Lee Willis

Enforce user password strength

| 0 comments

I’ve worked with Drupal & WordPress for the majority of my projects for many years. For a lot of projects that are content-centric they can make a good starting point, and minimize the amount of custom work that needs to be done.

Starting with WordPress or Drupal gives you a user framework, permissions, content management, easy content display, and a wealth of prebuilt modules / plugins to get your project off to a quick start.

However, they do have their limitations, and they’re not for every project. More recently I’ve been working with Laravel as a development framework on a number of projects that made sense to build from the ground-up. Established Laravel agencies / developers probably already have a set of add-ons that they regularly use to build out common features, but for someone relatively new to the framework, a lot of my time has been spent finding the building blocks to fill in missing bits of the puzzle.

I’m going to cover a number of these in future articles (backups / WYSIWYG editing / content filtering) in future articles of the series, but today I’m going to talk about user registration.

Laravel has scaffolding built out for user management, including registration, and password management. However – the default setup doesn’t do anything to enforce password rules / guidelines on users. One of my recent projects includes users registering for a service, and I wanted to make sure that they weren’t using too simple passwords. WordPress does this out of the box, and Drupal has plenty of modules to choose from, but for Laravel I had to look for something to plug in.

The library I settled on was zxcvbn-php :

This is a PHP implementation of the Javascript zxcvbn project from Dropbox and @lowe, and works really nicely. It’s a general purpose library – so can be used with any PHP project. Just give it an entered password, and it will evaluate it for you, allowing you to choose what level of passwords you want to accept. Read the Dropbox link, or this Xkcd cartoon for background on the sort of things it checks for.

Wiring it up to Laravel was a small job (If there’s any interest I can write that up separately), essentially just extending Laravel’s validation framework, and setting the validation control on the RegisterController.

Image credit: https://xkcd.com/936/

Leave a Reply

Required fields are marked *.