Symfony version(s) affected
7.0.*
Description
I am encountering an issue with the `PasswordStrength` constraint in Symfony. While using the `PasswordStrength::STRENGTH_WEAK` level for password validation, even strong passwords are being flagged as "very weak", preventing form submission.
Test case
- Password: `#Q_81($r7` (this is just an example of the password used)
- Password constraint configuration: `new PasswordStrength(['minScore' => PasswordStrength::STRENGTH_WEAK])`
How to reproduce
Create a registration form with email and password, ensuring that the password constraint is set to have `minScore` as `PasswordStrength::STRENGTH_WEAK`, then submit the form with a stronger password.
The password to submit should contain uppercase, lowercase, special chars and numbers but should not be more than 9 characters in length.
Possible Solution
The problem boils down to the `PasswordStrengthValidator::estimateStrength()` method, in this code section:
```php
$pool = $lower + $upper + $digit + $symbol + $control + $other;
$entropy = $chars * log($pool, 2) + ($length - $chars) * log($chars, 2);

return match (true) {
    $entropy >= 120 => PasswordStrength::STRENGTH_VERY_STRONG,
    $entropy >= 100 => PasswordStrength::STRENGTH_STRONG,
    $entropy >= 80 => PasswordStrength::STRENGTH_MEDIUM,
    $entropy >= 60 => PasswordStrength::STRENGTH_WEAK,
    default => PasswordStrength::STRENGTH_VERY_WEAK,
};
```
- Improve the logic for `$entropy`.
- Round off the `$entropy` value to an integer (most of the time it evaluates to a decimal lower than 50, e.g. 59.128700474979).
Additional Context
No response
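As an added worked example (not Symfony's code and not the reporter's), the script below re-implements the quoted entropy estimate stand-alone so the 60-bit `STRENGTH_WEAK` cut-off can be checked against sample passwords. The per-class pool sizes (26 lower, 26 upper, 10 digits, 33 symbols, 33 control, 128 other) are assumptions about the validator's inputs and are not stated in the issue.

```php
<?php
// Added example, not Symfony's own code: a stand-alone copy of the entropy
// estimate quoted in the issue. Per-class pool sizes (26 lower, 26 upper, 10
// digits, 33 symbols, 33 control, 128 other) are assumptions, not from the issue.
function estimateEntropy(string $password): float
{
    if ('' === $password) {
        return 0.0;
    }
    $length = strlen($password);
    // count_chars(..., 1) maps each byte that occurs to its count, so its
    // size is the number of distinct characters.
    $counts = count_chars($password, 1);
    $chars = count($counts);
    // A class seen once adds its whole alphabet to the pool, however often used.
    $pool = ['control' => 0, 'digit' => 0, 'upper' => 0, 'lower' => 0, 'other' => 0, 'symbol' => 0];
    foreach (array_keys($counts) as $byte) {
        match (true) {
            $byte < 32 || 127 === $byte => $pool['control'] = 33,
            $byte >= 48 && $byte <= 57 => $pool['digit'] = 10,
            $byte >= 65 && $byte <= 90 => $pool['upper'] = 26,
            $byte >= 97 && $byte <= 122 => $pool['lower'] = 26,
            $byte >= 128 => $pool['other'] = 128,
            default => $pool['symbol'] = 33,
        };
    }

    // Distinct characters each add log2(pool) bits; repeats add only
    // log2(distinct) bits each, so the second term is 0 with no repeats.
    return $chars * log(array_sum($pool), 2) + ($length - $chars) * log($chars, 2);
}

// Same thresholds as the quoted match; names mirror PasswordStrength::STRENGTH_*.
function scoreOf(float $entropy): string
{
    return match (true) {
        $entropy >= 120 => 'STRENGTH_VERY_STRONG',
        $entropy >= 100 => 'STRENGTH_STRONG',
        $entropy >= 80 => 'STRENGTH_MEDIUM',
        $entropy >= 60 => 'STRENGTH_WEAK',
        default => 'STRENGTH_VERY_WEAK',
    };
}

// Constructed samples: the reporter's 9-char password (9 distinct chars from a
// 95-char pool: 9 * log2(95) = 59.13 < 60), a 10-char variant, one with a repeat.
foreach (['#Q_81($r7', '#Q_81($r7x', '#Q_81($r77'] as $pw) {
    $e = estimateEntropy($pw);
    printf("%-11s length=%d entropy=%.3f %s\n", $pw, strlen($pw), $e, scoreOf($e));
}
```

With four classes and no repeats the pool is 95, so nine distinct characters give 59.13 bits and a tenth distinct character (65.70 bits) or a repeated one (62.30 bits) is what lifts the estimate over the 60-bit `STRENGTH_WEAK` line.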