Password managers now suggest passwords that actually pass

Published on June 1, 2026 by Freek Van der Herten

You ask 1Password for a strong password, it fills one in, and then the signup form rejects it. Annoying, right? We just got rid of that little dance.

Every place where you set a new password in Oh Dear (signing up, resetting a forgotten password, changing your password in your profile) now tells your browser exactly what we expect. Safari, 1Password, and Bitwarden read that and generate a password that fits on the first try.

How it works

There's an Apple specification for a passwordrules attribute on password fields. Password managers honor it. Laravel 13.9 added a way to generate that attribute straight from a validation rule, so we wired our existing rules into the markup:

public static function htmlAttribute(): string
{
    return self::passwordRule()->toPasswordRulesString();
}

The same passwordRule() builds both the server-side validation and the browser hint, so the two can never drift apart. The rendered field looks like this:

<input type="password" name="password" autocomplete="new-password" passwordrules="minlength: 12;">

The rule maps cleanly onto what password managers understand:

| Our rule | Becomes |
| --- | --- |
| Password::min(12) | minlength: 12 |
| mixedCase() | required: lower; required: upper |
| numbers() | required: digit |
| symbols() | required: special |
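
To check that a generated password really fits a given hint, this added JavaScript example (not Oh Dear's or Laravel's code) parses a passwordrules string limited to the properties in the table above and reports which rules a candidate breaks. The function names, the `ALL_RULES` sample, the definition of `special`, and the code-point length count are assumptions.

```javascript
// Added example: validate a candidate password against a passwordrules string.
// Handles only the properties in the table above; anything else throws.
const CLASSES = {
  lower: /[a-z]/,
  upper: /[A-Z]/,
  digit: /[0-9]/,
  // Assumption: "special" is approximated as printable ASCII that is
  // neither a letter nor a digit.
  special: /[ -\/:-@\[-`{-~]/,
};

// Constructed sample: every row of the table joined into one attribute value.
const ALL_RULES =
  'minlength: 12; required: lower; required: upper; required: digit; required: special;';

function parsePasswordRules(attr) {
  const rules = { minlength: 0, required: [] };
  for (const part of attr.split(';')) {
    if (part.trim() === '') continue; // tolerate the trailing ';'
    const idx = part.indexOf(':');
    if (idx === -1) throw new Error(`malformed rule: "${part.trim()}"`);
    const name = part.slice(0, idx).trim().toLowerCase();
    const value = part.slice(idx + 1).trim().toLowerCase();
    if (name === 'minlength') {
      if (!/^\d+$/.test(value)) throw new Error(`bad minlength: "${value}"`);
      rules.minlength = Math.max(rules.minlength, Number(value));
    } else if (name === 'required') {
      if (!Object.hasOwn(CLASSES, value)) throw new Error(`unsupported class: "${value}"`);
      if (!rules.required.includes(value)) rules.required.push(value);
    } else {
      throw new Error(`unsupported property: "${name}"`);
    }
  }
  return rules;
}

// Returns the rules the password breaks; an empty array means it conforms.
function violations(password, attr) {
  const rules = parsePasswordRules(attr);
  const failed = [];
  // Assumption: length is counted in code points, not UTF-16 units.
  if ([...password].length < rules.minlength) failed.push(`minlength: ${rules.minlength}`);
  for (const cls of rules.required) {
    if (!CLASSES[cls].test(password)) failed.push(`required: ${cls}`);
  }
  return failed;
}
```

Throwing on unknown properties is deliberate: if the server-side rule ever gains a constraint this checker does not model, the mismatch surfaces as an error instead of a silent pass.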

We bumped the minimum to 12

While we were in there, we raised the minimum password length from 8 to 12 characters. A longer minimum is one of the cheapest security wins around, and since the password your manager suggests now matches our rules exactly, you won't even notice the extra length. In production we also reject passwords that have shown up in known data breaches.

On top of the length, we lean on Laravel's uncompromised() rule in production. It checks your password against the Have I Been Pwned database of breached passwords, so a password that's leaked somewhere else won't get past us, no matter how long it is. The check uses k-anonymity, which means your actual password never leaves our servers.

The rules stack up like this:

| Rule | What it does |
| --- | --- |
| min(12) | Blocks short passwords |
| uncompromised() | Rejects passwords found in known breaches |

There's nothing for you to do. Next time you sign up or reset your password, let your password manager do its thing. The suggestion it gives you will sail through.
