rollerworks/password-strength-validator

Password-strength validator for Symfony

v1.2.0 2019-05-24 09:08 UTC

README

This package provides various password strength validators for the Symfony Validator component.

To use this package with a Symfony application, use the RollerworksPasswordStrengthBundle.

Passwords can be validated using either strength levels (weak, medium, strong, etc.) or by configuring explicit requirements (needs letters, numbers, etc.).

This library provides the same level of functionality as the PasswordStrengthBundle created by John Bafford.

Installation

To install this package, add rollerworks/password-strength-validator to your composer.json:

$ php composer.phar require rollerworks/password-strength-validator

Now, Composer will automatically download all required files, and install them for you.

Requirements

You need at least PHP 5.6 or PHP 7.0; mbstring is recommended but not required. For the provided blacklist providers you may need SQLite3 or a PDO-compatible driver.

Basic Usage

Caution:

The password validators do not enforce that the field must have a value! To make a field "required" use the NotBlank constraint in combination with the password validator(s).

All examples assume you have the Composer autoloader already in your code, see also How to Install and Use the Symfony Components for more information.

Strength validation

Validates the password's strength level (weak, medium, strong, etc.).

Requirements validation

Validates the password using explicitly configured requirements (letters, caseDiff, numbers, requireSpecialCharacter).

Password blacklisting

There are times you want to forbid (blacklist) a password from usage.

Passwords are blacklisted using providers, which can be either an array or a (flat-file) database (which you can update regularly).

With the default installation the following providers can be used.

  • Noop: Default provider, does nothing.

  • Array: Simple in memory blacklist provider (not recommended for big lists)

  • Sqlite: Provides the blacklist using a SQLite3 database file.

  • Pdo: Provides the blacklist using the PDO extension.

Building your own provider is also possible. Documentation on this is currently missing; see the current providers for more information.

PwnedPassword

Validates that the requested password was not found in a trove of compromised passwords found at https://haveibeenpwned.com/.

To enable this you must install the suggested package "guzzlehttp/psr7" as well as a HttpClient such as "php-http/guzzle6-adapter".
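As an added illustration (not this package's own code), the following PHP 7.1+ sketch shows the range lookup that haveibeenpwned.com publicly documents for its Pwned Passwords service, where only the first five hex characters of the password's SHA-1 are sent and the match is done locally. The function names, the sample corpus and its counts are constructed for this example, and the remote call is replaced by a local stand-in so the script runs offline.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the remote service: a tiny "breach corpus" with made-up counts.
// A real client would instead GET https://api.pwnedpasswords.com/range/<prefix>.
const SAMPLE_CORPUS = ['password' => 1200, 'qwerty' => 800, 'letmein' => 35];

/** Server side: return "SUFFIX:COUNT" lines for every hash starting with the 5-char prefix. */
function sampleRangeResponse(string $prefix): string
{
    $lines = [];
    foreach (SAMPLE_CORPUS as $plain => $count) {
        $hash = strtoupper(sha1((string) $plain));
        if (strncmp($hash, $prefix, 5) === 0) {
            $lines[] = substr($hash, 5) . ':' . $count;
        }
    }
    return implode("\r\n", $lines);
}

/** Client side: only the first 5 hex characters of the SHA-1 leave the application. */
function pwnedCount(string $password, callable $fetchRange): int
{
    $hash = strtoupper(sha1($password));
    $prefix = substr($hash, 0, 5);
    $suffix = substr($hash, 5);

    foreach (preg_split('/\r?\n/', trim($fetchRange($prefix))) as $line) {
        if ($line === '' || strpos($line, ':') === false) {
            continue; // skip blank or malformed lines
        }
        [$candidate, $count] = explode(':', $line, 2);
        if (hash_equals($suffix, strtoupper(trim($candidate)))) {
            return (int) $count;
        }
    }
    return 0; // suffix absent from the returned range: not known as compromised
}

// Constructed sample inputs: one password from the corpus, one that is not in it.
foreach (['password', 'correct horse battery staple'] as $candidate) {
    $n = pwnedCount($candidate, 'sampleRangeResponse');
    printf("%-30s %s\n", $candidate, $n > 0 ? "rejected (seen $n times)" : 'accepted');
}
```

A count of 0 only means the password is absent from the queried data set; it says nothing about the password's strength, so this check complements the strength and requirements validators rather than replacing them.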

Versioning

For transparency and insight into the release cycle, and for striving to maintain backward compatibility, this package is maintained under the Semantic Versioning guidelines as much as possible.

Releases will be numbered with the following format:

<major>.<minor>.<patch>

And constructed with the following guidelines:

  • Breaking backward compatibility bumps the major (and resets the minor and patch)
  • New additions without breaking backward compatibility bump the minor (and reset the patch)
  • Bug fixes and misc changes bump the patch

For more information on SemVer, please visit http://semver.org/.

License

This library is released under the MIT license.

Contributing

This is an open source project. If you'd like to contribute, please read the Contributing Guidelines. If you're submitting a pull request, please follow the guidelines in the Submitting a Patch section.