A password policy enforcer for PHP and JavaScript

Overview

PasswordPolicy

A tool for checking and creating password policies in PHP and JS.

Installation

Use Composer to set up an autoloader:

php composer.phar install

Require the composer autoload file:

require_once 'vendor/autoload.php';

Usage

To use, first instantiate the core policy object:

$policy = new \PasswordPolicy\Policy;

Then, add rules:

$policy->contains('lowercase', $policy->atLeast(2));

Supported rule helper methods are:

  • contains($class, $constraint = null, $description = ''): Checks whether the password contains characters of a given class

    Supported Short-Cut classes:

    • letter - a-zA-Z
    • lowercase - a-z
    • uppercase - A-Z
    • digit - 0-9
    • symbol - ^a-zA-Z0-9 (in other words, non-alpha-numeric)
    • null - \0
    • alnum - a-zA-Z0-9

    The second parameter is an optional constraint on how many characters of that class must occur.

  • length($constraint): Checks that the length of the password satisfies a constraint

  • endsWith($class, $description = ''): Checks to see if the password ends with a character class.

  • startsWith($class, $description = ''): Checks to see if the password starts with a character class.

  • notMatch($regex, $description): Checks if the password does not match a regex.

  • match($regex, $description): Checks if the password matches the regex.

Supported Constraints:

The policy also has short-cut helpers for creating constraints:

  • atLeast($n): At least $n matches

    Equivalent to between($n, PHP_INT_MAX)

  • atMost($n): At most $n matches

    Equivalent to between(0, $n)

  • between($min, $max): Between $min and $max number of matches

  • never(): No matches

    Equivalent to between(0, 0)

Testing the policy

Once you have set up the policy, you can test a password in PHP using the test($password) method.

$result = $policy->test($password);

The return value is a stdClass object with two members, result and messages.

  • $result->result - A boolean indicating whether the password satisfied every rule.

  • $result->messages - An array of messages, one per rule

Each message is an object of two members:

  • $message->result - A boolean indicating if the rule passed

  • $message->message - A textual description of the rule

Using JavaScript

Once you've built the policy, you can call toJavaScript() to generate a JS anonymous function for injecting into JS code.

$js = $policy->toJavaScript();
echo "var policy = $js;";

The resulting JS policy function mirrors $policy->test($password) and returns the same structure (a result boolean and a messages array).

var result = policy(password);
if (!result.result) {
    /* Process Messages To Display Failure To User */
}

One note for the JavaScript: any regular expressions you write need to be delimited by / and must be valid JS regexes (no preg/PCRE-specific functionality is allowed).
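The generated function's contract (the same return shape as $policy->test()), the README's rule and constraint helpers, and the slash-delimiter restriction, shown end to end in one added example. This is illustration code written for this page, not the library's own code and not the output of toJavaScript(): makePolicy, parseDelimitedRegex, failedRules, the rule-object layout and the sample rule descriptions are all assumptions, and the variable policy stands in for the one the README assigns from $js. Whatever the client-side function reports, the server-side $policy->test() call remains the authoritative check, since anything running in the browser can be bypassed.

```javascript
// Added example (not the library's generated code): a stand-in for the function
// that $policy->toJavaScript() emits. It reimplements the rule semantics the README
// documents (contains/length/match/notMatch with atLeast/atMost/between/never
// constraints) so the { result, messages } shape and a consumer of it can be shown
// end to end. Class regexes, rule-object layout and descriptions are assumptions.

// Character classes as the README lists them.
const CLASSES = {
  letter: /[a-zA-Z]/g,
  lowercase: /[a-z]/g,
  uppercase: /[A-Z]/g,
  digit: /[0-9]/g,
  symbol: /[^a-zA-Z0-9]/g,
  null: /\0/g,
  alnum: /[a-zA-Z0-9]/g,
};

// Constraint helpers mirroring the README's atLeast/atMost/between/never:
// each returns a predicate over a match count.
const between = (min, max) => (n) => n >= min && n <= max;
const atLeast = (n) => between(n, Number.MAX_SAFE_INTEGER);
const atMost = (n) => between(0, n);
const never = () => between(0, 0);

// Parse a "/pattern/flags" string into a RegExp. Only "/" delimiters are accepted,
// matching the README's restriction on regexes that reach JavaScript; anything
// else is rejected here instead of becoming a syntax error in generated code.
function parseDelimitedRegex(src) {
  const m = /^\/([\s\S]*)\/([a-z]*)$/.exec(src);
  if (!m) throw new Error('regex must be delimited by "/": ' + src);
  return new RegExp(m[1], m[2]);
}

// Length measured in code points, not UTF-16 code units (and not bytes), so a
// password made of non-ASCII characters is not over-counted.
const charLength = (s) => Array.from(s).length;

function countMatches(password, re) {
  const found = password.match(re);
  return found ? found.length : 0;
}

// Build a policy function with the documented return shape:
// { result: bool, messages: [{ result: bool, message: string }, ...] }.
function makePolicy(rules) {
  return function policy(password) {
    const messages = rules.map((rule) => {
      let passed;
      switch (rule.type) {
        case 'contains':
          passed = rule.constraint(countMatches(password, CLASSES[rule.cls]));
          break;
        case 'length':
          passed = rule.constraint(charLength(password));
          break;
        case 'match':
          passed = parseDelimitedRegex(rule.regex).test(password);
          break;
        case 'notMatch':
          passed = !parseDelimitedRegex(rule.regex).test(password);
          break;
        default:
          throw new Error('unknown rule type: ' + rule.type);
      }
      return { result: passed, message: rule.description };
    });
    return { result: messages.every((m) => m.result), messages };
  };
}

// Consumer side, as the README's snippet sketches: collect the descriptions of
// the rules that failed so they can be shown to the user.
function failedRules(result) {
  return result.messages.filter((m) => !m.result).map((m) => m.message);
}

// Constructed sample policy (rules chosen for this example, not from the README).
const policy = makePolicy([
  { type: 'length', constraint: atLeast(8), description: 'at least 8 characters' },
  { type: 'contains', cls: 'lowercase', constraint: atLeast(2), description: 'at least 2 lowercase letters' },
  { type: 'contains', cls: 'digit', constraint: atLeast(1), description: 'at least 1 digit' },
  { type: 'contains', cls: 'null', constraint: never(), description: 'no NUL characters' },
  { type: 'notMatch', regex: '/password/i', description: 'must not contain "password"' },
]);

if (typeof require !== 'undefined' && require.main === module) {
  for (const candidate of ['Password1', 'correct horse 42']) {
    const r = policy(candidate);
    console.log(JSON.stringify(candidate), r.result ? 'accepted' : 'rejected: ' + failedRules(r).join('; '));
  }
}
```

Run it with node to see the two sample passwords evaluated; a rejection lists the descriptions of the failed rules, which is the message processing the README's snippet leaves as a comment. The length rule deliberately counts code points rather than .length so that a password of astral-plane characters is measured by its visible length, the same concern the strlen/mb_strlen discussion below raises for the PHP side.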

Comments

  • Rules based on "strength" and "entropy"

    Are you interested in these implementations for new rules? https://code.google.com/p/mrclay/source/browse/trunk/php/MrClay/NewPasswordValidator.php#300

    opened by mrclay 4
  • Ensure that the actual length (not byte count) of the password is checked

    Right now the strlen function is used to check password length. This works fine when the password consists of the English alphabet.

    When Russian symbols are used in the password (which use 3 bytes per 1 letter), then a weaker password will pass the check. This PR uses the mb_strlen function to solve that problem.

    opened by aik099 1
  • Add "CombinatorRule"

    The CombinatorRule would:

    • accept:
      • an array of rules as input
      • a constraint (as all rules do)
    • its test method will:
      • call the test method on each of the rules given in the constructor
      • add +1 for each sub-rule match
      • use the constraint to check the count of matched sub-rules
    • if not enough sub-rules matched, then combine the error messages from the sub-rules using "or" (not sure this is the best way to build the error message)

    P.S.

    This proposal is far easier to implement than the one in #7.

    opened by aik099 0
  • Add rule for consecutive class symbols

    The new rule can check if symbols from a given class go one after another in a password.

    For example, in the password asf34ge:

    • there are 3 lowercase letters one after another
    • there are 2 lowercase letters one after another
    • there are 2 digits one after another

    Not sure how important this is, but http://www.passwordmeter.com/ subtracts points when there are 3 or more.

    opened by aik099 0
  • Ensure regex starts with "/" and ends with "/"

    The code that transforms a regex rule into JavaScript assumes it starts with / and ends with /. In PHP, however, there is no such restriction. This way, if somebody adds a new regex rule using different delimiters, it would result in a JavaScript error.

    I see the following options:

    • either enforce specific delimiter usage (the / specifically) - easier to do, but exposes the fact that JavaScript is generated internally
    • or replace the used delimiter with / when converting to JavaScript - better, but would require escaping the new delimiter inside the regex as well

    opened by aik099 0
  • (WIP) Adds rule that password not appear in a blacklist

    Feedback welcomed. E.g. the JS version should not block the password, right? I added a few comments to help IDE comprehension. I know this needs tests.

    opened by mrclay 2
Owner

Anthony Ferrara