Password Strength Validation

There are a few opinions on how or how not to validate passwords, and it’s a complicated subject. Most website owners are going to want to ensure that people aren’t using weak passwords, and many website users are going to think it’s a great annoyance to be forced to come up with a password that meets a website’s expectations.

So for instance, if you require at least one uppercase letter, one number, and at least 8 characters, you might end up with users creating passwords like “Password1” or “Password123”. Such passwords make us laugh, as we know they can be guessed quickly, and that doesn’t even take into account hackers that can brute force such a password in 0 seconds.

What Community Auth Provides

So, with what has already been said it would seem that I might be able to have an ultra-awesome solution for Community Auth, but I don’t really. Community Auth comes with a configurable password strength validation, but it’s only for the example usage.

If your production website ends up using the password strength validation that comes with Community Auth, you do get to configure:

Minimum Characters For Password

$config['min_chars_for_password'] = 8;

This setting enforces the minimum number of characters for a password.

Maximum Characters For Password

$config['max_chars_for_password'] = 0;

This setting enforces the maximum number of characters for a password, and the default setting is 0 for unlimited length. Please note, passwords longer than 72 characters are shortened to 72 characters. This is a limitation of CRYPT_BLOWFISH.

Digits Required For Password

$config['min_digits_for_password'] = 1;

The minimum amount of numeric characters for a valid password. Set to 0 to require none.

Lowercase Letters Required For Password

$config['min_lowercase_chars_for_password'] = 1;

The minimum amount of lowercase alpha characters for a valid password. Set to 0 to require none.

Uppercase Letters Required For Password

$config['min_uppercase_chars_for_password'] = 1;

The minimum amount of uppercase alpha characters for a valid password. Set to 0 to require none.

Non-Alphanumeric Characters Required For Password

$config['min_non_alphanumeric_chars_for_password'] = 0;

The minimum amount of non-alphanumeric characters for a valid password. Set to 0 to require none.

That’s it really, and not likely enough to keep your website users from making weak passwords. Keep in mind, even with non-alphanumerics, you can have people making passwords like “Password123!”. So, you probably should use something better for password strength evaluation/validation on your production websites.

A Better Solution

We’ve all seen how websites can evaluate a password’s strength on the fly, and this is pretty common because WordPress now has this kind of password strength evaluation built in. WordPress is very popular, so everyone has seen this.

It turns out that WordPress is using a password strength evaluation created by Dropbox, and it’s called zxcvbn. It would seem that zxcvbn is the best solution for evaluation of password strength, and you can use it with your CodeIgniter projects.

The beauty of zxcvbn is that it can recognize common passwords, words from the dictionary, common names and surnames, and a lot more. Definitely a lot more than you want to spend time figuring out. The good news is that it is fairly easy to implement.

PHP version: bjeavons/zxcvbn-php
JS for front end: zxcvbn.js

So Why No zxcvbn Distributed With Community Auth?

Well, that’s a good question, but the short answer is that it’s really not the responsibility of Community Auth. Community Auth’s focus is only authentication of users.


I recommend using zxcvbn or whatever meets your needs for password strength evaluation and validation. It’s not Community Auth’s job to do this job, and zxcvbn really does the job well.