Lee Willis

 

Enforce user password strength

October 18, 2016 by Lee | 0 comments

I’ve worked with Drupal & WordPress for the majority of my projects for many years. For a lot of projects that are content-centric they can make a good starting point, and minimize the amount of custom work that needs to be done.

Starting with WordPress or Drupal gives you a user framework, permissions, content management, easy content display, and a wealth of prebuilt modules / plugins to get your project off to a quick start.

However, they do have their limitations, and they’re not for every project. More recently I’ve been working with Laravel as a development framework on a number of projects that made sense to build from the ground-up. Established Laravel agencies / developers probably already have a set of add-ons that they regularly use to build out common features, but for someone relatively new to the framework, a lot of my time has been spent finding the building blocks to fill in missing bits of the puzzle.

I’m going to cover a number of these in future articles (backups / WYSIWYG editing / content filtering) in future articles of the series, but today I’m going to talk about user registration.

Laravel has scaffolding built out for user management, including registration, and password management. However – the default setup doesn’t do anything to enforce password rules / guidelines on users. One of my recent projects includes users registering for a service, and I wanted to make sure that they weren’t using too simple passwords. WordPress does this out of the box, and Drupal has plenty of modules to choose from, but for Laravel I had to look for something to plug in.

The library I settled on was zxcvbn-php :

Realistic PHP password strength estimate library based on Zxcvbn JS
https://github.com/bjeavons/zxcvbn-php
108 forks.
817 stars.
28 open issues.

Recent commits:

This is a PHP implementation of the Javascript zxcvbn project from Dropbox and @lowe, and works really nicely. It’s a general purpose library – so can be used with any PHP project. Just give it an entered password, and it will evaluate it for you, allowing you to choose what level of passwords you want to accept. Read the Dropbox link, or this Xkcd cartoon for background on the sort of things it checks for.

Wiring it up to Laravel was a small job (If there’s any interest I can write that up separately), essentially just extending Laravel’s validation framework, and setting the validation control on the RegisterController.

Image credit: https://xkcd.com/936/

  1. Stuff I’ve used
  2. Error tracking with Sentry
  3. Autotrack for Google Analytics
  4. WordPress performance tracking with Time-stack
  5. Enforce user password strength
  6. WYSIWYG with Summernote
  7. Backing up your Laravel app
  8. Adding Google Maps to your Laravel application
  9. Activity logging in Laravel
  10. Image handling in PHP with Intervention Image
  11. Testing Laravel emails with MailThief
  12. Assessing software health
  13. IP Geolocation with MaxMind’s GeoLite2
  14. Uptime monitoring with Uptime Robot
  15. Product tours with Hopscotch
  16. Background processing for WordPress
  17. Using oEmbed resources in Laravel

Leave a Reply

Required fields are marked *.