Closed as not planned
Symfony version(s) affected
7.0.*
Description
I am encountering an issue with the PasswordStrength constraint in Symfony. While using the PasswordStrength::STRENGTH_WEAK
level for password validation, even strong passwords are being flagged as "very weak" and preventing form submission.
Test case
- Password: `#Q_81($r7` (this is just an example of the password used)
- Password constraint configuration:

```php
new PasswordStrength([
    'minScore' => PasswordStrength::STRENGTH_WEAK,
])
```
How to reproduce
Create a registration form with email and password, ensuring that the password constraint is set with minScore as PasswordStrength::STRENGTH_WEAK, then submit the form with a stronger password.
The password to submit should contain uppercase, lowercase, special characters and numbers, but should not be more than 9 characters in length.
Possible Solution
The problem boils down to the PasswordStrengthValidator::estimateStrength() method, in this code section:

```php
// $pool is the sum of the sizes of the character classes present in the password.
$pool = $lower + $upper + $digit + $symbol + $control + $other;
// Each distinct character contributes log2($pool) bits; each repeated character only log2($chars) bits.
$entropy = $chars * log($pool, 2) + ($length - $chars) * log($chars, 2);

return match (true) {
    $entropy >= 120 => PasswordStrength::STRENGTH_VERY_STRONG,
    $entropy >= 100 => PasswordStrength::STRENGTH_STRONG,
    $entropy >= 80 => PasswordStrength::STRENGTH_MEDIUM,
    $entropy >= 60 => PasswordStrength::STRENGTH_WEAK,
    default => PasswordStrength::STRENGTH_VERY_WEAK,
};
```

- Improve the logic for the $entropy.
- Round off the $entropy value to an integer (most times it evaluates to decimals lower than 50, e.g. 59.128700474979).
Additional Context
No response
czachor
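To see why the example password lands just under the STRENGTH_WEAK line, here is an added Python re-implementation of the estimator quoted in the issue (this is not Symfony's own code). It assumes the per-class pool sizes and the numeric level values of the upstream validator, which the issue does not quote, and it counts code points where PHP's count_chars() counts bytes.

```python
import math

# Levels named by the PasswordStrength constraint; the numeric values are assumed.
STRENGTH_VERY_WEAK, STRENGTH_WEAK, STRENGTH_MEDIUM, STRENGTH_STRONG, STRENGTH_VERY_STRONG = range(5)

# (threshold, level) pairs from the match() quoted in the issue.
THRESHOLDS = ((120, STRENGTH_VERY_STRONG), (100, STRENGTH_STRONG),
              (80, STRENGTH_MEDIUM), (60, STRENGTH_WEAK))


def char_pool(password: str) -> int:
    """Sum the sizes of the character classes present in the password.
    The class sizes (26/26/10/33/33/128) are an assumption based on the
    upstream validator; the issue only quotes the final sum."""
    lower = upper = digit = symbol = control = other = 0
    for code in {ord(ch) for ch in password}:
        if code < 32 or code == 127:
            control = 33
        elif 48 <= code <= 57:
            digit = 10
        elif 65 <= code <= 90:
            upper = 26
        elif 97 <= code <= 122:
            lower = 26
        elif code >= 128:
            other = 128
        else:
            symbol = 33
    return lower + upper + digit + symbol + control + other


def entropy(password: str) -> float:
    """The formula from the issue: each distinct character contributes
    log2(pool) bits, each repeated character only log2(distinct) bits."""
    length, chars = len(password), len(set(password))
    if length == 0:
        return 0.0
    return chars * math.log2(char_pool(password)) + (length - chars) * math.log2(chars)


def estimate_strength(password: str) -> int:
    """Map the entropy onto the constraint's levels, as the quoted match() does."""
    e = entropy(password)
    return next((level for threshold, level in THRESHOLDS if e >= threshold), STRENGTH_VERY_WEAK)


if __name__ == "__main__":
    # "#Q_81($r7" is the issue's example: 9 distinct chars from a 95-char pool give
    # 9 * log2(95) = 59.13 bits, one character short of the 60-bit STRENGTH_WEAK line.
    for pw in ("#Q_81($r7", "#Q_81($r7x", "aaaaaaaa"):
        print(f"{pw!r}: entropy={entropy(pw):.2f} level={estimate_strength(pw)}")
```

Adding one more distinct character from the same pool ("#Q_81($r7x", a constructed variant) pushes the estimate to about 65.7 bits and the verdict to STRENGTH_WEAK, which is why the 9-character limit in the reproduction steps matters.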