Laravel - Validation - Validating Passwords

To ensure that passwords have an adequate level of complexity, you may use Laravel's Password rule object:

    
    use Illuminate\Support\Facades\Validator;
    use Illuminate\Validation\Rules\Password;
    
    $validator = Validator::make($request->all(), [
        'password' => ['required', 'confirmed', Password::min(8)],
    ]);
	

The Password rule object allows you to easily customize the password complexity requirements for your application, such as specifying that passwords require at least one letter, number, symbol, or characters with mixed casing:

    
    // Require at least 8 characters...
    Password::min(8)
    
    // Require at least one letter...
    Password::min(8)->letters()
    
    // Require at least one uppercase and one lowercase letter...
    Password::min(8)->mixedCase()
    
    // Require at least one number...
    Password::min(8)->numbers()
    
    // Require at least one symbol...
    Password::min(8)->symbols()
	

In addition, you may ensure that a password has not been compromised in a public password data breach using the uncompromised method:

    
    Password::min(8)->uncompromised()
	

Internally, the Password rule object uses the k-Anonymity model to determine if a password has been leaked via the haveibeenpwned.com service without sacrificing the user's privacy or security.
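
The following added example (not Laravel's own code) sketches how a k-Anonymity range lookup keeps the password private: only the first 5 hex characters of its SHA-1 hash are sent, and the returned suffixes are compared locally. The function names `splitHash` and `breachCount`, the sample response body and its counts are constructed for illustration, and the "SUFFIX:COUNT" line format is that of the Pwned Passwords range API.

```php
<?php
// Added illustration of a k-anonymity range lookup; not Laravel's internal code.
// Function names and the sample response are constructed for this example.

/** Split the SHA-1 hex digest: only the 5-char prefix leaves the application. */
function splitHash(string $password): array
{
    $hash = strtoupper(sha1($password));
    return ['prefix' => substr($hash, 0, 5), 'suffix' => substr($hash, 5)];
}

/** Scan a range response ("SUFFIX:COUNT" per line) for our suffix; 0 if absent. */
function breachCount(string $rangeBody, string $suffix): int
{
    foreach (preg_split('/\R/', trim($rangeBody)) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) !== 2 || strlen($parts[0]) !== 35) {
            continue; // skip malformed lines rather than trusting them
        }
        if (hash_equals($suffix, strtoupper($parts[0]))) {
            return (int) $parts[1];
        }
    }
    return 0;
}

$candidate = 'password';
$h = splitHash($candidate);

// In production the prefix would be requested from
// https://api.pwnedpasswords.com/range/<prefix>; here the body is constructed
// so the example runs offline. Counts are made up.
$constructedBody = implode("\r\n", [
    str_repeat('0', 35) . ':2',
    $h['suffix'] . ':42',
    str_repeat('F', 35) . ':7',
]);

printf("sent to service: %s (5 of 40 hex chars)\n", $h['prefix']);
printf("kept local:      %s\n", $h['suffix']);
printf("breach count:    %d\n", breachCount($constructedBody, $h['suffix']));
printf("unlisted suffix: %d\n", breachCount($constructedBody, str_repeat('A', 35)));
```

Because the service returns every suffix that shares the prefix, it cannot tell which hash, let alone which password, the application was checking.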

By default, if a password appears at least once in a data leak, it will be considered compromised. You can customize this threshold using the first argument of the uncompromised method:

    
    // Ensure the password appears fewer than 3 times in the same data leak...
    Password::min(8)->uncompromised(3);
	

Of course, you may chain all the methods in the examples above:

    
    Password::min(8)
        ->letters()
        ->mixedCase()
        ->numbers()
        ->symbols()
        ->uncompromised()