This eval for password can be easily used for any field where a user can accidentally type in a password or even worse both username/password during login which generates a failed event. Below example is for Windows failed login. The eval will match 10 or more characters with 1 uppercase, 1 lower case, 1 digit and 1 special character. This search also assumes you have the “User_Name” field being extracted from windows event logs. Adjust as needed.
source=WinEventLog:Security TaskCategory=Logon Keywords="Audit Failure" | eval password=if(match(User_Name, "^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[\W])(?=.{10,})"), "Yes", "No") | stats count by password User_Name | search password=Yes