New in Symfony 6.3: Password Strength Constraint


Contributed by Florent Morselli in #49789.

Passwords are an essential feature of many web applications. Symfony provides
many tools to hash, migrate and handle passwords according to the most
secure recommended practices. In 2019 we even introduced a constraint to
check that a given password is not compromised because of a security leak.
In Symfony 6.3 we're introducing a new constraint to validate the strength of
the given passwords. Technically, it works like many other similar public
libraries, checking whether the estimated entropy of the given password reaches
a certain threshold. By default, the password is required to have a medium
strength, but there are four levels to configure:

// src/Entity/User.php
namespace App\Entity;

use Symfony\Component\Validator\Constraints as Assert;

class User
{
    // ...

    // Default minimum score (PasswordStrength::STRENGTH_MEDIUM). The constraint
    // is applied to the plain-text password, before it is hashed.
    #[Assert\PasswordStrength]
    protected $rawPassword;

    // The constant lives on the constraint class, so it must be referenced
    // through the imported namespace alias (Assert\...) from App\Entity.
    #[Assert\PasswordStrength(minScore: Assert\PasswordStrength::STRENGTH_VERY_STRONG)]
    protected $rawAdminPassword;
}

That's all. Using this constraint in your applications is simple for you,
but can be helpful for your users and customers. Consider adding it whenever
you use passwords and read the PasswordStrength constraint docs to learn
more about it.
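The constraint can also be applied outside of entity mapping, for instance in a registration handler or a CLI check, by passing it directly to the validator. The following is an added example, not code from the blog post or from Symfony itself; it assumes symfony/validator 6.3 or later is installed with Composer and that vendor/autoload.php sits next to the script.

```php
<?php
// Added example (not from the Symfony blog post). Assumes symfony/validator
// >= 6.3 installed via Composer; the autoloader path is an assumption.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Validator\Constraints\PasswordStrength;
use Symfony\Component\Validator\Validation;

/**
 * Validates a plain-text password against PasswordStrength at the given
 * minimum score. Returns the violation messages; an empty array means the
 * password is accepted. Run this before hashing: the hash is not scored.
 *
 * @return string[]
 */
function checkPasswordStrength(string $password, int $minScore = PasswordStrength::STRENGTH_MEDIUM): array
{
    $validator = Validation::createValidator();
    $violations = $validator->validate($password, [new PasswordStrength(minScore: $minScore)]);

    $messages = [];
    foreach ($violations as $violation) {
        $messages[] = (string) $violation->getMessage();
    }

    return $messages;
}

// Constructed sample inputs for demonstration only; never reuse real credentials.
$samples = [
    'short single class'   => 'password',
    'mixed classes, short' => 'Tr0ub4dor&3',
    'long passphrase'      => 'correct horse battery staple 42!',
];

foreach ($samples as $label => $candidate) {
    foreach ([PasswordStrength::STRENGTH_MEDIUM, PasswordStrength::STRENGTH_VERY_STRONG] as $score) {
        $errors = checkPasswordStrength($candidate, $score);
        // Print only the label, never the candidate itself, so secrets do not end up in logs.
        printf("minScore=%d  %-22s  %s\n", $score, $label, $errors ? 'REJECTED: '.$errors[0] : 'accepted');
    }
}
```

The same candidate can pass at the default medium level and fail at STRENGTH_VERY_STRONG, which is the behaviour the entity example above relies on for admin accounts.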
