Useful password strength validation utilities for Yii Framework 2.0

Installs: 711 443

Dependents: 26

Suggesters: 0

Security: 0

Stars: 73

Watchers: 7

Forks: 47

Open Issues: 1


v1.5.7 2022-05-16 05:38 UTC

This package is auto-updated.

Last update: 2024-02-16 20:07:07 UTC


Stable Version Untable Version License Total Downloads Monthly Downloads Daily Downloads

This extension provides a couple of great password management utilities for Yii Framework 2.0. The extension allows password strength validation through your model. In addition, it provides an advanced password input widget, that allows you to display/hide text and show the password strength.

Release Changes

Refer the CHANGE LOG for details of various releases.


  • Ensure you have the right version of jQuery loaded (> v1.9.0).
  • In case you are upgrading from an older release, its recommended that you clean up your web assets, local browser cache, and restart your browsers before using the extension.


This is a password strength validator for your model attributes. The strength validator allows you to configure the following parameters for validating passwords or strings.

  1. Whether password contains an username
  2. Whether password contains an email string
  3. Minimum number of characters
  4. Maximum number of characters
  5. Whether spaces are allowed
  6. Minimum number of lower space characters
  7. Minimum number of upper space characters
  8. Minimum number of numeric / digit characters
  9. Minimum number of special characters
  10. Whether password is compromised and part of Have I Been Pwned lists.

Other features:

  1. Includes 5 presets (simple, normal, fair, medium, and strong). Instead of setting each parameter above, you can call a preset which will auto-set each of the parameters above.
  2. It includes both server and client validation.
  3. This can work with the PasswordInput widget (described next) as per your needs. The strength validation routines for both are a bit different. The PasswordInput widget focuses on displaying the strength only, and does not restrict the user input in any way.

NOTE: The StrengthValidator does not validate if the password field is required. You need to use Yii's required rule for this.


This is an advanced password input widget with configurable options and a dynamic strength meter based on the Strength Meter JQuery Plugin by Krajee. The widget provides various features as mentioned below:

  1. Allows you to show/ hide a password text (using bootstrap styled input addons). You can configure this option to be shown or not.
  2. Allows you to display an advanced password strength meter to calculate and show your password strength as you type.
  3. Allows you to control and position/style your meter based on templates.
  4. A password strength meter consists of the meter bar, the score, and the verdict.
  5. Uses Bootstrap 3.0 styling wherever possible with inbuilt Yii 2.0 ActiveField functionality.
  6. Works independent and complements the StrengthValidator.


You can see a demonstration here on usage of these functions with documentation and examples.


The preferred way to install this extension is through composer.

Note: Check the composer.json for this extension's requirements and dependencies. Read this web tip /wiki on setting the minimum-stability settings for your application's composer.json.

Either run

$ php composer.phar require kartik-v/yii2-password "@dev"

or add

"kartik-v/yii2-password": "@dev"

to the require section of your composer.json file.



// add this in your model
use kartik\password\StrengthValidator;

// use the validator in your model rules
public function rules() {
    return [
       	[['username', 'password'], 'required'],
       	[['password'], StrengthValidator::className(), 'preset'=>'normal', 'userAttribute'=>'username']


// add this in your view
use kartik\password\PasswordInput;
use kartik\widgets\ActiveForm; // optional

$form = ActiveForm::begin(['id' => 'login-form']);
echo $form->field($model,'username');
echo $form->field($model, 'password')->widget(PasswordInput::classname(), [
    'pluginOptions' => [
        'showMeter' => true,
        'toggleMask' => false


yii2-password is released under the BSD-3-Clause License. See the bundled LICENSE.md for details.