NotCompromisedPassword

Validates that the given password has not been compromised by checking that it is not included in any of the public data breaches tracked by haveibeenpwned.com.

Applies to: property or method
Class: Symfony\Component\Validator\Constraints\NotCompromisedPassword
Validator: Symfony\Component\Validator\Constraints\NotCompromisedPasswordValidator

Basic Usage

The following constraint ensures that the rawPassword property of the User class doesn't store a compromised password:

Annotations:

// src/Entity/User.php
namespace App\Entity;

use Symfony\Component\Validator\Constraints as Assert;

class User
{
    /**
     * @Assert\NotCompromisedPassword
     */
    protected $rawPassword;
}

Attributes:

// src/Entity/User.php
namespace App\Entity;

use Symfony\Component\Validator\Constraints as Assert;

class User
{
    #[Assert\NotCompromisedPassword]
    protected $rawPassword;
}

YAML:

# config/validator/validation.yaml
App\Entity\User:
    properties:
        rawPassword:
            - NotCompromisedPassword

XML:

<!-- config/validator/validation.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<constraint-mapping xmlns="http://symfony.com/schema/dic/constraint-mapping"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://symfony.com/schema/dic/constraint-mapping https://symfony.com/schema/dic/constraint-mapping/constraint-mapping-1.0.xsd">

    <class name="App\Entity\User">
        <property name="rawPassword">
            <constraint name="NotCompromisedPassword"></constraint>
        </property>
    </class>
</constraint-mapping>

PHP:

// src/Entity/User.php
namespace App\Entity;

use Symfony\Component\Validator\Constraints as Assert;
use Symfony\Component\Validator\Mapping\ClassMetadata;

class User
{
    public static function loadValidatorMetadata(ClassMetadata $metadata)
    {
        $metadata->addPropertyConstraint('rawPassword', new Assert\NotCompromisedPassword());
    }
}

To perform this check, the constraint doesn't send the raw password value to the haveibeenpwned.com API. Instead, it follows the k-anonymity range lookup offered by the Pwned Passwords service.

In practice, the raw password is hashed with SHA-1 (used here purely as a lookup key, not as a storage hash) and only the first five hexadecimal characters of that hash (a 20-bit prefix) are sent. The API responds with the suffixes of every leaked-password hash that starts with the same prefix, each paired with the number of times it has been seen in breaches. The validator then searches that list locally for the remaining 35 characters of its own hash. Because the response covers hundreds of unrelated hashes, the service never learns which one belongs to the submitted password, which is how the constraint can check for compromise without disclosing the password.

For example, if the password is test, the entire SHA-1 hash is a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 but the validator only sends a94a8 to the haveibeenpwned.com API.

Apply the constraint to the plaintext password as submitted by the user (the rawPassword property above), not to the value produced by your application's password hasher: the validator must compute SHA-1 over the plaintext itself. The plaintext should be discarded after validation and hashing, never persisted.

See also

When using this constraint inside a Symfony application, configure the framework.validation.not_compromised_password option (for example, set its enabled key to false in the dev and test environments) to avoid making HTTP requests to the external API there. The same option's endpoint key lets you point the validator at a self-hosted copy of the range API instead of haveibeenpwned.com.

Available Options

groups

type: array | string

It defines the validation group or groups of this constraint. Read more about validation groups.

message

type: string default: This password has been leaked in a data breach, it must not be used. Please use another password.

The default message supplied when the password has been compromised.

payload

type: mixed default: null

This option can be used to attach arbitrary domain-specific data to a constraint. The configured payload is not used by the Validator component, but its processing is completely up to you.

For example, you may want to use several error levels to present failed constraints differently in the front-end depending on the severity of the error.

skipOnError

type: boolean default: false

When the HTTP request made to the haveibeenpwned.com API fails for any reason (network error, timeout, non-2xx response), an exception is thrown, so validation aborts rather than reporting a violation. Set this option to true to swallow the exception and consider the password valid. This fails open: while the API is unreachable, compromised passwords are accepted, so weigh that against the availability cost of a hard failure.

threshold

type: integer default: 1

This value defines the minimum number of times a password must appear in the breach data for it to be considered compromised (the API returns a count for each matching hash, and the validator compares that count against the threshold). Think carefully before raising it: a password seen even once in a public breach is already on attacker wordlists, so a higher threshold weakens the check.
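As an added example (not code from Symfony or from NotCompromisedPasswordValidator), the following stand-alone PHP script carries out the k-anonymity lookup described under Basic Usage and applies the threshold and skipOnError semantics described above. The function and variable names (hibpPrefixAndSuffix, hibpCountForSuffix, passwordNotCompromised, $fetchRange) are hypothetical, the range response is constructed for the example (the counts are not real breach figures), and the HTTP transport is injected as a callable so the script runs offline; a real client would GET https://api.pwnedpasswords.com/range/{prefix} instead.

```php
<?php
// Added example (not Symfony's own code): a stand-alone k-anonymity lookup in
// the style of NotCompromisedPasswordValidator. The HTTP transport is injected
// as a callable so the script runs offline against a constructed range
// response. All names below are hypothetical.

declare(strict_types=1);

/**
 * Split the candidate password's SHA-1 into the 5-hex-char prefix that is
 * sent to the API and the 35-char suffix that never leaves the process.
 *
 * @return array{0: string, 1: string}
 */
function hibpPrefixAndSuffix(string $password): array
{
    $hash = strtoupper(sha1($password)); // Pwned Passwords publishes upper-case SHA-1
    return [substr($hash, 0, 5), substr($hash, 5)];
}

/**
 * Parse a range-API body ("SUFFIX:COUNT" per line, CRLF-separated) and return
 * how many times the given suffix was seen in breaches (0 if absent).
 */
function hibpCountForSuffix(string $body, string $suffix): int
{
    foreach (preg_split('/\r?\n/', $body) as $line) {
        $line = trim($line);
        if ('' === $line) {
            continue;
        }
        [$lineSuffix, $count] = explode(':', $line, 2) + [1 => '0'];
        if (0 === strcasecmp($lineSuffix, $suffix)) {
            return (int) $count;
        }
    }

    return 0;
}

/**
 * Returns true when the password is acceptable and false when it has been
 * seen at least $threshold times. $fetchRange receives the 5-char prefix and
 * returns the response body, or throws on transport failure. With
 * $skipOnError = false the failure propagates; with true it is swallowed and
 * the password is treated as valid (the fail-open behaviour of skipOnError).
 */
function passwordNotCompromised(
    string $password,
    callable $fetchRange,
    int $threshold = 1,
    bool $skipOnError = false
): bool {
    [$prefix, $suffix] = hibpPrefixAndSuffix($password);

    try {
        $body = $fetchRange($prefix); // only the 20-bit prefix is sent
    } catch (\RuntimeException $e) {
        if ($skipOnError) {
            return true; // fail open, exactly what skipOnError: true does
        }
        throw $e;
    }

    return hibpCountForSuffix($body, $suffix) < $threshold;
}

// Constructed range response for prefix A94A8 (not real API output): the
// suffix of sha1('test') appears with a made-up count of 4 between two
// made-up neighbours, mimicking the "SUFFIX:COUNT" line format.
$fakeRangeResponse = implode("\r\n", [
    '0000A1B2C3D4E5F60718293A4B5C6D7E8F9:2',
    'FE5CCB19BA61C4C0873D391E987982FBBD3:4',
    'FFFF00112233445566778899AABBCCDDEEF:1',
]);

$offlineClient = function (string $prefix) use ($fakeRangeResponse): string {
    // A real client would GET https://api.pwnedpasswords.com/range/{$prefix}
    return 'A94A8' === $prefix ? $fakeRangeResponse : '';
};

$failingClient = function (string $prefix): string {
    throw new \RuntimeException('simulated network failure for prefix '.$prefix);
};

var_dump(passwordNotCompromised('test', $offlineClient));          // bool(false): seen 4 >= 1
var_dump(passwordNotCompromised('test', $offlineClient, 5));       // bool(true):  4 < 5
var_dump(passwordNotCompromised('correct horse battery staple', $offlineClient)); // bool(true): prefix absent
var_dump(passwordNotCompromised('test', $failingClient, 1, true)); // bool(true):  fails open
```

Running it with php prints false, true, true, true: test is rejected at the default threshold, accepted once the threshold exceeds its constructed count of 4, a password whose prefix is absent from the fixture is accepted, and a transport failure with skipOnError enabled is also accepted, which is the trade-off that option buys you. Nothing but the 5-character prefix is ever handed to the client; keep it that way in logging as well, since the full SHA-1 of a weak password is trivially reversed with a wordlist.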

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.
Version: Symfony 5.4