A password policy enforcer for PHP and JavaScript


PasswordPolicy

A tool for checking and creating password policies in PHP and JS.

Installation

Use Composer to set up an autoloader:

php composer.phar install

Require the composer autoload file:

require_once 'vendor/autoload.php';

Usage:

To use, first instantiate the core policy object:

$policy = new \PasswordPolicy\Policy;

Then, add rules:

$policy->contains('lowercase', $policy->atLeast(2));

Supported rule helper methods are:

  • contains($class, $constraint = null, $description = ''): Checks whether the password contains characters of the given class

    Supported shortcut classes:

    • letter - a-zA-Z
    • lowercase - a-z
    • uppercase - A-Z
    • digit - 0-9
    • symbol - ^a-zA-Z0-9 (in other words, non-alpha-numeric)
    • null - \0
    • alnum - a-zA-Z0-9

    The second parameter is an optional constraint (see Supported Constraints below); the third is the description reported in the result messages.

  • length($constraint): Checks that the length of the password satisfies a constraint

  • endsWith($class, $description = ''): Checks to see if the password ends with a character class.

  • startsWith($class, $description = ''): Checks to see if the password starts with a character class.

  • notMatch($regex, $description): Checks if the password does not match a regex.

  • match($regex, $description): Checks if the password matches the regex.

Supported Constraints:

The policy also has short-cut helpers for creating constraints:

  • atLeast($n): At least $n matches

    Equivalent to between($n, PHP_INT_MAX)

  • atMost($n): At most $n matches

    Equivalent to between(0, $n)

  • between($min, $max): Between $min and $max number of matches

  • never(): No matches

    Equivalent to between(0, 0)

Testing the policy

Once you have set up the policy, test a password in PHP with the test($password) method.

$result = $policy->test($password);

The return value is a stdClass object with two members, result and messages.

  • $result->result - A boolean: true if the password satisfies every rule.

  • $result->messages - An array of messages, one per rule

Each message is an object of two members:

  • $message->result - A boolean indicating if the rule passed

  • $message->message - A textual description of the rule
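The following is an added example, not code from the PasswordPolicy README: it builds a policy from the rule and constraint helpers documented above, runs test() against a few constructed sample passwords, and collects the descriptions of the rules that failed. The failedRules() helper, the rule descriptions and the sample passwords are assumptions made for this example; the exact wording the library puts into $message->message when no description is given is not documented here.

```php
<?php
// Added example (not part of the PasswordPolicy README): build a policy from the
// documented helpers and inspect what test() returns.
require_once 'vendor/autoload.php';

$policy = new \PasswordPolicy\Policy;

// Length window: reject anything under 12 characters, but keep the upper bound
// high so long passphrases are not penalised.
$policy->length($policy->between(12, 128));

// Character-class rules; the third argument is the description shown on failure.
$policy->contains('lowercase', $policy->atLeast(1), 'at least one lowercase letter');
$policy->contains('uppercase', $policy->atLeast(1), 'at least one uppercase letter');
$policy->contains('digit',     $policy->atLeast(1), 'at least one digit');
$policy->contains('null',      $policy->never(),    'no NUL bytes');

// Regex rules: keep the "/" delimiters so the same rules survive toJavaScript().
$policy->notMatch('/(.)\1{2,}/', 'no character repeated three or more times in a row');
$policy->notMatch('/password/i', 'must not contain the word "password"');

/**
 * Hypothetical helper for this example: run the policy and return the
 * descriptions of the rules that failed (an empty array means the password passed).
 */
function failedRules(\PasswordPolicy\Policy $policy, string $password): array
{
    $result = $policy->test($password);
    if ($result->result) {
        return [];
    }
    $failed = [];
    foreach ($result->messages as $message) {
        // Each message carries its own pass/fail flag and the rule description.
        if (!$message->result) {
            $failed[] = $message->message;
        }
    }
    return $failed;
}

// Constructed sample inputs: too short, acceptable, and a repeated-character failure.
foreach (['Passw0rd', 'Correct-Horse-7-Battery', 'aaaBBB111ccc'] as $candidate) {
    $failed = failedRules($policy, $candidate);
    printf("%-25s %s\n", $candidate,
        $failed ? 'REJECTED: ' . implode('; ', $failed) : 'accepted');
}
```

Note that the same Policy object is what you should run on the server for every submitted password; the JavaScript export described in the next section is only a convenience for early feedback in the browser.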

Using JavaScript

Once you have built the policy, call toJavaScript() to generate a JS anonymous function that you can embed in your client-side code.

$js = $policy->toJavaScript();
echo "var policy = $js;";

The resulting JS function mirrors $policy->test($password) and returns the same structure (result and messages).

var result = policy(password);
if (!result.result) {
    /* Process Messages To Display Failure To User */
}

One note for the JavaScript: any regular expressions you write must be delimited by / and be valid JS regexes (no preg_*/PCRE-specific syntax is allowed), because the generated code reuses them verbatim.
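The following is an added example, not code from the PasswordPolicy README: a single PHP template that uses one Policy object both to re-validate a submitted password on the server and to render the toJavaScript() output into the page for live feedback. The form, the element ids, the rule descriptions and the message wording are assumptions made for this example.

```php
<?php
// Added example (not part of the PasswordPolicy README): one Policy object
// validates on the server and is exported to the browser for early feedback.
require_once 'vendor/autoload.php';

$policy = new \PasswordPolicy\Policy;
$policy->length($policy->atLeast(12));
$policy->contains('digit', $policy->atLeast(1), 'at least one digit');
// Regex rules that will be exported must use "/" delimiters and stay within JS
// regex syntax (no PCRE-only features such as possessive quantifiers).
$policy->notMatch('/(.)\1{2,}/', 'no character repeated three or more times in a row');

// Authoritative check: the server always re-runs the policy on submit.
$serverErrors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $check = $policy->test((string) ($_POST['password'] ?? ''));
    if (!$check->result) {
        foreach ($check->messages as $m) {
            if (!$m->result) {
                $serverErrors[] = $m->message;
            }
        }
    }
}

// The rule descriptions are developer-written literals, so the generated function
// can be embedded directly; never build descriptions from user-supplied input.
$js = $policy->toJavaScript();
?>
<form method="post">
  <input type="password" id="password" name="password" autocomplete="new-password">
  <p id="policy-feedback"><?= htmlspecialchars(implode('; ', $serverErrors), ENT_QUOTES, 'UTF-8') ?></p>
  <button type="submit">Set password</button>
</form>
<script>
var policy = <?= $js ?>;

// Client-side hints only; the PHP block above is what actually decides.
document.getElementById('password').addEventListener('input', function (ev) {
    var result = policy(ev.target.value);
    var failed = [];
    for (var i = 0; i < result.messages.length; i++) {
        if (!result.messages[i].result) {
            failed.push(result.messages[i].message);
        }
    }
    document.getElementById('policy-feedback').textContent =
        result.result ? 'Looks good' : failed.join('; ');
});
</script>
```

Because the browser-side function is generated from the same rules, the feedback a user sees while typing matches what the server will enforce, and there is no second copy of the policy to drift out of sync.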

Issues

  • Rules based on "strength" and "entropy"

    Are you interested in these implementations for new rules? https://code.google.com/p/mrclay/source/browse/trunk/php/MrClay/NewPasswordValidator.php#300

    opened by mrclay 4

  • WIP for review

    This has a bunch of ideas I'll document inline

    opened by mrclay 4

  • Tagging

    Could this package be tagged as version 1.0 or at least 0.x?

    opened by martinssipenko 2

  • Add umlaut character class shortcut

    Might be handy to avoid or include umlaut characters

    opened by t2d 2

  • Ensure that actual length (not byte count) of password is checked

    Right now the strlen function is used to check password length. This works fine when the password consists of the English alphabet.

    When Russian symbols are used in the password (they use 3 bytes per letter), then a weaker password will pass the check. This PR uses the mb_strlen function to solve that problem.

    opened by aik099 1

  • Fixed stupid typo

    as in subject.. :)

    opened by radmen 0

  • The package is versioned by tagging

    In Packagist the version of the package is set through tagging the repository

    opened by aik099 0

  • Normalize package name

    Changed package name to look like other packages from the same author

    opened by aik099 0

  • Another typo fix

    Extracted from #3

    opened by aik099 0

  • Add "CombinatorRule"

    The CombinatorRule would:

    • accept:
      • array of rules as input
      • constraint (as all rules do)
    • test method will:
      • call the test method on each of the rules given in the constructor
      • add +1 on each sub-rule match
      • use the constraint to check the count of matched sub-rules
    • if not enough sub-rules matched then combine error messages from sub-rules using "or" (not sure this is the best way to build the error message)

    P.S.

    This proposal is far easier to implement than the one in #7.

    opened by aik099 0

  • Add unit tests

    Proposing to add unit tests and run them automatically using Travis CI.

    opened by aik099 0

  • Add rule for consecutive class symbols

    The new rule can check if symbols from a given class go one after another in a password.

    For example in the asf34ge password:

    • there are 3 lowercase letters one after another
    • there are 2 lowercase letters one after another
    • there are 2 digits one after another

    Not sure how important this is, but http://www.passwordmeter.com/ subtracts points when there are 3 or more.

    opened by aik099 0

  • Ensure regex starts with "/" and ends with "/"

    The code that transforms a regex rule into JavaScript assumes it starts with / and ends with /. In PHP however there is no such restriction. This way if somebody adds a new regex rule using different delimiters it would result in a JavaScript error.

    I see the following options:

    • either enforce specific delimiter usage (the / specifically) - easier to do, but exposes the fact that JavaScript is generated internally
    • or replace the used delimiter with / when converting to JavaScript - better, but would require escaping the new delimiter inside the regex as well

    opened by aik099 0

  • Add combiner rules

    E.g. ideas for rules:

    • At least N of given rules pass
    • Fewer than N of given rules fail

    opened by mrclay 2

  • Is setConstraint really needed in Rule interface?

    Not obvious to me why.

    opened by mrclay 2

  • (WIP) Adds rule that password not appear in a blacklist

    Feedback welcomed. E.g. the JS version should not block the password, right? I added a few comments to help IDE comprehension. I know this needs tests.

    opened by mrclay 2

  • Internationalization

    I really liked this library. However I was wondering, since the messages are so coded inside the class, what about a way of doing i18n for the messages? Maybe symfony translator?

    opened by ivanrey 2
Owner: Anthony Ferrara