Skip to content

PasswordStrength

Warning: You are browsing the documentation for Symfony 7.0, which is no longer maintained.

Read the updated version of this page for Symfony 7.2 (the current stable version).

Validates that the given password has reached the minimum strength required by the constraint. The strength of the password is not evaluated with a set of predefined rules (include a number, use lowercase and uppercase characters, etc.) but by measuring the entropy of the password based on its length and the number of unique characters used.

Basic Usage

The following constraint ensures that the rawPassword property of the User class reaches the minimum strength required by the constraint. By default, the minimum required score is 2.

1
2
3
4
5
6
7
8
9
10
// src/Entity/User.php
namespace App\Entity;

use Symfony\Component\Validator\Constraints as Assert;

class User
{
    #[Assert\PasswordStrength]
    protected $rawPassword;
}

Available Options

minScore

type: integer default: PasswordStrength::STRENGTH_MEDIUM (2)

The minimum required strength of the password. Available constants are:

  • PasswordStrength::STRENGTH_WEAK = 1
  • PasswordStrength::STRENGTH_MEDIUM = 2
  • PasswordStrength::STRENGTH_STRONG = 3
  • PasswordStrength::STRENGTH_VERY_STRONG = 4

PasswordStrength::STRENGTH_VERY_WEAK is available but only used internally or by a custom password strength estimator.

1
2
3
4
5
6
7
8
9
10
11
12
// src/Entity/User.php
namespace App\Entity;

use Symfony\Component\Validator\Constraints as Assert;

class User
{
    #[Assert\PasswordStrength([
        'minScore' => PasswordStrength::STRENGTH_VERY_STRONG, // Very strong password required
    ])]
    protected $rawPassword;
}

message

type: string default: The password strength is too low. Please use a stronger password.

The default message supplied when the password does not reach the minimum required score.

1
2
3
4
5
6
7
8
9
10
11
12
// src/Entity/User.php
namespace App\Entity;

use Symfony\Component\Validator\Constraints as Assert;

class User
{
    #[Assert\PasswordStrength([
        'message' => 'Your password is too easy to guess. Company\'s security policy requires to use a stronger password.'
    ])]
    protected $rawPassword;
}
This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.
TOC
    Version