Secure Your Java Applications with Passay: The Essential Password Utility Library

Photo of Luqman Saeed by Luqman Saeed

In the digital age, where data breaches are common and privacy is paramount, ensuring users use strong passwords is the first step to securing applications from never-ending threats. Passay, a Java password generation and policy management library helps enhance the security layer of any Java application. Let's dive into the core components of Passay in this blog post to see how you can employ it in your own applications. 

Core Components of Passay

Passay's functionality revolves around three key components:

  1. Rule: The foundation of Passay, rules define the criteria for password policies.
  2. PasswordValidator: This component validates passwords against a predefined rule set.
  3. PasswordGenerator: For generating passwords that adhere to specified rules.


Rule Overview

Rules in Passay are categorized into positive and negative matches. Positive match rules ensure passwords meet certain criteria, while negative match rules reject passwords that meet specific conditions.

 Positive Matching Rules

Positive match rules require a given password satisfy the given rule or rule set. Some of the out of the box rules include:


  • AllowedCharacterRule: Requires passwords to contain a specified set of characters.
  • CharacterCharacteristicsRule: Demands a password to have a certain number of character types (like digits or symbols).
  • LengthRule: Sets a minimum and maximum length for passwords.

Negative Matching Rules

Negative match rules, opposites of positive match rules, reject a given password that matches the rule or rule set. They include:

  • DictionaryRule: Rejects passwords matching dictionary entries.
  • IllegalSequenceRule: Prevents passwords with easily guessable sequences like "12345."
  • UsernameRule: Disallows the use of the username in the password.

Password Validation

Validating passwords in Passay involves creating a PasswordValidator object with a list of Rule objects. These rule objects determine the requirements that passwords must satisfy in order to be accepted or rejected. A password policy with the following requirements

  • Length of 8 to 16 characters.
  • At least one upper case, lower case, digit, and symbol.
  • No whitespace characters.

Can be abstracted into a Passay PasswordValidator object as follows:

PasswordValidator validator = new PasswordValidator(

  new LengthRule(8, 16),
  new CharacterRule(EnglishCharacterData.UpperCase, 1),
  new CharacterRule(EnglishCharacterData.LowerCase, 1),
  new CharacterRule(EnglishCharacterData.Digit, 1),
  new CharacterRule(EnglishCharacterData.Special, 1),

   new WhitespaceRule()



For a given password in held in the String variable passedPassword, the PasswordValidator object validator can be used to validate it as follows:

RuleResult result = validator.validate(new PasswordData(new String(passedPassword)));


The RuleResult object has the isValid() method for determining if the password is valid according to the set rules, or the getMessage() method that returns a collection of messages for all rule set violations. 

Advanced Validation: Customizing Messages

Passay features the MessageResolver interface, which enables the transformation of password validation outcomes into user-friendly, meaningful text. This interface typically employs a message bundle to establish default messages for password validation. The following shows the default validation messages for some of the rules in the above example.

INSUFFICIENT_UPPERCASE=Password must contain %1$s or more uppercase characters.
INSUFFICIENT_LOWERCASE=Password must contain %1$s or more lowercase characters.

TOO_LONG=Password must be no more than %2$s characters in length.
TOO_SHORT=Password must be %1$s or more characters in length.

ILLEGAL_WHITESPACE=Password %2$s a whitespace character.


You can override the default message bundle by supplying your own message bundle in a file that you pass to the constructor of the PasswordValidator. 

Advanced Validation: M of N Rules

The CharacterCharacteristicsRule can be used for more intricate password policies. This rule allows for the specification of a password that must include a certain number of character types from a given set. For instance, a common application of this rule is to require a password to contain characters from three out of four categories - uppercase letters, lowercase letters, digits, and symbols. This approach not only increases the complexity of the password but also ensures a balanced use of different character types.

Advanced Validation: Dictionary Rules

The DictionaryRule within Passay provides a means to check proposed passwords against a list of known weak or compromised passwords. This rule can be configured with a comprehensive list of undesirable passwords. These might include passwords that have been exposed in data breaches, common phrases, or simple patterns. When a user attempts to set or change their password, the DictionaryRule ensures that their chosen password does not match any in this predefined list.

Password History

The HistoryRule and DigestHistoryRule in Passay serve this purpose by enabling the comparison of newly created passwords with a user’s historical passwords. The HistoryRule allows for a straightforward comparison, checking new passwords against a list of previous passwords stored in plain text. Needless to say, this should be used for the most trivial of "Hello, World" apps. The DigestHistoryRule offers a more secure approach, comparing new passwords against previously hashed passwords. 

Password Generation

Passay's PasswordGenerator API is an efficient tool for creating secure, policy-compliant passwords. It utilizes the CharacterRule to define specific character classes that must be included in the generated passwords. This functionality aligns password creation with distinct security requirements of various systems.

Example of Password Generation

Let’s consider a scenario where you need to generate a password that adheres to the following criteria:

Length Variability: The password should be between 8 to 16 characters long.
Character Diversity: It must include at least one uppercase letter, one lowercase letter, and one digit.
Whitespace Exclusion: The password should not contain any whitespace characters.

To accomplish this, you would set up a list of CharacterRule, each specifying a required character type. The PasswordGenerator then uses these rules to create a new password as follows:

List<CharacterRule> rules = Arrays.asList(
    new CharacterRule(EnglishCharacterData.UpperCase, 1), 
    new CharacterRule(EnglishCharacterData.LowerCase, 1),
    new CharacterRule(EnglishCharacterData.Digit, 1)    
  //Whitespace exclusion is implicit as it's not included in the character sets

PasswordGenerator generator = new PasswordGenerator();
String password = generator.generatePassword(12, rules);


The PasswordGenerator creates a 12-character password that meets the specified criteria. The flexibility of this API allows you to adjust the length and complexity of the password as needed, ensuring both security and compliance with various password policies.


Passay offers a comprehensive toolkit for password management, ensuring that your applications can enforce strong, secure passwords effectively. By leveraging its extensive rule sets, customizable validation messages, and powerful password generation capabilities, you can significantly enhance the security your Java applications in the fight against cyber threats. Happy Coding!

Related Posts