fusionspim/php-password-checker

This package is abandoned and no longer maintained. No replacement package was suggested.

Sense checks when a user picks a new password

5.0.1 2022-07-28 15:42 UTC

This package is auto-updated.

Last update: 2022-11-29 10:32:20 UTC


README

Passwords must be at least 10 characters in length and not be commonly used - there's no means to override this.

Numeric-looking passwords are rejected, to weed out obvious memorable dates and phone numbers.

All password checks are case insensitive.

$checker = new PasswordChecker;
$checker->validate('abc123'); // throws PasswordException (too short)
$checker->validate('password123'); // throws PasswordException (too common)
$checker->validate('123-456-7890'); // throws PasswordException (too numeric)
$checker->validate('31/12/1999'); // throws PasswordException (too numeric)
$checker->validate('we love php'); // returns true

That's it, though you can add further (optional, but recommended) checks and restrictions.

Password reuse

Prevent password reuse by storing previous password hashes in your application and passing them in:

$checker = new PasswordChecker;
$checker->setPreviousPasswords($arrayOfHashes); // generated from password_hash()
$checker->validate($userSuppliedPassword);

Password confirmation

If you ask users to confirm their new password, you can pass that in too - simply to have all checks handled consistently:

$checker = new PasswordChecker;
$checker->setConfirmation($userSuppliedConfirmation);
$checker->validate($userSuppliedPassword);

User or application obvious

Provide a blacklist of words that are obvious in the context of the user/application. If they appear within (i.e. not necessarily equal to) the user-supplied password, validation will fail:

$checker = new PasswordChecker(['clem', 'fandango', 'MyAmazingApp']);
$checker->validate('myamazingapp'); // throws PasswordException
$checker->validate('myamazingapp123'); // throws PasswordException
$checker->validate('clemfandango'); // throws PasswordException
$checker->validate('fandango123'); // throws PasswordException

Complexity requirements

Complexity requirements can be enabled to require user passwords to contain a lower case letter, upper case letter, number and special character.

This is disabled by default, since it isn't a recommended approach.

$checker = new PasswordChecker;
$checker->setComplexityRequirements([
    PasswordChecker::REQUIRE_LOWERCASE,
    PasswordChecker::REQUIRE_UPPERCASE,
    PasswordChecker::REQUIRE_NUMBER,
    PasswordChecker::REQUIRE_SYMBOL
]);
$checker->validate('myamazingapp'); // throws PasswordException
$checker->validate('myamazingapp123'); // throws PasswordException
$checker->validate('myamazingapp123!'); // throws PasswordException
$checker->validate('Myamazingapp123!'); // returns true
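As an added example that is not part of the package's README, the following ties the checks above into one password-change handler. It assumes PHP 8 and Composer autoloading; UserRecord, changePassword and the placeholder namespace in the commented `use` lines are hypothetical, since the page does not state the package namespace.

```php
<?php
// Added example (not the package's own code): one password-change handler that wires
// together every check the README describes. Assumes PHP 8 and Composer autoloading;
// the package namespace is not given on this page, so the `use` lines are placeholders.
// use VendorNamespace\PasswordChecker;   // placeholder namespace
// use VendorNamespace\PasswordException; // placeholder namespace
declare(strict_types=1);

// Hypothetical user record; $previousHashes holds earlier password_hash() outputs.
final class UserRecord
{
    public function __construct(
        public string $username,
        public string $email,
        public array $previousHashes = [],
    ) {}
}

/**
 * Runs the README's checks against a proposed password. On success returns the new
 * password_hash() value to store; on failure returns the library's reason.
 *
 * @return array{ok: bool, hash?: string, error?: string}
 */
function changePassword(UserRecord $user, string $password, string $confirmation): array
{
    // Words that are "obvious" for this user: username, local part of the e-mail, app name.
    // The checker matches them case-insensitively as substrings, so skip very short ones.
    $localPart = explode('@', $user->email, 2)[0];
    $obvious = array_filter([$user->username, $localPart, 'MyAmazingApp'], fn ($w) => strlen($w) >= 4);

    $checker = new PasswordChecker(array_values($obvious));
    $checker->setPreviousPasswords($user->previousHashes); // hashes from password_hash(), as the README requires
    $checker->setConfirmation($confirmation);            // a mismatch is reported like any other failure

    try {
        $checker->validate($password);
    } catch (PasswordException $e) {
        // Report the reason to the user; never log or echo the candidate password itself.
        return ['ok' => false, 'error' => $e->getMessage()];
    }

    return ['ok' => true, 'hash' => password_hash($password, PASSWORD_DEFAULT)];
}

// Constructed sample: the username and e-mail local part become blacklisted context words,
// and the stored hash means the README's passing example 'we love php' is now rejected as reused.
$user = new UserRecord('clem', 'clem.fandango@example.com', [password_hash('we love php', PASSWORD_DEFAULT)]);
$result = changePassword($user, 'we love php', 'we love php');
```

On success, store `$result['hash']` and push it onto the front of the user's history so the next change is checked against it as well.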