 'var rule1 = {'hint': gs.getMessage('Minimum 8 characters'),'regex':'^.{8,}$'};'
//AND PUSH THEM IN THE RULES ARRAY FOR ADDING NEW RULES.
(function executePasswordRuleScript() {
var rules = new Array();
var rule1 = {'hint': gs.getMessage('Minimum 9 characters'),'regex':'^.{9,}$'};
var rule2 = {'hint': gs.getMessage('Minimum 1 lowercase character'),'regex':'((.*?[a-z]).*?)'};
var rule3 = {'hint': gs.getMessage('Minimum 1 uppercase character'),'regex':'((.*?[A-Z]).*?)'};
var rule4 = {'hint': gs.getMessage('Minimum 1 number'),'regex':'((.*?[0-9]).*?)'};
var rule5 = {'hint': gs.getMessage('Minimum 1 special character'),'regex': '((.*?[@$#!%^&*]).*?)'};
var rule6 = {'hint': gs.getMessage('Maximum 100 characters'),'regex':'^.{0,100}$'};
var rule7 = {'hint': gs.getMessage('Do not include "rest" or "super"'),'regex': '(?i)^((?!foo|bar).)*$'};
rules.push(rule1, rule2, rule3, rule4, rule5, rule6, rule7);
return rules;
})();
in particular rule 7 to exclude any passwords that contain certain words (foo or bar). This behaves differently to the excluded password list of direct matches.
Tip:
using a tool like https://regex101.com/ (Select the Java 8 interpretation mode ('flavor'))
