May 11th, 2026
News

Laravel 13: Convert a Password Rule Instance to a passwordrules String

Laravel 13: Convert a Password Rule Instance to a passwordrules String
Sponsored by
Queuewatch Clearooms
Table of Contents

@imliam merged PR #60070 into laravel/framework on the 13.x branch, adding a toPasswordRulesString() method to the Password validation rule. The method serialises password constraints into an HTML passwordrules attribute string per Apple's password rules specification.

What the Method Returns

Call toPasswordRulesString() on any Password instance and get back a semicolon-delimited string ready to drop into a passwordrules HTML attribute.

1Password::min(12)->max(64)->mixedCase()->numbers()->symbols()->toPasswordRulesString();
2// 'minlength: 12; maxlength: 64; required: lower; required: upper; required: digit; required: special;'

Each fluent constraint on the Password rule maps to a corresponding token in the output. min() and max() produce minlength/maxlength, mixedCase() produces both required: lower and required: upper, numbers() produces required: digit, and symbols() produces required: special.

Using It on a Password Field

The natural place for this is a registration or password-change form. Pass the result directly into the passwordrules attribute alongside autocomplete="new-password".

1<input
2    type="password"
3    autocomplete="new-password"
4    passwordrules="{{ Password::defaults()->toPasswordRulesString() }}"
5/>

When a password manager like 1Password, or a browser's built-in credential manager, encounters this attribute it reads the policy and generates a password that will actually pass validation. Without it, the manager generates something generic and the user finds out at submission time that the app requires symbols, or a minimum of 12 characters.

Who Should Care

Any application that ships a registration flow, a password-change screen, or a password reset form benefits here. The attribute is a progressive enhancement: browsers that do not understand passwordrules ignore it entirely, so there is no downside to adding it. If the app already calls Password::defaults() to centralise its policy, one call to toPasswordRulesString() keeps the frontend in sync with the backend rule automatically.

If you enjoyed this article, please consider supporting our work for as low as $5 / month.

Sponsor
Marian Pop

Written by

Marian Pop

Writing and maintaining @LaravelMagazine. Host of "The Laravel Magazine Podcast". Pronouns: vi/vim.

[email protected] @marianvpop
@LaravelMagazine
Hire from the Laravel community

Hiring Laravel developers?

Reach an audience of vetted Laravel devs who read this site every week. From $79.

Post a Job from $79

Comments

Stay Updated

Subscribe to our newsletter

Get latest news, tutorials, community articles and podcast episodes delivered to your inbox.

Weekly articles
We send a new issue of the newsletter every week on Friday.
No spam
We'll never share your email address and you can opt out at any time.