A new Password rule object is now available in Laravel v8.39. This rule has a fluent API for common password requirements and for detecting compromised passwords.
The new Password rule replaces string-based validation rules, which were originally released in Laravel 5.5.
String-based password validation rule
// String-based
$request->validate([
    'password' => 'required|string|confirmed|min:12',
]);
Password rule object based validation
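use Illuminate\Validation\Rules\Password;

// Rule-object based: Password::min(12) replaces the 'min:12' string rule
$request->validate([
    'password' => ['required', 'confirmed', Password::min(12)],
]);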
This new rule allows us to easily customize the password complexity requirements.
In addition to replacing string-based rules, the custom password validation has built-in methods for ensuring strong passwords.
Best feature of the new rule object
Say goodbye to copy-pasting those complex regex patterns for string validations. You now won’t need to write custom regex logic for typical scenarios such as requiring mixed-case, letters, symbols, etc.
$request->validate([
    'password' => [
        'required',
        'confirmed',
        Password::min(12)
            ->mixedCase()
            ->numbers()
            ->symbols()
            ->letters()
            ->uncompromised(),
    ],
]);
The code snippet above also calls the uncompromised() method, which checks the password against a verification API to see if the password appears in data leaks.
The new default password support
The Password rule object also supports the ability to define default password rules. You can use these across your application as of the Laravel 8.43 upgrade.
Defining default password rules allows you to centralize the expected validation behavior for a password by defining them in a service provider (i.e., AppServiceProvider).
use Illuminate\Validation\Rules\Password;

$request->validate([
    'password' => ['required', Password::defaults()],
]);
Defaults can be stored, and we can retrieve them later on in a validator using the Password::defaults() method as shown above.
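The defining side of that pairing, as an added example that is not code from the original article: the defaults are registered in AppServiceProvider::boot(). The specific requirements chosen and the production-only breach check are illustrative assumptions.

```php
<?php

namespace App\Providers;

use Illuminate\Support\ServiceProvider;
use Illuminate\Validation\Rules\Password;

class AppServiceProvider extends ServiceProvider
{
    /**
     * Register the application's default password policy once, so every
     * validator that calls Password::defaults() enforces the same rules.
     */
    public function boot()
    {
        Password::defaults(function () {
            // Baseline applied in every environment (values are illustrative).
            $rule = Password::min(12)
                ->letters()
                ->mixedCase()
                ->numbers()
                ->symbols();

            // Assumption: only production calls the external breach-lookup
            // API, so local and CI runs do not depend on network access.
            return $this->app->isProduction()
                ? $rule->uncompromised()
                : $rule;
        });
    }
}
```

Registration, password reset and profile update validators that list Password::defaults() all pick up this policy, so tightening it later is a change in one place.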
The Password validation rule object enables convenient password conventions. These are designed to enforce strong passwords, including checking if the password was compromised in known data leaks.