Passwords are an essential feature of many web applications. Symfony provides many tools to hash, migrate and handle passwords according to the most secure recommended practices. In 2019 we even introduced a constraint to check that a given password is not compromised because of a security leak.
In Symfony 6.3 we're introducing a new constraint to validate the strength of the given passwords. Technically, it works like many other similar public libraries, checking if the entropy of the given password reaches a certain threshold.
By default, the password is required to have at least medium strength, but there are four levels to choose from:
// src/Entity/User.php
namespace App\Entity;

use Symfony\Component\Validator\Constraints as Assert;
// imported so the STRENGTH_* constants used below resolve
use Symfony\Component\Validator\Constraints\PasswordStrength;

class User
{
    // ...

    #[Assert\PasswordStrength]
    protected $rawPassword;

    #[Assert\PasswordStrength(minScore: PasswordStrength::STRENGTH_VERY_STRONG)]
    protected $rawAdminPassword;
}
That's all. Using this constraint in your applications is simple for you and helpful for your users and customers. Consider adding it whenever you handle passwords, and read the PasswordStrength constraint docs to learn more about it.
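To make the levels concrete, here is an added, stand-alone illustration of how an entropy-based score of the kind the post describes can be computed and mapped to the constraint's levels and violation message. It is not Symfony's own validator code; the character-pool sizes and the entropy thresholds are assumptions chosen for this example.

```php
<?php
// Added illustration, not Symfony's code; pool sizes and thresholds are assumptions.
final class PasswordStrength
{
    public const STRENGTH_VERY_WEAK = 0;
    public const STRENGTH_WEAK = 1;
    public const STRENGTH_MEDIUM = 2;
    public const STRENGTH_STRONG = 3;
    public const STRENGTH_VERY_STRONG = 4;
}

function estimateStrength(#[\SensitiveParameter] string $password): int
{
    if ('' === $password) {
        return PasswordStrength::STRENGTH_VERY_WEAK;
    }
    $counts = count_chars($password, 1); // byte value => occurrences
    $distinct = count($counts);
    // Alphabet size is the sum of the sizes of the character classes present.
    $lower = $upper = $digit = $symbol = $other = 0;
    foreach (array_keys($counts) as $byte) {
        match (true) {
            $byte >= 97 && $byte <= 122 => $lower = 26,
            $byte >= 65 && $byte <= 90 => $upper = 26,
            $byte >= 48 && $byte <= 57 => $digit = 10,
            $byte >= 128 => $other = 128,
            default => $symbol = 33,
        };
    }
    $pool = $lower + $upper + $digit + $symbol + $other;
    // Each distinct character is worth log2(pool) bits; repeated characters are worth less.
    $entropy = $distinct * log($pool, 2) + (strlen($password) - $distinct) * log(M_E, 2);
    return match (true) {
        $entropy >= 120 => PasswordStrength::STRENGTH_VERY_STRONG,
        $entropy >= 100 => PasswordStrength::STRENGTH_STRONG,
        $entropy >= 80 => PasswordStrength::STRENGTH_MEDIUM,
        $entropy >= 60 => PasswordStrength::STRENGTH_WEAK,
        default => PasswordStrength::STRENGTH_VERY_WEAK,
    };
}

// Like the constraint: null when the score meets minScore, else the violation message.
function validate(string $password, int $minScore = PasswordStrength::STRENGTH_MEDIUM): ?string
{
    return estimateStrength($password) >= $minScore
        ? null : 'The password strength is too low. Please use a stronger password.';
}

// Constructed sample inputs, checked against the default (medium) requirement.
foreach (['password', 'Tr0ub4dor&3', 'correct horse battery staple 2023!'] as $candidate) {
    printf("%-36s score=%d %s\n", $candidate, estimateStrength($candidate), validate($candidate) ?? 'OK');
}
```

Run it with `php` to see how length, repeated characters and a wider character set move a password between the levels.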
There is a small syntax error in your example:
Missing brackets:
#[Assert\PasswordStrength(['minScore' => PasswordStrength::STRENGTH_VERY_STRONG])]
... or use named parameter:
#[Assert\PasswordStrength(minScore: PasswordStrength::STRENGTH_VERY_STRONG)]
@Thomas thanks for telling me. This is fixed now.
This is a great new validator, thanks for that, but imho there should be an explanation of the different levels. Low, medium, strong etc. does not really tell what is considered low, medium or strong.
Also there should be a better error message presented to the user, just "The password strength is too low. Please use a stronger password." is not what a user should see.
Amazing! Now I don't have to install a third-party bundle. Thank you for the great addition!