in reply to Regex usernames and Passwords
You seem to have about the right amount of paranoia :-) Just remember that it's better to match for well-formed input instead of trying to match "bad" input. You're doing that correctly here. Also, MySQL char/text/blob columns will generally handle any input that is short enough, as long as you use placeholders or $dbh->quote. You might have other reasons to restrict/quote input, though. For example, if you print user input to an HTML page, you'll probably want to use $cgi->escapeHTML(), and for a phone number, you might not want alphabetic characters...
Underscore is not part of the [A-Za-z0-9] pattern. Fortunately \w is equivalent to [A-Za-z0-9_], so you can save a few keystrokes :-)
By the way, I'd probably give users a few more characters to use in their passwords (what about !@#$%^&*()_+{}{}:;.,<>" and ?).
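
An added example, not part of the original reply: allow-list matching for usernames and passwords in Perl, with a loose pattern beside a stricter one to show two edge cases (a trailing newline slipping past $, and \w matching non-ASCII letters unless /a is given). The length limits, variable names and sample inputs are assumptions constructed for this illustration.

```perl
use strict;
use warnings;

# Length limits are assumptions for this example, not values from the thread.
# Loose form: $ also matches before a trailing newline, and without /a
# \w matches Unicode letters and digits in decoded strings.
my $LOOSE_USER  = qr/^\w{3,20}$/;
# Strict form: \A and \z anchor the whole string, /a limits \w to [A-Za-z0-9_].
my $STRICT_USER = qr/\A\w{3,20}\z/a;
# Password allow-list: \w plus the punctuation suggested in the reply.
my $STRICT_PASS = qr/\A[\w!\@#\$%^&*()+{}:;.,<>"?]{8,64}\z/a;

# Return 'accept' only when the whole value matches the given pattern.
sub check {
    my ($re, $value) = @_;
    return (defined $value && $value =~ $re) ? 'accept' : 'reject';
}

# Render control and non-ASCII characters as \x{....} so they are visible.
sub show {
    my ($s) = @_;
    $s =~ s/([^\x20-\x7e])/sprintf('\\x{%04x}', ord $1)/ge;
    return "'$s'";
}

# Constructed sample input: a normal name, a trailing newline, a too-short
# name, SQL-looking punctuation, and a Cyrillic lookalike of "alice".
my @usernames = ("alice_01", "alice\n", "ab", "bob; --", "\x{0430}lice");
my @passwords = ("s3cret!pass", "Tr0ub4dor&3", "short", "has space in it", "tab\there!");

for my $u (@usernames) {
    printf "user %-16s loose=%s strict=%s\n",
        show($u), check($LOOSE_USER, $u), check($STRICT_USER, $u);
}
for my $p (@passwords) {
    printf "pass %-20s strict=%s\n", show($p), check($STRICT_PASS, $p);
}
```

The /a modifier requires Perl 5.14 or later.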