
org\_heigl/password
===================

An Object for passwords - Stop leaking passwords to logs or stacktraces!

Version 1.0.0 · MIT · PHP ^7.2

[Source](https://github.com/heiglandreas/password) · [Packagist](https://packagist.org/packages/org_heigl/password)


Scope
-----

This package contains an Object that can be used and passed around just like a plaintext password. The only difference is that the plaintext password will not be accidentally leaked into log files, stacktraces or `var_dump` output.

The scope is **not** to provide a Cryptographically Secure Password or a ValueObject that you can just pass to your Persistence-Layer for storage. On the contrary: **You shall never store this Object.**

This is only a thin wrapper around your password-string that tries to guard you from accidentally leaking the password string where you don't want to see it.

The object stores the password encrypted using `sodium_crypto_secretbox`. So should one find a way to expose the private property, only encrypted binary data will be visible. The nonce and the key used to encrypt and decrypt are stored in constants and are replaced on every request. So when you create two Password objects within one request, they will both use the same nonce and key. As those values are stored as constants, they will not leak by accident; you have to address them actively. Preventing **that** is outside the scope of this package!

As the goal of this Object is not to store the password in a secure way (you will use a hashing algorithm for that, won't you?) but to prohibit it from accidentally leaking in cleartext, that is a compromise I'm willing to take.
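The mechanism described above, as an added PHP sketch that is not the package's source: `SealedPassword`, `login()` and the sample password are hypothetical, and static properties stand in for the constants the README mentions. It contrasts how a stack trace renders a plain string argument with how it renders the wrapper object, and shows that the instance itself holds only ciphertext.

```php
<?php
declare(strict_types=1);
// Hypothetical illustration, not the package's source. Static properties stand
// in for the per-request constants the README mentions.
final class SealedPassword
{
    private static $key;    // one key per request, shared by all instances
    private static $nonce;  // one nonce per request, shared by all instances
    private $sealed;        // ciphertext; the only instance state a dump can reach

    private function __construct(string $sealed) { $this->sealed = $sealed; }

    public static function fromPlainText(string $plain): self
    {
        self::$key   = self::$key   ?? random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
        self::$nonce = self::$nonce ?? random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        return new self(sodium_crypto_secretbox($plain, self::$nonce, self::$key));
    }

    public function matchesHash(string $hash): bool
    {
        $plain = sodium_crypto_secretbox_open($this->sealed, self::$nonce, self::$key);
        if ($plain === false) {
            throw new RuntimeException('sealed password failed authentication');
        }
        try {
            return password_verify($plain, $hash);
        } finally {
            sodium_memzero($plain); // wipe the short-lived cleartext copy
        }
    }
}

// Constructed failing call: whatever is passed as $password lands in the trace.
function login(string $user, $password): void
{
    throw new RuntimeException('directory backend unavailable');
}

ini_set('zend.exception_ignore_args', '0'); // PHP >= 7.4: keep arguments in traces
$sealed = SealedPassword::fromPlainText('hunter2'); // constructed sample password
foreach (['hunter2', $sealed] as $argument) {
    try {
        login('alice', $argument);
    } catch (RuntimeException $e) {
        echo $e->getTraceAsString(), PHP_EOL; // compare how each argument is rendered
    }
}
var_dump($sealed->matchesHash(password_hash('hunter2', PASSWORD_DEFAULT)));
```

The trace for the string call prints the password itself, while the trace for the object call names only the class. On PHP 8.2 and later, the `#[\SensitiveParameter]` attribute addresses the same stack-trace exposure at the language level.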

Why?
----

The discussions that spun up around Twitter leaking passwords to logfiles left me thinking.

It can actually happen quite easily to have passwords come up in log files when you put stack traces into logs. And that brought me to thinking about how to avoid that accidentally. The answer to me is a value-object with a bit of logic that handles the password but won't accidentally leak it.

Just today (21st of March 2019) another leakage of cleartext passwords was announced. This time multiple 100 million accounts at Facebook were leaked over multiple years. Read more on [Krebs on Security](https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/) or directly at [Facebook](https://newsroom.fb.com/news/2019/03/keeping-passwords-secure/).

Installation
------------


This is best installed using composer like this:

```
composer require org_heigl/password
```

Usage
-----

Instead of passing the password as a string, create a Password-Object and pass that.

```
$password = Password::createFromPlainText($request->getParam('password'));
// Do not forget to remove the password from your request-object!!
$request->setParam('password', '*****');
```

You can also use PHP's password-hashing API directly:

```
$password->matchesHash($hashFromPhpPasswordHashingApi);
```

Additionally you can get a new hash for the password like this:

```
$hash = $password->getNewHash();
```

To round out the wrapper around PHP's password-hashing API, there is also a method to check whether the password should be rehashed:

```
$password->shouldBeRehashed();
```

To store the password securely in a database, you can retrieve it hashed using:

```
$password->hash($algorithm, $options);
```

where `$algorithm` and `$options` are the corresponding arguments to [password\_hash](https://php.net/password_hash).

If you **really** need to get the plaintext password the password-object was initialized with (e.g. for use with `ldap_bind`), you can do that as well:

```
$plaintextPassword = $password->getPlainTextPasswordAndYesIKnowWhatIAmDoingHere();
```

