Last Updated: 2022-07-13 10:03:21
Password-strength validator for Symfony
License: MIT License
Languages: PHP, Makefile
This package provides various password strength validators for the Symfony Validator component.
To use this bundle with a Symfony application use the RollerworksPasswordStrengthBundle.
Passwords can be validated using either strength levels (weak, medium, strong, etc.) or explicitly configured requirements (needs letters, numbers, etc.).
This library provides the same level of functionality as the PasswordStrengthBundle created by John Bafford.
To install this package, add rollerworks/password-strength-validator to your composer.json:
$ php composer.phar require rollerworks/password-strength-validator
Now, Composer will automatically download all required files, and install them for you.
You need at least PHP 5.6 or PHP 7.0; the mbstring extension is recommended but not required. The provided blacklist providers may need SQLite3 or a PDO-compatible driver.
Caution:
The password validators do not enforce that the field must have a value! To make a field "required" use the NotBlank constraint in combination with the password validator(s).
All examples assume you have the Composer autoloader already in your code, see also How to Install and Use the Symfony Components for more information.
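The caution above, shown as an added example (not taken from the package's own documentation): the same inputs are validated with the strength constraint alone and then with NotBlank in front of it. The minLength and minStrength values and the sample passwords are constructed for illustration, and the script assumes this package and symfony/validator are installed through Composer.

```php
<?php
// Added example: shows why a password constraint needs NotBlank beside it.
// Assumes the Composer autoloader is available, as the text above states.
require __DIR__.'/vendor/autoload.php';

use Rollerworks\Component\PasswordStrength\Validator\Constraints\PasswordStrength;
use Symfony\Component\Validator\Constraints\NotBlank;
use Symfony\Component\Validator\Validation;

$validator = Validation::createValidator();

// Policy values chosen for this example only.
$policy = ['minLength' => 8, 'minStrength' => 3];

// Two constraint sets for the same field: without and with NotBlank.
$constraintSets = [
    'strength only'       => [new PasswordStrength($policy)],
    'NotBlank + strength' => [new NotBlank(), new PasswordStrength($policy)],
];

// Constructed sample inputs, including the empty values the caution is about.
$samples = [
    'empty string' => '',
    'null'         => null,
    'short'        => 'abc',
    'passphrase'   => 'Tr4m-Violet_Orchard!92',
];

foreach ($samples as $label => $password) {
    foreach ($constraintSets as $name => $constraints) {
        $violations = $validator->validate($password, $constraints);
        $verdict = count($violations) === 0 ? 'accepted' : 'rejected';
        printf("%-12s | %-19s | %s\n", $label, $name, $verdict);

        // Print each violation so it is visible which constraint objected.
        foreach ($violations as $violation) {
            printf("    - %s\n", $violation->getMessage());
        }
    }
}
```

Compare the "empty string" and "null" rows across the two constraint sets: any field where those rows are accepted lets an account be created or updated with no password at all.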
Validates the password's strength level (weak, medium, strong, etc.).
Validates the password using explicitly configured requirements (letters, caseDiff, numbers, requireSpecialCharacter).
This validator is deprecated in favor of the PasswordCommonList Validator.
The PasswordCommonList validator contains a big list of commonly used passwords, many of which are known to be insecure. Because a list of forbidden passwords is not something that is updated regularly, using this validator is recommended over maintaining such a list manually.
Alternatively the Symfony NotCompromisedPassword validator can be used for a more regularly updated list.
There are times you want to forbid (blacklist) a password from usage.
Passwords are blacklisted using providers, which can be either an array or a (flat-file) database (which you can update regularly).
With the default installation the following providers can be used:
Noop: Default provider, does nothing.
Array: Simple in memory blacklist provider (not recommended for big lists)
Sqlite: Provides the blacklist using a SQLite3 database file.
Pdo: Provides the blacklist using the PDO extension.
Validates that the requested password was not found in a trove of compromised passwords found at https://haveibeenpwned.com/.
To enable this you must install the suggested package "guzzlehttp/psr7" as well as a HttpClient such as "php-http/guzzle6-adapter".
For transparency and insight into the release cycle, and for striving to maintain backward compatibility, this package is maintained under the Semantic Versioning guidelines as much as possible.
Releases will be numbered with the following format:
<major>.<minor>.<patch>
And constructed with the following guidelines:
For more information on SemVer, please visit http://semver.org/.
This library is released under the MIT license.
This is an open source project. If you'd like to contribute, please read the Contributing Guidelines. If you're submitting a pull request, please follow the guidelines in the Submitting a Patch section.