No need to use a regex.

If the difference in length between both passwords is 3 or more, you already have your 3 character difference.

Otherwise check the first character of the shorter string against the first character of the longer string, do the same with the second, third, ... characters, adding one to the difference in length between two passwords: as soon as your sum is three, the new password is OK.

If you run out of characters and still the sum is less than three, the new password is wrong.

However, if you simply add one new character to the beginning of the old password to make a new password, this algoritm will say this is OK and that is perhaps not what you are looking for.

If that is indeed the case, do the following:

1. tally the different characters of each password in a hash for each password (the key being the character, the value being the number of times this character appears in the password).
2. Then take the absolute difference between the value of each key in the hash, compared to the same key in the other hash. (you have to make certain that both hashes have the same keys, so you may have to add keys with value zero for characters which appear in one password but not in the other).
3. Sum these absolute differences. If it is less than three, the new password is not OK, otherwise it is.

CountZero

"If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law