Password Validator 2.2.0 Released

Version 2.2.0 of my PHP Password Validator has been released.

There is a fix to the README.md file: the supported PHP versions and Packagist version badges are now just images rather than links to anywhere.

The big change for this release, however, is the introduction of a banned password list. This is pulled from a few sources of commonly used passwords which have been leaked, and are deemed to be "known". As a result, they will always return an entropy of 0.

When checking an input password, the validator always checks a lowercase version of the password against the word list. It is assumed that all upper and lowercase variants of the password are known, e.g. q1w2e3r4t5y6 is treated the same as q1w2E3r4T5y6, and both return an entropy of 0.

It is possible to use your own banned password list as part of getEntropy. A new parameter has been added which takes an array of banned passwords you want to return an entropy of 0 for. The passwords in this optional list need to be all lowercase for a match to be found.
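The sketch below is an added example, not the library's code: it models the matching rule described above to show why a mixed-case custom list silently fails to match and how lowercasing the list before passing it in avoids that. `entropyWithBannedList` and `normaliseBannedList` are hypothetical helpers, the word lists are constructed samples, and the pool-size entropy estimate is a stand-in for whatever the library calculates.

```php
<?php
declare(strict_types=1);

// Constructed sample standing in for the bundled word list (not the library's data).
const BUNDLED_BANNED = ['q1w2e3r4t5y6', 'password', 'letmein'];

/**
 * Hypothetical stand-in for the validator's check; the name and the
 * entropy estimate are assumptions, not the library's implementation.
 */
function entropyWithBannedList(string $password, array $customBanned = []): float
{
    // Only the input is lowercased; list entries are compared exactly as supplied.
    $needle = strtolower($password);
    if (in_array($needle, BUNDLED_BANNED, true) || in_array($needle, $customBanned, true)) {
        return 0.0; // known password, whatever casing the user typed
    }

    // Stand-in estimate: length * log2(size of the character pool in use).
    $pool = 0;
    $pool += preg_match('/[a-z]/', $password) ? 26 : 0;
    $pool += preg_match('/[A-Z]/', $password) ? 26 : 0;
    $pool += preg_match('/[0-9]/', $password) ? 10 : 0;
    $pool += preg_match('/[^a-zA-Z0-9]/', $password) ? 32 : 0;

    return $pool > 0 ? strlen($password) * log($pool, 2) : 0.0;
}

/** Lowercase and de-duplicate a caller-supplied list so its entries can match. */
function normaliseBannedList(array $list): array
{
    $lower = array_map(static fn (string $p): string => strtolower($p), $list);
    return array_values(array_unique($lower));
}

// Constructed organisation-specific list, mixed case as such lists are often exported.
$orgList = ['AcmeCorp2024', 'Winter2024!'];

// Case variant of a bundled entry.
var_dump(entropyWithBannedList('q1w2E3r4T5y6'));
// Mixed-case list passed as-is: the lowercased input never equals 'AcmeCorp2024'.
var_dump(entropyWithBannedList('acmecorp2024', $orgList));
// Same list lowercased first: every case variant of the entry now matches.
var_dump(entropyWithBannedList('ACMEcorp2024', normaliseBannedList($orgList)));
```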

It's available to install from Packagist using composer require garybell/password-validator, or you can get the source from the GitLab repository.