The Laravel Zxcvbn package is a validation rule that estimates password strength using a PHP port of Dropbox's zxcvbn JavaScript package. It can also take user-supplied inputs (such as the account's email and name) into account, so a password built from those values is scored as more guessable:
```php
// In your validation rules
use Illuminate\Validation\Rules\Password;
use Ziming\LaravelZxcvbn\Rules\ZxcvbnRule;

$request->validate([
    'name' => ['required'],
    'email' => ['required', 'email'],
    'password' => [
        'required',
        'confirmed',
        'min:8',
        new ZxcvbnRule([
            request('email'),
            request('name'),
        ]),
    ],
]);

// Examples using zxcvbn-php directly
$zxcvbn = new \ZxcvbnPhp\Zxcvbn();
$userData = [request('email'), request('name')]; // account-specific strings treated as guessable words
$weak = $zxcvbn->passwordStrength('password', $userData); // score 0 - extremely guessable
$strong = $zxcvbn->passwordStrength('correct horse battery staple'); // score 4 - very unguessable
```
You can define a ZXCVBN_MIN_SCORE configuration value to determine when validation should fail, based on this scale provided by the underlying zxcvbn-php package. The default is 3 but depending on your needs, you can configure it to match any of the following:
- 0 means the password is extremely guessable (within 10^3 guesses); dictionary words like 'password' or 'mother' score a 0
- 1 is still very guessable (guesses < 10^6); an extra character on a dictionary word can score a 1
- 2 is somewhat guessable (guesses < 10^8); provides some protection from unthrottled online attacks
- 3 is safely unguessable (guesses < 10^10); offers moderate protection from an offline slow-hash scenario
- 4 is very unguessable (guesses >= 10^10); provides strong protection from an offline slow-hash scenario
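To see how the user-input list and the minimum score interact, here is an added standalone example (not code from the laravel-zxcvbn package) that calls zxcvbn-php directly, feeds in constructed account data, and applies a ZXCVBN_MIN_SCORE-style threshold. It assumes `composer require bjeavons/zxcvbn-php` has been run, and that the result array exposes `score`, `guesses` and `feedback['warning']` as the package documents; the `evaluatePassword` helper and the sample inputs are this example's own.

```php
<?php
// Added example: score candidate passwords with zxcvbn-php, treating the
// account's email and name as user inputs, and apply a minimum-score policy.
// Assumes: composer require bjeavons/zxcvbn-php
require __DIR__ . '/vendor/autoload.php';

use ZxcvbnPhp\Zxcvbn;

/**
 * Score $password on the zxcvbn 0-4 scale. Strings in $userInputs (email,
 * name, ...) are treated as dictionary words, so passwords derived from them
 * are penalised. Returns the score, the estimated guess count and whether the
 * password clears $minScore (the same threshold ZXCVBN_MIN_SCORE controls).
 */
function evaluatePassword(string $password, array $userInputs, int $minScore = 3): array
{
    $result = (new Zxcvbn())->passwordStrength($password, $userInputs);

    return [
        'score'   => $result['score'],
        'guesses' => $result['guesses'],
        'passes'  => $result['score'] >= $minScore,
        // Assumption: feedback carries a 'warning' string for weak passwords;
        // fall back to '' if it is absent.
        'warning' => $result['feedback']['warning'] ?? '',
    ];
}

// Constructed sample account data, mirroring what ZxcvbnRule receives from the request.
$userInputs = ['jane.doe@example.com', 'Jane Doe'];

// Read the threshold the same way a Laravel config would; default to 3 like the package.
$minScore = (int) (getenv('ZXCVBN_MIN_SCORE') ?: 3);

// Constructed candidates: a dictionary word, a password built from the user's
// own name, and a long passphrase.
$candidates = [
    'password',
    'JaneDoe2024!',
    'correct horse battery staple',
];

foreach ($candidates as $candidate) {
    $r = evaluatePassword($candidate, $userInputs, $minScore);
    printf(
        "%-30s score=%d guesses=%.0f %s %s\n",
        $candidate,
        $r['score'],
        $r['guesses'],
        $r['passes'] ? 'PASS' : 'FAIL',
        $r['warning']
    );
}
```

Run it twice, once with `$userInputs` populated and once with an empty array, to see the name-derived candidate drop in score when the account data is supplied; that difference is the reason the rule takes `request('email')` and `request('name')` rather than scoring the password in isolation.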
💻 You can get started with this package on GitHub: ziming/laravel-zxcvbn.
It's important to remember that Laravel has excellent password rules out of the box, including the ability to ensure a password was not present in a previous data leak. See the validation documentation for more details:
```php
use Illuminate\Validation\Rules\Password;

Password::min(8)
    ->letters()
    ->mixedCase()
    ->numbers()
    ->symbols()
    ->uncompromised();
```