Security Tip: Default Password Rules
[Tip#11] Why duplicate password validation rules when you can define defaults?
Greetings everyone! We’ve made it to the end of 2021, which has been a massive year for probably everyone, and for me personally it has been both incredibly rewarding and overwhelmingly difficult. I hope you and your families have had a great Christmas (if you celebrate it), and the holiday/new year period gives you some time to relax and unwind a bit. Thank you all so much for your support of Laravel Security in Depth this year, and I am very excited to see where it goes in 2022! ❤️
For the last security tip of the year, I had planned to write about rehashing passwords in Laravel, but I ended up going down a massive rabbit hole. So I bumped rehashing passwords into the next In Depth, and decided to talk about pwned passwords instead, and then proceeded to go down another rabbit hole… So for attempt number three, following the password theme, we’re going to look at Default Password Rules! It’s a feature I am constantly forgetting about, and even though I’m sure I’ve read about it in the docs before, I’m always surprised and excited to find it and wonder if it’s new. 🤣
Default Password Rules
Password Rules are one of those things that gets defined on a project or company level and then reused across an app. You’ll probably find yourself copy-pasting the rules from one validator to another when building registration, password change, etc., and then if the rules ever change[1], you’ll have to bounce between all of the validators to update the rules. It doesn’t sound that hard, but it still takes effort, and if your app has multiple logins or registration forms, you’ll need to update all of them, and it only takes one forgotten validator for a weaker policy to survive. Luckily for us, Laravel makes this easy![2]
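Here is what that looks like in practice. This is an added example, not code from the post; it assumes a Laravel 8.x application (the `Password` rule and `Password::defaults()` shipped in 8.43), and the file paths, the `RegisterRequest` class name and the specific policy values (12 characters, mixed case, numbers, symbols) are my choices for illustration. The policy is registered once in a service provider, and every validator then references `Password::defaults()` instead of restating the rules.

```php
<?php
// File 1: app/Providers/AppServiceProvider.php (assumed location)

namespace App\Providers;

use Illuminate\Support\ServiceProvider;
use Illuminate\Validation\Rules\Password;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Register the project-wide password policy once. Laravel invokes this
        // closure every time Password::defaults() is called with no arguments,
        // so changing the policy here changes it for every validator at once.
        Password::defaults(function () {
            $rule = Password::min(12)   // assumed policy values for this example
                ->letters()
                ->mixedCase()
                ->numbers()
                ->symbols();

            // uncompromised() checks the password against the Have I Been Pwned
            // range API over the network, so keep it out of local and test runs
            // where an outbound call would slow or break the suite.
            return $this->app->isProduction()
                ? $rule->uncompromised()
                : $rule;
        });
    }
}

// File 2: app/Http/Requests/RegisterRequest.php (assumed name)

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rules\Password;

class RegisterRequest extends FormRequest
{
    public function rules(): array
    {
        return [
            'name'     => ['required', 'string', 'max:255'],
            'email'    => ['required', 'email'],
            // Reuse the shared policy. Do NOT write Password::min(8) here: that
            // builds a fresh rule object and silently bypasses the defaults.
            'password' => ['required', 'confirmed', Password::defaults()],
        ];
    }
}
```

The same `Password::defaults()` call goes into the password-change and password-reset validators, so a policy change is a one-line edit in the provider. Two checks worth doing once this is in place: grep the codebase for `Password::min(` outside the provider, since any direct call is a validator that has drifted from the shared policy, and confirm in a test that `Password::defaults()` rejects a password that fails the policy, so the closure is actually registered and not falling back to Laravel's built-in minimum.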