PasswordStrength
Validates that the given password meets the minimum strength required by the constraint. The strength is not evaluated against a set of predefined composition rules (include a number, use lowercase and uppercase characters, etc.) but by estimating the entropy of the password from its length and the number of unique characters it uses. An entropy estimate says nothing about whether a password is common, guessable from the user's context, or present in a breach corpus, so pair this constraint with NotCompromisedPassword when that matters.
| Applies to | property or method |
| Class | Symfony\Component\Validator\Constraints\PasswordStrength |
| Validator | Symfony\Component\Validator\Constraints\PasswordStrengthValidator |
Basic Usage
The following constraint ensures that the rawPassword property of the User class reaches the minimum strength required by the constraint. By default, the minimum required score is 2 (PasswordStrength::STRENGTH_MEDIUM).
// src/Entity/User.php
namespace App\Entity;

use Symfony\Component\Validator\Constraints as Assert;

class User
{
    #[Assert\PasswordStrength]
    protected $rawPassword;
}
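To make the entropy description above concrete, here is a stand-alone estimator of the same shape, added here as an illustration and not taken from the component or the documentation: it credits each distinct character with log2 of the size of the character pool it belongs to, and each repeated character only with log2 of the number of distinct characters, so length alone buys very little. The pool sizes and score thresholds are this example's own assumptions; the authoritative values are in PasswordStrengthValidator::estimateStrength() of the installed version.

```php
<?php
// Stand-alone illustration of entropy-based scoring; not the component's code.
// Pool sizes and score thresholds below are assumptions for this example.

declare(strict_types=1);

const STRENGTH_VERY_WEAK = 0;
const STRENGTH_WEAK = 1;
const STRENGTH_MEDIUM = 2;
const STRENGTH_STRONG = 3;
const STRENGTH_VERY_STRONG = 4;

/**
 * Estimated entropy in bits from the password's length and distinct characters.
 * The pool is the union of the character classes actually present, so using a
 * single digit widens the pool by 10 and a single symbol by 33, while repeating
 * a character only adds log2(number of distinct characters) bits.
 */
function entropyBits(string $password): float
{
    $length = strlen($password);
    if (0 === $length) {
        return 0.0;
    }

    $distinct = count_chars($password, 1); // byte value => occurrences
    $unique = count($distinct);

    $lower = $upper = $digit = $symbol = $other = 0;
    foreach (array_keys($distinct) as $byte) {
        match (true) {
            $byte >= 97 && $byte <= 122 => $lower = 26,
            $byte >= 65 && $byte <= 90 => $upper = 26,
            $byte >= 48 && $byte <= 57 => $digit = 10,
            $byte >= 128 => $other = 128, // non-ASCII bytes
            default => $symbol = 33,      // punctuation, space, control characters
        };
    }
    $pool = $lower + $upper + $digit + $symbol + $other;

    // log2(1) is 0, so a one-character alphabet earns nothing for its repeats.
    return $unique * log($pool, 2) + ($length - $unique) * log($unique, 2);
}

/** Map the bit estimate onto the 0..4 score scale (thresholds are assumptions). */
function strengthOf(string $password): int
{
    $bits = entropyBits($password);

    return match (true) {
        $bits >= 120 => STRENGTH_VERY_STRONG,
        $bits >= 100 => STRENGTH_STRONG,
        $bits >= 80 => STRENGTH_MEDIUM,
        $bits >= 60 => STRENGTH_WEAK,
        default => STRENGTH_VERY_WEAK,
    };
}

// Constructed sample passwords: long-but-repetitive, short-but-varied,
// a lowercase passphrase, and a random string spanning every class.
$samples = [
    'aaaaaaaaaaaaaaaaaaaaaaaa',
    'Password1!',
    'correct horse battery staple',
    'xK#9vL2@pQ7!mN4&bR8*zT1%',
];

foreach ($samples as $password) {
    printf("%-30s %6.1f bits  score %d\n", $password, entropyBits($password), strengthOf($password));
}
```

Run it with any PHP 8 CLI; the first sample shows why a rule like "at least 24 characters" is not a substitute for an entropy estimate, and the second shows why mixing classes in a short password is not either.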
Available Options
minScore
type: integer default: PasswordStrength::STRENGTH_MEDIUM (2)
The minimum required strength of the password. It must be one of the following constants (an integer from 1 to 4):
PasswordStrength::STRENGTH_WEAK = 1
PasswordStrength::STRENGTH_MEDIUM = 2
PasswordStrength::STRENGTH_STRONG = 3
PasswordStrength::STRENGTH_VERY_STRONG = 4
PasswordStrength::STRENGTH_VERY_WEAK = 0 is also defined, but it is only used internally or returned by a custom password strength estimator; it cannot be used as the minimum score.
// src/Entity/User.php
namespace App\Entity;

use Symfony\Component\Validator\Constraints as Assert;

class User
{
    // Very strong password required; the constant is reached through the Assert alias
    #[Assert\PasswordStrength(minScore: Assert\PasswordStrength::STRENGTH_VERY_STRONG)]
    protected $rawPassword;
}
message
type: string
default: The password strength is too low. Please use a stronger password.
The default message supplied when the password does not reach the minimum required score.
// src/Entity/User.php
namespace App\Entity;

use Symfony\Component\Validator\Constraints as Assert;

class User
{
    #[Assert\PasswordStrength(
        message: 'Your password is too easy to guess. The company security policy requires a stronger password.',
    )]
    protected $rawPassword;
}
Customizing the Password Strength Estimation
7.2: The feature to customize the password strength estimation was introduced in Symfony 7.2.
By default, this constraint calculates the strength of a password based on its length and the number of unique characters used. You can get the calculated strength (e.g. to display it in the user interface) using the following static method, which returns one of the PasswordStrength::STRENGTH_* constants:
use Symfony\Component\Validator\Constraints\PasswordStrengthValidator;

$passwordEstimatedStrength = PasswordStrengthValidator::estimateStrength($password);
If you need to override the default password strength estimation algorithm, you can pass a Closure to the PasswordStrengthValidator constructor (e.g. using the service closures).
First, create a custom password strength estimation algorithm within a dedicated callable class:
namespace App\Validator;

use Symfony\Component\Validator\Constraints\PasswordStrength;

class CustomPasswordStrengthEstimator
{
    /**
     * @return PasswordStrength::STRENGTH_*
     */
    public function __invoke(string $password): int
    {
        // Your custom password strength estimation algorithm; it must return
        // one of the PasswordStrength::STRENGTH_* constants (0 to 4)
    }
}
Then, configure the PasswordStrengthValidator service to use your own estimator:
# config/services.yaml
services:
    custom_password_strength_estimator:
        class: App\Validator\CustomPasswordStrengthEstimator

    Symfony\Component\Validator\Constraints\PasswordStrengthValidator:
        arguments: [!closure '@custom_password_strength_estimator']
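Putting the two steps together, here is a complete custom estimator and a stand-alone script that wires it into the validator without the service container. This is an added example, not the component's or the documentation's code; it assumes symfony/validator 7.2 or later is installed with Composer, and the DenylistingPasswordStrengthEstimator class, its 12-character floor and the denylist entries are this example's own policy choices. The estimator keeps the component's entropy estimate for the general case and only overrides it where a hard rule should win.

```php
<?php
// Added example, not Symfony's code. Assumes symfony/validator >= 7.2 installed
// via Composer. Class name, minimum length and denylist are this example's own.

declare(strict_types=1);

require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Validator\Constraints\PasswordStrength;
use Symfony\Component\Validator\Constraints\PasswordStrengthValidator;
use Symfony\Component\Validator\ConstraintValidatorFactory;
use Symfony\Component\Validator\Validation;

/**
 * Applies hard policy floors first, then defers to the component's
 * entropy-based estimate for everything else.
 */
final class DenylistingPasswordStrengthEstimator
{
    /** @var array<string, true> lowercased passwords that are never acceptable */
    private readonly array $denylist;

    /** @param list<string> $denylist */
    public function __construct(array $denylist, private readonly int $minLength = 12)
    {
        $this->denylist = array_fill_keys(array_map('strtolower', $denylist), true);
    }

    /** @return PasswordStrength::STRENGTH_* */
    public function __invoke(string $password): int
    {
        // Too short: reject regardless of how many character classes it mixes.
        if (strlen($password) < $this->minLength) {
            return PasswordStrength::STRENGTH_VERY_WEAK;
        }

        // Known-bad password: "Password1234!" uses four classes and would earn
        // a respectable entropy score, but it is a guess, not a secret.
        if (isset($this->denylist[strtolower($password)])) {
            return PasswordStrength::STRENGTH_VERY_WEAK;
        }

        // Otherwise use the same estimate the constraint applies by default.
        return PasswordStrengthValidator::estimateStrength($password);
    }
}

// Constructed denylist for the demo; a real deployment would use a breach
// corpus or the NotCompromisedPassword constraint instead.
$estimator = new DenylistingPasswordStrengthEstimator(['Password1234!', 'Qwertyuiop123']);

// Hand the closure to the validator the same way the !closure service
// argument does, but without a container: pre-build the validator instance
// and register it with the factory under its class name.
$factory = new ConstraintValidatorFactory([
    PasswordStrengthValidator::class => new PasswordStrengthValidator($estimator(...)),
]);
$validator = Validation::createValidatorBuilder()
    ->setConstraintValidatorFactory($factory)
    ->getValidator();

$constraint = new PasswordStrength(minScore: PasswordStrength::STRENGTH_MEDIUM);

// Constructed candidates: too short, denylisted, and a random 24-character string.
foreach (['Abc!2', 'Password1234!', 'xK#9vL2@pQ7!mN4&bR8*zT1%'] as $candidate) {
    $violations = $validator->validate($candidate, $constraint);
    printf(
        "%-26s score %d -> %s\n",
        $candidate,
        $estimator($candidate),
        count($violations) > 0 ? $violations[0]->getMessage() : 'accepted'
    );
}
```

In an application you would not build the factory by hand: register the class as a service exactly as in the services.yaml above, passing the denylist and minimum length through its arguments, and the !closure argument on PasswordStrengthValidator does the rest. The two floors are deliberately checked before the entropy estimate so that no amount of character variety can rescue a password the policy has already ruled out.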