zxcvbn-php

Correct usage in WordPress

Open KainiIndustries opened this issue 8 years ago • 5 comments

WordPress uses Dropbox's Zxcvbn JavaScript lib for its strength meter. I'm forcing password strength related to that meter and need a server-side version of the same lib, so here I am. To get the Zxcvbn strength of a password in a WordPress plugin I am doing the following. It seems like there should be a better way, but I'm unable to install the document in the way explained in the documentation.

<?php

require 'src/ScorerInterface.php';
require 'src/Scorer.php';
require 'src/Searcher.php';
require 'src/Matcher.php';
require 'src/Zxcvbn.php';
require 'src/Matchers/MatchInterface.php';
require 'src/Matchers/Match.php';
require 'src/Matchers/DigitMatch.php';
require 'src/Matchers/DictionaryMatch.php';
require 'src/Matchers/SequenceMatch.php';
require 'src/Matchers/Bruteforce.php';
require 'src/Matchers/YearMatch.php';
require 'src/Matchers/SpatialMatch.php';
require 'src/Matchers/RepeatMatch.php';
require 'src/Matchers/L33tMatch.php';
require 'src/Matchers/DateMatch.php';

$new = new \ZxcvbnPhp\Zxcvbn();
print_r($new->passwordStrength('T#\$£9'));

KainiIndustries, Dec 10 '16 09:12

@KainiIndustries be careful here -- the JS will let through all kinds of passwords the PHP version will reject; your users will be pretty frustrated when the strength meter is green and the backend rejects the password as too weak. As for the "infinite" require statements (welcome to WordPress development. ;) ): We get around this by using Composer and its autoload.php. Code from our plugin.php file:

<?php
/*
 * Plugin Name: Plugin
 * ...
 */
include_once 'vendor/autoload.php';

class My_Plugin {
    // ...
}

Moring, Jan 31 '17 20:01

@Moring I would expect all the different implementations of Zxcvbn to behave similarly. Do you know for sure that it is very different from the JS implementation?

dhuv, Mar 27 '17 21:03

Yes, learned the hard way. The JS version was rating passwords as 4, like "DrSmithDentist2016" for a dental client named Dr. Smith. The PHP version did not. We had both running on the same page, and the JS frontend would validate, and the PHP backend would not. Clients were not very happy at all...

Moring, Mar 28 '17 03:03

https://github.com/bjeavons/zxcvbn-php/issues/15 is the best issue to track getting to consistent scores between front-end and back-end implementations of a Zxcvbn-style of password strength estimation.

If this issue is about how to use zxcvbn-php within WordPress, will the OP confirm if so and if it's still a problem?

bjeavons, Jul 23 '18 22:07

#15 has now been merged, so the PHP library matches the JS library in terms of scoring.

Are you still having any issues getting this working in WordPress?

mkopinsky, Jan 28 '20 19:01
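
The server-side check discussed in this thread, as an added example that is not code from the issue or from the zxcvbn-php project: a plugin file that loads the library through Composer's autoloader and rejects weak passwords on profile updates and password resets, so the backend score is the one that decides. Assumptions: the library was installed with Composer (package name `bjeavons/zxcvbn-php`) in the plugin's own directory, and the `myplugin_` names, the minimum score of 3 and the error message are hypothetical.

```php
<?php
/*
 * Plugin Name: Zxcvbn Server-Side Check (added example)
 */
// Assumes `composer require bjeavons/zxcvbn-php` was run in this plugin's directory.
require_once __DIR__ . '/vendor/autoload.php';

use ZxcvbnPhp\Zxcvbn;

const MYPLUGIN_MIN_SCORE = 3; // assumed policy threshold (zxcvbn scores run 0-4)

/**
 * Score a password on the server; this result, not the JS meter, decides acceptance.
 * $user_inputs holds strings tied to the account, so passwords built from them score lower.
 */
function myplugin_password_score( string $password, array $user_inputs ): int {
    $inputs = array_values( array_filter( $user_inputs ) ); // drop empty entries
    $result = ( new Zxcvbn() )->passwordStrength( $password, $inputs );
    return (int) $result['score'];
}

// Add an error to the form when the server-side score is below the threshold.
function myplugin_check( WP_Error $errors, string $password, $user ): void {
    $inputs = array(
        $user->user_login ?? '',
        $user->user_email ?? '',
        $user->display_name ?? '',
        get_bloginfo( 'name' ),
    );
    if ( myplugin_password_score( $password, $inputs ) < MYPLUGIN_MIN_SCORE ) {
        $errors->add( 'weak_password', 'Please choose a stronger password.' );
    }
}

// Profile screen and admin "add user": user_pass is set only when a password was submitted.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        myplugin_check( $errors, $user->user_pass, $user );
    }
}, 10, 3 );

// Password reset form: the new password arrives as $_POST['pass1'].
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( $user instanceof WP_User && ! empty( $_POST['pass1'] ) ) {
        myplugin_check( $errors, wp_unslash( $_POST['pass1'] ), $user );
    }
}, 10, 2 );
```

Passing the account's own strings as user inputs is what lets the server penalise passwords built from the user or site name, the kind of case described earlier in the thread.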