rollerworks / passwordstrengthvalidator Goto Github PK

What do you think about adding php 7.2 and 7.3 to build and remove not supported php versions, like 5.6 and 7.0?

Is it possible that the MySQL (PDO) functionality for the "blacklisting password" is integrated into the code?

My SQLite database is now quite large and it will be difficult to keep this between the hosts up to date. The central MySQL server would be more practical at this point.

Make the ChainProvider lazy by using a PSR-11 service-container.

Hi,

The translations stopped working when a new default domain is set to the validators in the framework.yaml
validation: { translation_domain: messages }

Do you know how to fix this ?

I tried to add
missingNumbersMessage: "Le mot de passe doit contenir au moins un chiffre.
in my messages+intl-icu.fr.yaml but its not working too..

According to (new) NIST recommendations password strength enforcement should be avoided, but some practices (including the validation of leaked passwords) are still advised.

Therefor I propose to add the following validators:

PasswordRepeatedChars

Validates the password doesn't contained only repeated (unicode) characters.
(count the total amount of unique characters within a password, and ensure this at least minLength).

PasswordPublicInformation

Validates the password doesn't equal too "public" information. like email address, username, etc.

Options:

• passwordField: The field in the provided value (object or array) to use as the actual password.
• fields: an array of property-paths to check against.

The used message is rather generic like "The password must not be same as your public profile information. Including username, email address." rather than mentioning which field was equal.

PasswordCommonList

Validates the Password doesn't not exist a in common password list (similar too the blacklist validators).
Uses https://github.com/danielmiessler/SecLists/blob/master/Passwords/xato-net-10-million-passwords-1000000.txt

Note: Only includes password of 6 characters or more (because anything less is insecure by default).

This will deprecate the BlacklistValidator, as this requires manual maintenance of the stored list, and using different providers as not really needed.

Take inspiration (not code. GNU licensed) from https://github.com/nextcloud/password_policy

The brazilian portuguese translation of special chars requirement is wrong, as shown in the image below.
As I'm from Brazil, I'd suggest translating it to: "A senha deve conter pelo menos um caractere especial.".

Like some kind of presets?

For example, http://password-policy-testing.wikidot.com/results

It will be great if can be implemented a client side function so the user can watch the password strength when enters it.

The Spanish translation file currently contains the same message for Your password must include at least one letter. than for Your password must be at least {{length}} characters long. instead of the right translation.

We need a Spanish-speaking contributor to provide the right message here.

There is one duplicate line, and one typo which needs to be fixed:

<trans-unit id="2">
<source>Your password must include at least one letter.</source>
<target>Пароль должен содержать, по крайней мере, один специальный символ.</target>
</trans-unit>

<trans-unit id="16">
<source>rollerworks_password.tip.special_chars</source>
<target>добавить специальнгые символы</target>
</trans-unit>

I use the Validator per PHP8 Attributes:

#[RollerworksPassword\PasswordStrength(minLength: 6, minStrength: 3)]
private string $plainPassword;

When i open the register-form, following exception occurs:

The options "minStrength" must be set for constraint "Rollerworks\Component\PasswordStrength\Validator\Constraints\PasswordStrength".

PHPStorm says:
Named arguments order does not match parameters order
When i change the Param order the same error is shown.

A Symfony 4.3 project has a User entity configured with @ORM\InheritanceType("JOINED"). In this configuration adding the constraints namespace Rollerworks\Component\PasswordStrength\Validator\Constraints and then @RollerworksPassword\PasswordStrength(minLength=7, minStrength=3) to the password field is not effective. Submitting a password such as abc does not trigger a validation error.

Symfony validators exhibit this behavior as well. Instead, those validators are configured in the FormType. For example:

                ->add('plainPassword', RepeatedType::class, array(
                    'type' => PasswordType::class,
                    'mapped' => false,
                    'constraints' => [new NotBlank(['message' => "Password may not empty"])],
...

In this circumstance, however, adding the namespace to the FormType and the constraint new RollerworksPassword(['minLength' => 7, 'minStrength' => 3]) to the constraints parameter results in the error

Attempted to load class "Constraints" from namespace "Rollerworks\Component\PasswordStrength\Validator".

How should the validator be configured in this situation?

User table configuration

/**
 * @ORM\Table(name="usertable")
 * @ORM\Entity
 * @ORM\Entity(repositoryClass="App\Repository\UserRepository")
 * @ORM\InheritanceType("JOINED")
 * @ORM\DiscriminatorColumn(name="type", type="string")
 * @ORM\DiscriminatorMap({"staff" = "Staff", "volunteer" = "Volunteer", "admin"="Admin"})
 * @UniqueEntity(fields="email", message="Email already registered")
 */

psr/log is currently still restricted to 1.0 while 2.0 is perfectly valid.

Minor reminder for myself.

This was something I originally planned but never implemented, add an provider option that allows to use a different provider then the default.

The validation message for the PwnedPassword constraint should be pluralized based on the use_count, to allow writing correct sentences in all locales.

Due to the way the Symfony translator works, this would be a BC break only if you update the source message (transChoice breaks if a pluralized message does not contain the right alternative for the pluralization, but does not break when the provided message is not pluralized at all in the translation).
Btw, this is a good reason to use translation keys rather than English messages as source (which is already done for half of the translations). Having an English message as source which is not the actual English translation might be confusing.

When converting from Annotations to Attributes you should go from:

@RollerworksPassword\PasswordStrength(minLength=8, minStrength=5)

to

#[RollerworksPassword\PasswordStrength(minLength: 8, minStrength: 5)]

This is not possible at the moment because of a missing constructor

Is it possible to translate? the text inserts?

e.g. uppercase letters, very weak, strong
i tried every lang.key but no success, i translated alreade the full sentences but not this inserts.

thank you.

Translations are not loaded. I have to manually copy the file. Is the problem related to the missing DependencyInjection folder?

Currently, the constraint will reject any password found at least once on pwnedpasswords.com. While this is indeed the safest behavior (and so a sensible default), it means blocking half a billion passwords currently.
The blog post announcing the launch of the v2 (which is used here) recognizes this usability nightmare, and explains that this is the reason why a count is provided for each password: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#eachpasswordnowhasacountnexttoit

I would be great to allow configuring the threshold at which passwords should be blocked (the existing behavior corresponds to threshold=1)