Service provider to use the zxcvbn project by @dropbox in Laravel 5.4 and above

1.4.0 2022-04-18 19:45 UTC

This package is auto-updated.

Last update: 2022-11-18 21:02:18 UTC


Build Status Code Coverage Software License

This package provides a validator which uses Dropbox's zxcvbn password strength estimator; it uses the PHP implementation from bjeavons.


This package can be installed through Composer.

composer require rebelinblue/laravel-zxcvbn

In Laravel 5.5 the package will auto-register the service provider. In Laravel 5.4 you must register this service provider manually in config/app.php by adding REBELinBLUE\Zxcvbn\ZxcvbnServiceProvider::class to the providers array

There is also an optional facade for Zxcvbn; in Laravel 5.5 it will be auto-registered. In Laravel 5.4 you must register the facade manually by adding the following to the aliases array in config/app.php

    'Zxcvbn' => REBELinBLUE\Zxcvbn\ZxcvbnFacade::class,

Optionally, you can publish the translations for this package with, however it is only required if you wish to change them

php artisan vendor:publish --provider="REBELinBLUE\Zxcvbn\ZxcvbnServiceProvider"


If you have added the alias you can access Zxcvbn from anywhere in your code using the façade


use Zxcvbn;

class MyCustomClass
    public function someMethod()
        $strength = Zxcvbn::passwordStrength('Pa$$w0rd');

However, you probably want to use it as a validator. The package add a single rule "zxcvbn"



$input = [ /* user input */ ];
$validator = Validator::make($input, [
    'password' => 'required|min:6|zxcvbn',

There are 2 optional parameters, the required score from 0 to 4 and a comma separate list of other fields to compare against, for example to ensure a strong password which doesn't contain the username or email you would use

'password' => 'required|min:6|zxcvbn:4,username,email',

The scores are rated as follows:

  • 0 - Too guessable: risky password. (guesses < 10^3)
  • 1 - Very guessable: protection from throttled online attacks. (guesses < 10^6)
  • 2 - Somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)
  • 3 - Safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
  • 4 - Very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)