Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


A tool for checking and creating password policies in PHP and JS.


Use composer to setup an autoloader

php composer.phar install

Require the composer autoload file:

require_once 'vendor/autoload.php';


To use, first instantiate the core policy object:

$policy = new \PasswordPolicy\Policy;

Then, add rules:

$policy->contains('lowercase', $policy->atLeast(2));

Supported rule helper methods are:

  • contains($class, $constraint = null, $description = ''): Checks to see if a password contains a class of chars

    Supported Short-Cut classes:

    • letter - a-zA-Z
    • lowercase - a-z
    • uppercase - A-Z
    • digit - 0-9
    • symbol - ^a-zA-Z0-9 (in other words, non-alpha-numeric)
    • null - \0
    • alnum - a-zA-Z0-9

    The second param is a constraint (optional)

  • length($constraint): Checks the length of the password matches a constraint

  • endsWith($class, $description = ''): Checks to see if the password ends with a character class.

  • startsWith($class, $description = ''): Checks to see if the password starts with a character class.

  • notMatch($regex, $description): Checks if the password does not match a regex.

  • match($regex, $description): Checks if the password matches the regex.

Supported Constraints:

The policy also has short-cut helpers for creating constraints:

  • atLeast($n): At least the param matches

    Equivalent to between($n, PHP_INT_MAX)

  • atMost($n): At most the param matches

    Equivalent to between(0, $n)

  • between($min, $max): Between $min and $max number of matches

  • never(): No matches

    Equivalent to between(0, 0)

Testing the policy

Once you setup the policy, you can then test it in PHP using the test($password) method.

$result = $policy->test($password);

The result return is a stdclass object with two members, result and messages.

  • $result->result - A boolean if the password is valid.

  • $result->messages - An array of messages

Each message is an object of two members:

  • $message->result - A boolean indicating if the rule passed

  • $message->message - A textual description of the rule

Using JavaScript

Once you've built the policy, you can call toJavaScript() to generate a JS anonymous function for injecting into JS code.

$js = $policy->toJavaScript();
echo "var policy = $js;";

Then, the policy object in JS is basically a wrapper for $policy->test($password), and behaves the same (same return values).

var result = policy(password);
if (!result.result) {
    /* Process Messages To Display Failure To User */

One note for the JavaScript, any regular expressions that you write need to be deliminated by / and be valid JS regexes (no PREG specific functionality is allowed).


A password policy enforcer for PHP and JavaScript






No packages published