Tiger_Policy_Password
@api
Tiger_Policy_Password — the configurable password policy.
Wraps the credential + history models to validate a candidate password. Called
by a change-password / signup flow BEFORE Tiger_Model_UserCredential::setPassword
(which is the data operation + history archive). Config-driven from
tiger.password.* — and because it reads the RESOLVED Zend_Config, the policy is
per-app AND per-org (an org can tighten it via a config row).
NIST-informed defaults (SP 800-63B):
- min_length is the primary strength lever.
- history (reuse-prevention) is the common compliance requirement.
- require_complexity: OFF by default — composition rules ('Password1!') are discouraged. Enable for orgs that must comply.
- max_age_days: OFF by default — forced periodic rotation is discouraged. Enable for orgs that must comply.
Methods
config()
config()
Effective policy (defaults <- tiger.password.* in the resolved, per-org config).
Returns array{min_length:int,history:int,require_complexity:int,max_age_days:int} — the effective policy
validate()
validate($plain, $userId = null)
Validate a candidate password. Returns violation keys (empty array = OK) so a service can surface them as response messages.
$plainstring$userIdstring|null— when given, enables reuse-prevention against the
Returns string[]
isValid()
isValid($plain, $userId = null)
Convenience boolean.
$plainstring— the candidate password$userIdstring|null— when given, enables reuse-prevention
Returns bool — true if the password passes the policy
isExpired()
isExpired($userId)
Has the user's password exceeded max_age_days? (Always false when expiry is off.)
$userIdstring— the user whose password age to check
Returns bool — true if the password has expired