Skip to content

PasswordStrengthValidator logic always return Weak even for strong password #57074

@ucscode

Description

@ucscode

Symfony version(s) affected

7.0.*

Description

I am encountering an issue with the PasswordStrength constraint in Symfony. While using the PasswordStrength::STRENGTH_WEAK level for password validation, even strong passwords are being flagged as "very weak" and preventing form submission.

TestCase
  • Password: #Q_81($r7 (This is just an example of the password used)
  • Password Constraint Configuration
new PasswordStrength([
    'minScore' => PasswordStrength::STRENGTH_WEAK
])

How to reproduce

Create a registration form with email and password ensuring that password constraints is set to have minScore as PasswordStrength::STRENGTH_WEAK then submit the form with a stronger password.

The password to submit should contains uppercase, lowercase, specialchars and numbers but should not be more than 9 characters in length.

Possible Solution

The problem boils down to the PasswordStrengthValidator::estimateStrength() method on this code section:

$pool = $lower + $upper + $digit + $symbol + $control + $other;
$entropy = $chars * log($pool, 2) + ($length - $chars) * log($chars, 2);
        
return match (true) {
    $entropy >= 120 => PasswordStrength::STRENGTH_VERY_STRONG,
    $entropy >= 100 => PasswordStrength::STRENGTH_STRONG,
    $entropy >= 80 => PasswordStrength::STRENGTH_MEDIUM,
    $entropy >= 60 => PasswordStrength::STRENGTH_WEAK,
    default => PasswordStrength::STRENGTH_VERY_WEAK,
};
  1. Improve the logic for the $entropy
  2. round off the $entropy value into integer. (Most times it evaluates to decimals lower than 50 (E.G 59.128700474979))

Additional Context

No response

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions