The password field stores bcrypt-hashed passwords and is primarily used for the system password field in auth collections. It automatically hashes plain text passwords and provides validation methods.

Configuration options

pattern (string)
    Optional regex pattern to match against the plain password value. Leave empty to skip pattern validation.

min (int, default: 0)
    Minimum required password length (in characters). Set to 0 for no minimum.

max (int, default: 71)
    Maximum allowed password length (in characters). Defaults to 71 (bcrypt limit) if zero or not set.

cost (int, default: bcrypt.DefaultCost)
    Bcrypt cost factor (4-31). Higher values increase security but take longer to hash. Defaults to bcrypt.DefaultCost (10) if zero.

required (bool, default: false)
    When true, requires the field value to be a non-empty string.

How it works

The password field has special behavior:
  1. Setting values: When you set a plain text password using record.Set(), it’s automatically hashed
  2. Getting values: record.Get() returns the plain password only before the record is saved; afterwards it returns an empty string
  3. Hash access: Use record.GetString("password:hash") to access the bcrypt hash
  4. Direct hash: Use record.SetRaw() to set a pre-hashed bcrypt string directly
Bcrypt has a maximum password length of 72 bytes. The field enforces a 71 character limit by default to account for encoding.

Special getter

The password field provides a special getter to access the hash:
// Get the bcrypt hash
hash := record.GetString("password:hash")

Validation rules

The password field validates:
  • Length: Plain password must be between min and max characters
  • Pattern: If specified, plain password must match the regex pattern
  • Hash errors: Bcrypt hashing errors are captured and returned during validation
  • Required: If enabled, hash must be non-empty

Go examples

import "github.com/pocketbase/pocketbase/core"

field := &core.PasswordField{
    Name:     "password",
    Required: true,
    Min:      8,
}

collection.Fields.Add(field)

// Set plain password (will be hashed automatically)
record.Set("password", "mySecurePassword123")

// Before save: returns "mySecurePassword123"
plainPassword := record.GetString("password")

// After save: returns empty string
plainPassword = record.GetString("password") // ""

// Get hash anytime
hash := record.GetString("password:hash")

Password validation

The password field value can be validated against a plain text password:
// Get the password field value
passwordValue := record.GetRaw("password").(*core.PasswordFieldValue)

// Validate against plain text
isValid := passwordValue.Validate("userEnteredPassword")

if isValid {
    // Password matches
} else {
    // Password doesn't match
}

Database column type

TEXT DEFAULT '' NOT NULL

Common password patterns

Pattern: "^[A-Za-z0-9]{8,}$"
// At least 8 chars, letters and digits only
// Note: the pattern is compiled with Go's regexp package (RE2 syntax), which has no lookahead,
// so a Perl-style composition rule such as "(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)" will not compile.
// Per-character-class requirements have to be enforced in application code instead.
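The validation rules listed above (length counted in characters, optional pattern, required) together with the 71-character/72-byte note, as an added stand-alone Go illustration that is not PocketBase's own code: it uses only the standard library, the names PasswordRules, Check and bcryptMaxBytes are assumed, and it shows both that a lookahead pattern fails to compile under Go's RE2 regexp and that a 71-character multi-byte password can still exceed bcrypt's byte limit.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"unicode/utf8"
)

// PasswordRules holds the page's options; an added illustration, not PocketBase's type.
type PasswordRules struct {
	Pattern  string
	Min, Max int
	Required bool
}

const bcryptMaxBytes = 72 // bcrypt input limit the page mentions

// Check applies the documented rules to a plain-text password. Min/Max count
// characters, so it also checks bytes: 71 multi-byte runes can exceed 72 bytes.
func (r PasswordRules) Check(plain string) error {
	if plain == "" {
		if r.Required {
			return errors.New("password is required")
		}
		return nil
	}
	limit := r.Max
	if limit <= 0 {
		limit = 71 // documented default
	}
	if n := utf8.RuneCountInString(plain); n < r.Min || n > limit {
		return fmt.Errorf("length %d not within %d..%d characters", n, r.Min, limit)
	}
	if len(plain) > bcryptMaxBytes {
		return fmt.Errorf("%d bytes exceeds bcrypt's %d-byte limit", len(plain), bcryptMaxBytes)
	}
	if r.Pattern != "" {
		re, err := regexp.Compile(r.Pattern) // Go regexp is RE2: lookaheads fail here
		if err != nil {
			return fmt.Errorf("invalid pattern: %w", err)
		}
		if !re.MatchString(plain) {
			return errors.New("password does not match the required pattern")
		}
	}
	return nil
}

func main() { fmt.Println(PasswordRules{Min: 8, Required: true}.Check("short")) }
```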

Bcrypt cost levels

Bcrypt cost determines how many iterations are used (2^cost), so each increment doubles the hashing time:
  • Cost 4: ~2ms (testing only)
  • Cost 10: ~50ms (default, good balance)
  • Cost 12: ~200ms (high security)
  • Cost 14: ~800ms (very high security)
  • Cost 15+: Use with caution (can take several seconds)

Security best practices

  • Never store or log plain text passwords
  • Use a minimum length of at least 8 characters (12+ recommended)
  • Consider requiring complexity through pattern validation
  • Use default bcrypt cost (10) unless you have specific security requirements
  • The plain password is automatically cleared after save
  • Bcrypt automatically includes a salt, so there is no need to add one separately
  • Hashed passwords are approximately 60 characters long

Auth collection integration

This field is automatically used in auth collections:
// Auth collections have a built-in password field
// You typically don't need to add it manually

collection := &core.Collection{
    Name: "users",
    Type: core.CollectionTypeAuth,
}

// The password field is automatically configured

Zero value

The zero value for password fields is an empty string "".