[][src]Crate password_rules_parser

Rust parser for the HTML passwordrules attribute, a proposal for an HTML attribute that allows services to specify their password requirements in a machine-readable format.

This spec is primarily being backed by Apple, and their tools and docs can be found here.

Password Rules

A password rule consists of the following:

  • max-consecutive - The maximum number of consecutive identical characters allowed in the password
  • minlength - The minimum length of the password
  • maxlength - The maximum length of the password
  • allowed - A set of character classes whose characters the password is allowed to be generated with
    • Note that allowed: digit, upper; is equivalent to allowed: digit; allowed: upper;
  • required - A set of character classes where at least one character from each required set must appear in the password
    • Note that required: digit, upper; is not equivalent to required: digit; required: upper;. The first (required: digit, upper;) means that the password must contain a digit or an upper(case) character, while the second (required: digit; required: upper;) means the password must contain a digit AND an upper(case) character.

Rules are separated by a semicolon (;), while character classes are separated by a comma (,).

An example of a password rule:

max-consecutive: 2; minlength: 10; maxlength: 15; allowed: upper; required: digit, special;

Character Classes

There are several different types of character classes:

  • Upper - All ASCII uppercase characters (ABCDEFGHIJKLMNOPQRSTUVWXZY)
  • Lower - All ASCII lowercase characters (abcdefghijklmnopqrstuvwxzy)
  • Digit - All ASCII digits (0123456789)
  • Special - ASCII special characters (-~!@#$%^&*_+=``|(){}[:;"'<>,.?])
  • AsciiPrintable - All ASCII printable characters
  • Unicode - All unicode characters
    • Note: In this implementation this class is equivalent to AsciiPrintable
  • Custom - Contains a set of custom ASCII printable characters in the format [-abc]] where -, a, b, c, and ] are the characters.
    • Note: - and ] are special characters in a character class where - must be the first character in the set and ] must be the last character.


This example can be run via cargo run --example parse.

use password_rules_parser::{parse_password_rules, CharacterClass};

let password_rules = "minlength: 8; maxlength: 32; required: lower, upper; required: digit; allowed: [-_./\\@$*&!#];";
let parsed_rules =
    parse_password_rules(password_rules, true).expect("failed to parse password rules");

assert_eq!(parsed_rules.min_length.unwrap(), 8);
assert_eq!(parsed_rules.max_length.unwrap(), 32);
// This password rule does not place a restriction on consecutive characters
        '!', '#', '$', '&', '*', '-', '.', '/', '@', '\\', '_',
        vec![CharacterClass::Upper, CharacterClass::Lower],

// The above information can be used to make informed decisions about what password
// to generate for use with a specific service

You can try parsing arbitrary rules with this tool via cargo run --example cli.



Errors that can be returned from the parsing process



The various parsed password rules



Character classes that the password can be allowed or required to use



Parse a password rules string and return its parts