PasswordStrength

Validates that the given password has reached the minimum strength required by the constraint. The strength of the password is not evaluated with a set of predefined rules (include a number, use lowercase and uppercase characters, etc.) but by measuring the entropy of the password based on its length and the number of unique characters used.

Basic Usage

The following constraint ensures that the rawPassword property of the User class reaches the minimum strength required by the constraint. By default, the minimum required score is 2.

// src/Entity/User.php
namespace App\Entity;

use Symfony\Component\Validator\Constraints as Assert;

class User
{
    #[Assert\PasswordStrength]
    protected $rawPassword;
}

Available Options

minScore

type: integer default: PasswordStrength::STRENGTH_MEDIUM (2)

The minimum required strength of the password. Available constants are:

  • PasswordStrength::STRENGTH_WEAK = 1
  • PasswordStrength::STRENGTH_MEDIUM = 2
  • PasswordStrength::STRENGTH_STRONG = 3
  • PasswordStrength::STRENGTH_VERY_STRONG = 4

PasswordStrength::STRENGTH_VERY_WEAK is available but only used internally or by a custom password strength estimator.

// src/Entity/User.php
namespace App\Entity;

use Symfony\Component\Validator\Constraints as Assert;

class User
{
    #[Assert\PasswordStrength([
        // the constant must be referenced through the imported Assert namespace
        'minScore' => Assert\PasswordStrength::STRENGTH_VERY_STRONG, // Very strong password required
    ])]
    protected $rawPassword;
}

message

type: string default: The password strength is too low. Please use a stronger password.

The default message supplied when the password does not reach the minimum required score.

// src/Entity/User.php
namespace App\Entity;

use Symfony\Component\Validator\Constraints as Assert;

class User
{
    #[Assert\PasswordStrength([
        'message' => 'Your password is too easy to guess. Company\'s security policy requires to use a stronger password.'
    ])]
    protected $rawPassword;
}

Customizing the Password Strength Estimation

The feature to customize the password strength estimation was introduced in Symfony 7.2.

By default, this constraint calculates the strength of a password based on its length and the number of unique characters used. You can get the calculated password strength (e.g. to display it in the user interface) using the following static function:

use Symfony\Component\Validator\Constraints\PasswordStrengthValidator;

$passwordEstimatedStrength = PasswordStrengthValidator::estimateStrength($password);

If you need to override the default password strength estimation algorithm, you can pass a Closure to the PasswordStrengthValidator constructor (e.g. using the service closures).

First, create a custom password strength estimation algorithm within a dedicated callable class:

namespace App\Validator;

use Symfony\Component\Validator\Constraints\PasswordStrength;

class CustomPasswordStrengthEstimator
{
    /**
     * @return PasswordStrength::STRENGTH_*
     */
    public function __invoke(string $password): int
    {
        // Your custom password strength estimation algorithm goes here.
        // Illustrative placeholder logic: rate the password by its length only.
        $length = mb_strlen($password);

        return match (true) {
            $length >= 20 => PasswordStrength::STRENGTH_VERY_STRONG,
            $length >= 16 => PasswordStrength::STRENGTH_STRONG,
            $length >= 12 => PasswordStrength::STRENGTH_MEDIUM,
            $length >= 8 => PasswordStrength::STRENGTH_WEAK,
            default => PasswordStrength::STRENGTH_VERY_WEAK,
        };
    }
}

Then, configure the PasswordStrengthValidator service to use your own estimator:

# config/services.yaml
services:
    custom_password_strength_estimator:
        class: App\Validator\CustomPasswordStrengthEstimator

    Symfony\Component\Validator\Constraints\PasswordStrengthValidator:
        arguments: [!closure '@custom_password_strength_estimator']
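
As an added example (not part of the Symfony documentation or code base), the following estimator wraps the built-in estimateStrength() with two checks that a pure length/unique-character heuristic cannot make on its own: a deny list of well-known passwords, and collapsing of a repeated segment before estimating. The class name and the deny-list entries are assumptions; the list holds constructed sample values only.

```php
namespace App\Validator;

use Symfony\Component\Validator\Constraints\PasswordStrength;
use Symfony\Component\Validator\Constraints\PasswordStrengthValidator;

final class DenyListAwarePasswordStrengthEstimator
{
    // Constructed sample deny list (hypothetical values). In production, load
    // it from a breached-password data source instead of hard-coding it.
    private const DENY_LIST = [
        'correct horse battery staple',
        'password123!password123!',
    ];

    /**
     * @return PasswordStrength::STRENGTH_*
     */
    public function __invoke(#[\SensitiveParameter] string $password): int
    {
        // A long, well-known string scores high on character-set entropy yet
        // is trivially guessable, so always report it as very weak.
        if (\in_array(mb_strtolower($password), self::DENY_LIST, true)) {
            return PasswordStrength::STRENGTH_VERY_WEAK;
        }

        // Repeating a short segment ("abc123abc123") inflates length without
        // adding real entropy: estimate the strength of the repeated unit only.
        $unit = $this->shortestRepeatingUnit($password);

        // Fall back to Symfony's built-in length/unique-character estimate.
        return PasswordStrengthValidator::estimateStrength($unit);
    }

    private function shortestRepeatingUnit(string $password): string
    {
        $length = \strlen($password);
        for ($size = 1; $size <= intdiv($length, 2); ++$size) {
            if (0 !== $length % $size) {
                continue;
            }
            $candidate = substr($password, 0, $size);
            if (str_repeat($candidate, intdiv($length, $size)) === $password) {
                return $candidate;
            }
        }

        return $password;
    }
}
```

Register this class in config/services.yaml in place of CustomPasswordStrengthEstimator; for checking against a public breach corpus rather than a local list, Symfony also ships the separate NotCompromisedPassword constraint.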

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.