Tiger_Policy_Password

@api

Tiger_Policy_Password — the configurable password policy.

Wraps the credential + history models to validate a candidate password. Called by a change-password / signup flow BEFORE Tiger_Model_UserCredential::setPassword (which is the data operation + history archive). Config-driven from tiger.password.* — and because it reads the RESOLVED Zend_Config, the policy is per-app AND per-org (an org can tighten it via a config row).

NIST-informed defaults (SP 800-63B):

  • min_length is the primary strength lever.
  • history (reuse-prevention) is the common compliance requirement.
  • require_complexity: OFF by default — composition rules ('Password1!') are discouraged. Enable for orgs that must comply.
  • max_age_days: OFF by default — forced periodic rotation is discouraged. Enable for orgs that must comply.

Methods

config()

config()

Effective policy (defaults <- tiger.password.* in the resolved, per-org config).

Returns array{min_length:int,history:int,require_complexity:int,max_age_days:int} — the effective policy

validate()

validate($plain, $userId = null)

Validate a candidate password. Returns violation keys (empty array = OK) so a service can surface them as response messages.

  • $plain string
  • $userId string|null — when given, enables reuse-prevention against the

Returns string[]

isValid()

isValid($plain, $userId = null)

Convenience boolean.

  • $plain string — the candidate password
  • $userId string|null — when given, enables reuse-prevention

Returns bool — true if the password passes the policy

isExpired()

isExpired($userId)

Has the user's password exceeded max_age_days? (Always false when expiry is off.)

  • $userId string — the user whose password age to check

Returns bool — true if the password has expired