(?=(.*\W.*){0,}) doesn't mean 0 non-alphanumeric characters. It actually signifies at least 0 non-alphanumeric characters. For a password without any non-alphanumeric characters, you can use either (?!.*\W) or (?=\w*$).
A more straightforward approach would be to avoid the \W look-ahead and utilize \w{8,} instead of .{8,}.
Furthermore, it's worth noting that \w encompasses \d. To specifically target alphabetic characters, you can employ either [^\W\d] or [A-Za-z].
/^(?=(?:.*?\d){2})(?=(?:.*?[A-Za-z]){2})\w{8,}$/
This pattern validates passwords with a minimum of two digits, two alphabetical characters, a length of at least 8 characters, and containing only alphanumeric characters (including underscore).
\w is equivalent to [A-Za-z0-9_]\d is represented by [0-9]\s denotes [ \t\n\r\f\v]
Edit:
For broader browser compatibility, consider implementing the following JavaScript code:
var re = new RegExp("^(?=(?:.*?\\d){2})(?=(?:.*?[A-Za-z]){2})\\w{8,}$");
if (re.test(password)) { /* valid */ }
Edit2: The recent update in your query impacts the initial response.
You can still utilize the provided JavaScript code by substituting the regular expression pattern as per your original requirements.
Edit3: I now understand your point.
/^(?=.*[a-z].*[a-z])(?=.*[0-9].*[0-9]).{3,}/.test("password123") // matches
/^(?=.*[a-z].*[a-z])(?=.*[0-9].*[0-9]).{4,}/.test("password123") // no match
/^(?=.*[a-z].*[a-z]).{4,}/.test("password123") // matches
Interestingly, (?= ) behaves differently in Internet Explorer.
Edit4: Further insights:
To address your concern, consider this solution:
/^(?=.{8,}$)(?=(?:.*?\d){2})(?=(?:.*?[A-Za-z]){2})(?=(?:.*?\W){1})/
new RegExp("^(?=.{8,}$)(?=(?:.*?\\d){2})(?=(?:.*?[A-Za-z]){2})(?=(?:.*?\\W){1})")
It's crucial for the (?=.{8,}$) part to be placed at the beginning of the expression.