Laravel validator using Dropbox's zxcvbn password strength estimator

Laravel Zxcvbn validator


This package provides a validator which uses Dropbox's zxcvbn password strength estimator; it uses the PHP implementation from bjeavons.


This package can be installed through Composer.

    composer require rebelinblue/laravel5-zxcvbn

In Laravel 5.5 the package will auto-register the service provider. In Laravel 5.4 you must register the service provider manually in config/app.php by adding REBELinBLUE\Zxcvbn\ZxcvbnServiceProvider::class to the providers array.

There is also an optional facade for Zxcvbn; in Laravel 5.5 it will be auto-registered. In Laravel 5.4 you must register the facade manually by adding the following to the aliases array in config/app.php:

    'Zxcvbn' => REBELinBLUE\Zxcvbn\ZxcvbnFacade::class,

Optionally, you can publish the translations for this package with the following command; this is only required if you wish to change them:

    php artisan vendor:publish --provider="REBELinBLUE\Zxcvbn\ZxcvbnServiceProvider"


If you have added the alias, you can access Zxcvbn from anywhere in your code using the facade:

    use Zxcvbn;

    class MyCustomClass
    {
        public function someMethod()
        {
            // Estimate the strength of a candidate password via the facade
            $strength = Zxcvbn::passwordStrength('Pa$$w0rd');
        }
    }

However, you probably want to use it as a validator. The package adds a single rule, "zxcvbn":

    $input = [ /* user input */ ];
    $validator = Validator::make($input, [
        'password' => 'required|min:6|zxcvbn',
    ]);

There are 2 optional parameters: the required score, from 0 to 4, and a comma-separated list of other fields to compare against. For example, to ensure a strong password which doesn't contain the username or email, you would use:

    'password' => 'required|min:6|zxcvbn:4,username,email',

The scores are rated as follows:

  • 0 - Too guessable: risky password. (guesses < 10^3)
  • 1 - Very guessable: protection from throttled online attacks. (guesses < 10^6)
  • 2 - Somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)
  • 3 - Safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
  • 4 - Very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)
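
As an added example (not part of the package's own documentation), here is a registration form request that applies the rule with a minimum score of 3 and compares the password against the username and email fields. The class name, field names, the MIN_SCORE constant and the message text are assumptions; FormRequest, the confirmed rule and the attribute.rule message key are standard Laravel.

```php
<?php

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

// Added example: hypothetical registration request, not code from the package.
class RegisterRequest extends FormRequest
{
    // Minimum zxcvbn score. 3 = "safely unguessable" in the table above
    // (moderate protection in the offline slow-hash scenario).
    const MIN_SCORE = 3;

    public function authorize()
    {
        // Registration is open to unauthenticated visitors.
        return true;
    }

    public function rules()
    {
        return [
            'username' => 'required|string|max:255',
            'email'    => 'required|email|max:255',
            // Score threshold first, then the other request fields the
            // password is compared against.
            'password' => 'required|min:6|confirmed|zxcvbn:' . self::MIN_SCORE . ',username,email',
        ];
    }

    public function messages()
    {
        // Per-request override of the validation message for the zxcvbn rule.
        return [
            'password.zxcvbn' => 'Choose a password that is harder to guess and does not contain your username or email.',
        ];
    }
}
```

Keeping the threshold in one constant lets the same score be reused by any other request that sets a password, such as a password-change form.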