A Contao bundle that validates user passwords against your password policy


1.1.1 2023-06-06 07:22 UTC

This package is auto-updated.

Last update: 2024-07-05 09:22:14 UTC





  • Validate a password against your organization policies
  • Force members to change their password


Choose the installation method that matches your workflow!

Installation via Contao Manager

Search for terminal42/contao-password-validation in the Contao Manager and add it to your installation. Finally, update the packages.

Manual installation

Add a composer dependency for this bundle. To do so, change into the project root and run the following:

    composer require terminal42/contao-password-validation

Depending on your environment, the command can differ, e.g. starting with php composer.phar … if you do not have composer installed globally.

Then, update the database via the Contao install tool.


Password validation

Add the following configuration parameters to your app/config/config.yml:
(Skip options that you do not need)

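    terminal42_password_validation:
      # Policy for front end members
      Contao\FrontendUser:
        min_length: 10
        max_length: 20
        require:
          uppercase: 1
          lowercase: 1
          numbers: 1
          other: 1
        other_chars: "+*ç%&/()=?"
        password_history: 10
        change_days: 90
        haveibeenpwned: 1
      # Policy for back end users
      Contao\BackendUser:
        min_length: 10
        haveibeenpwned: 1
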
Parameter: Purpose

  • password_history: Keep track of the latest n passwords and prevent users from choosing one of their recent passwords.
  • change_days: Ask the user to change their password after a certain number of days.
  • haveibeenpwned: Check the user password against known data breaches reported to ';--have i been pwned?. The configuration allows you to specify an integer to define the minimum number of data breaches the password needs to occur in to fail password validation.
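
How the integer given to haveibeenpwned acts as a threshold, as an added example that is not the bundle's own code. It assumes the check reads a Pwned Passwords range response (`SUFFIX:COUNT` lines for one 5-character SHA-1 prefix); the function names and the sample response are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Number of breaches a password appears in, according to one range response.
 * Only the first 5 hex characters of the SHA-1 hash would be sent as the
 * query; the remaining 35 are matched locally against the returned suffixes.
 */
function breachCount(string $password, string $rangeBody): int
{
    $suffix = substr(strtoupper(sha1($password)), 5);

    foreach (preg_split('/\r?\n/', trim($rangeBody)) as $line) {
        // Each line is "SUFFIX:COUNT"; malformed lines get a count of 0.
        [$candidate, $count] = array_pad(explode(':', trim($line), 2), 2, '0');
        if (hash_equals($suffix, strtoupper($candidate))) {
            return (int) $count;
        }
    }

    return 0; // suffix not listed: no known breach for this password
}

/**
 * $minBreaches mirrors the integer configured for `haveibeenpwned`.
 * Assumption: values below 1 are treated as 1, so a count of 0 never fails.
 */
function failsBreachPolicy(string $password, string $rangeBody, int $minBreaches): bool
{
    return breachCount($password, $rangeBody) >= max(1, $minBreaches);
}

// Constructed sample response: one unrelated suffix, then the suffix of
// sha1("password") with a made-up count of 12.
$sample = "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
    . substr(strtoupper(sha1('password')), 5) . ":12\r\n";

foreach ([1, 12, 50] as $threshold) {
    printf(
        "haveibeenpwned: %d -> 'password' %s\n",
        $threshold,
        failsBreachPolicy('password', $sample, $threshold) ? 'rejected' : 'accepted'
    );
}
printf("unlisted password -> %s\n",
    failsBreachPolicy('constructed-unlisted-value', $sample, 1) ? 'rejected' : 'accepted');
```

A threshold of 1 rejects any password that appears in at least one known breach; higher values only reject passwords that appear more often.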


  1. Create a "password-change" page and place a password-change module on it. Select this page as password-change page in the page root.
  2. You can now force members to change their passwords by ticking the corresponding checkbox in the member edit-mask.

Add your own password validator

You can add your own validation rule, e.g. a dictionary check.

Create a class that implements PasswordValidatorInterface. Then, create and tag a corresponding service.

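    services:
      App\PasswordValidation\Validator\Dictionary:   # service id of your choice; the class name is used here
        class: App\PasswordValidation\Validator\Dictionary
        tags:
          - { name: terminal42_password_validation.validator, alias: dictionary }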


This bundle is released under the MIT license