derhansen/add_pwd_policy

Additional Password Policy validators - Additional password validators for usage in TYPO3 password policies

Maintainers

derhansen

Package info

github.com/derhansen/add_pwd_policy

Documentation

Type: typo3-cms-extension

pkg:composer/derhansen/add_pwd_policy

Statistics

Installs: 4 069

Dependents: 0

Suggesters: 0

Stars: 1

Open Issues: 0

2.0.1 2026-04-25 16:14 UTC

Requires (Dev)

None

Suggests

None

Provides

None

Conflicts

None

Replaces

None

GPL-2.0-or-later 1219998760b153524b4a923d3ef57ed2d68b94d9

security, TYPO3 CMS, password policy, password validators

This package is auto-updated.

Last update: 2026-06-25 16:41:47 UTC


README

Project Status: Active – The project has reached a stable, usable state and is being actively developed.

Additional Password Policy validators for TYPO3 CMS

This extension for TYPO3 CMS contains additional Password Policy validators for use in TYPO3 12+ projects. It also adds an event listener for the EnrichPasswordValidationContextDataEvent PSR-14 event, so that the context data used for password validation is extended with the user's email address.

Included validators

Pwned Password

Description:

This validator ensures that the given password is not part of a known data breach on haveibeenpwned.com.

Options:

  • none

Usage example

$GLOBALS['TYPO3_CONF_VARS']['SYS']['passwordPolicies']['default']['validators'][\Derhansen\AddPwdPolicy\PasswordPolicy\Validator\PwnedPasswordValidator::class] = [
    'options' => [],
    'excludeActions' => [],
];
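
How a breach lookup of this kind can work without sending the password itself, shown with the public Pwned Passwords range API. This is an added example, not code from the extension, and the page does not state which lookup method the validator uses; the helper names splitHash and breachCount and the sample response are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added illustration (not the extension's code): k-anonymity lookup.
 * Only the first 5 hex characters of the SHA-1 hash are sent to the API;
 * the remaining 35 characters are matched locally against the response.
 */
function splitHash(string $password): array
{
    $hash = strtoupper(sha1($password));
    return [substr($hash, 0, 5), substr($hash, 5)];
}

/** Returns the breach count listed for $suffix in a range response body, or 0. */
function breachCount(string $rangeBody, string $suffix): int
{
    foreach (preg_split('/\r\n|\n/', trim($rangeBody)) as $line) {
        // Each line has the form SUFFIX:COUNT
        [$candidate, $count] = array_pad(explode(':', trim($line), 2), 2, '0');
        if (hash_equals(strtoupper($candidate), $suffix)) {
            return (int)$count; // padded entries carry a count of 0
        }
    }
    return 0;
}

// Constructed sample response for prefix 5BAA6 (suffixes 1 and 3 and all
// counts are made up; suffix 2 is the SHA-1 remainder of "password").
$sampleBody = "0123456789ABCDEF0123456789ABCDEF012:7\r\n"
    . "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42\r\n"
    . "FEDCBA9876543210FEDCBA9876543210FED:0\r\n";

[$prefix, $suffix] = splitHash('password');

// A live check would request https://api.pwnedpasswords.com/range/<prefix>
// and pass the response body to breachCount() instead of $sampleBody.
$count = breachCount($sampleBody, $suffix);

printf(
    "prefix sent: %s, breached: %s (count %d)\n",
    $prefix,
    $count > 0 ? 'yes' : 'no',
    $count
);
```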

Does not contain username

Description:

This validator ensures that the given password does not contain the user's username.

Options:

  • none

Usage example

$GLOBALS['TYPO3_CONF_VARS']['SYS']['passwordPolicies']['default']['validators'][\Derhansen\AddPwdPolicy\PasswordPolicy\Validator\NotUsernameValidator::class] = [
    'options' => [],
    'excludeActions' => [],
];

Password deny list

This validator ensures that the given password is not part of a configurable list of denied passwords.

The password file must contain one password per line.

Options:

  • passwordDenylistFilepath: Relative path to the password file. EXT: notation is allowed.

Usage example

$GLOBALS['TYPO3_CONF_VARS']['SYS']['passwordPolicies']['default']['validators'][\Derhansen\AddPwdPolicy\PasswordPolicy\Validator\PasswordDenylistValidator::class] = [
    'options' => [
        'passwordDenylistFilepath' => 'EXT:add_pwd_policy/Resources/Private/Text/password_denylist.txt',
    ],
    'excludeActions' => [],
];

PRs welcome

If you have created a custom password validator, feel free to submit it as a pull request to this repository.

Reporting a Vulnerability

Please report vulnerabilities to security@typo3.org.

Credits

Password file

The included file with the top 100.000 popular passwords has been downloaded from https://github.com/danielmiessler/SecLists