Security News
Crates.io Implements Trusted Publishing Support
Crates.io adds Trusted Publishing support, enabling secure GitHub Actions-based crate releases without long-lived API tokens.
By Sarah Gooding - Jul 16, 2025
You're Invited:Meet the Socket Team at BlackHat and DEF CON in Las Vegas, Aug 4-6.RSVP →
password-validator
Advanced tools
password-validator
Validates password according to flexible and intuitive specifications
Install
npm install password-validator
Usage
var passwordValidator = require('password-validator');
// Create a schema
var schema = new passwordValidator();
// Add properties to it
schema
.is().min(8) // Minimum length 8
.is().max(100) // Maximum length 100
.has().uppercase() // Must have uppercase letters
.has().lowercase() // Must have lowercase letters
.has().digits(2) // Must have at least 2 digits
.has().not().spaces() // Should not have spaces
.is().not().oneOf(['Passw0rd', 'Password123']); // Blacklist these values
// Validate against a password string
console.log(schema.validate('validPASS123'));
// => true
console.log(schema.validate('invalidPASS'));
// => false
// Get a full list of rules which failed
console.log(schema.validate('joke', { list: true }));
// => [ 'min', 'uppercase', 'digits' ]
Advanced usage
Details about failed validations
Sometimes just knowing that the password validation failed or what failed is not enough and it is important too get more context. In those cases, details option can be used to get more details about what failed.
console.log(schema.validate('joke', { details: true }));
The above code will output:
[
{
validation: 'min',
arguments: 8,
message: 'The string should have a minimum length of 8 characters'
},
{
validation: 'uppercase',
message: 'The string should have a minimum of 1 uppercase letter'
},
{
validation: 'digits',
arguments: 2,
message: 'The string should have a minimum of 2 digits'
}
]
Custom validation messages
The validation messages can be overriden by providing a description of the validation. For example:
schema.not().uppercase(8, 'maximum 8 chars in CAPS please')
The above validation, on failure, should return the following object:
{
validation: 'min',
arguments: 8,
inverted: true,
message: 'maximum 8 chars in CAPS please'
},
Plugins
Plugin functions can be added to the password validator schema for custom password validation going beyond the rules provided here. For example:
var validator = require('validator');
var passwordValidator = require('password-validator');
var schema = new passwordValidator()
.min(3, 'Password too small')
.usingPlugin(validator.isEmail, 'Password should be an email');
schema.validate('not-an-email', { details: true })
// [{ validation: 'usingPlugin', arguments: [Function: isEmail], message: 'Password should be an email' }]
Rules
Rules supported as of now are:
| Rules | Descriptions |
|---|---|
| digits([count], [description]) | specifies password must include digits (optionally provide count paramenter to specify at least n digits) |
| letters([count], [description]) | specifies password must include letters (optionally provide count paramenter to specify at least n letters) |
| lowercase([count], [description]) | specifies password must include lowercase letters (optionally provide count paramenter to specify at least n lowercase letters) |
| uppercase([count], [description]) | specifies password must include uppercase letters (optionally provide count paramenter to specify at least n uppercase letters) |
| symbols([count], [description]) | specifies password must include symbols (optionally provide count paramenter to specify at least n symbols) |
| spaces([count], [description]) | specifies password must include spaces (optionally provide count paramenter to specify at least n spaces) |
| min(len, [description]) | specifies minimum length |
| max(len, [description]) | specifies maximum length |
| oneOf(list) | specifies the whitelisted values |
| not([regex], [description]) | inverts the result of validations applied next |
| is() | inverts the effect of not() |
| has([regex], [description]) | inverts the effect of not() and applies a regex (optional) |
| usingPlugin(fn, [description]) | Executes custom function and include its result in password validation |
Options
The following options can be passed to validate method:
list- If set, validate method returns a list of rules which failed instead of true/false.
Resources
For APIs of other older versions, head to Wiki.
License
FAQs
Validates password according to flexible and intuitive specifications
The npm package password-validator receives a total of 52,921 weekly downloads. As such, password-validator popularity was classified as popular.
We found that password-validator demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 15 May 2022
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
/Security News
Tracking Protestware Spread: 28 npm Packages Affected by Payload Targeting Russian-Language Users
Undocumented protestware found in 28 npm packages disrupts UI for Russian-language users visiting Russian and Belarusian domains.
By Olivia Brown - Jul 15, 2025
Research
/Security News
Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader
North Korean threat actors deploy 67 malicious npm packages using the newly discovered XORIndex malware loader.
By Kirill Boychenko - Jul 14, 2025