Simple password validator using raw entropy values. Heavily inspired by Lane Wagner Lane Wagner repository go-password-validator.
go-password-validator is an awesome project written for Go Lang. But I wondered what about Javascript community?
Zxcvbn is a great tool with the same functionality, but it requires dataset of most commonly used passwords.
This project can be used to front a password strength meter, or simply validate password strength on the server. Benefits:
- No stupid rules (doesn't require uppercase, numbers, special characters, etc)
- Everything is based on entropy (raw cryptographic strength of the password)
- Doesn't load large sets of data into memory - very fast and lightweight
- Doesn't contact any API's or external systems
- Inspired by this XKCD
Outside of a Go module:
npm i password-validator-nodejspackage main
const passwordvalidator = require("password-validator-nodejs")
const estimatePasswordStrength = (password, minEntropy) {
entropy := passwordvalidator.passwordValidator("password", minEntropy)
// if the password has enough entropy, {"}
// otherwise, a formatted error message is provided explaining
// how to increase the strength of the password
// (safe to show to the client)
}It's up to you. That said, here is a graph that shows some common timings for different values, somewhere in the 50-70 range seems "reasonable".
Keep in mind that attackers likely aren't just brute-forcing passwords, if you want protection against common passwords or PWNed passwords you'll need to do additional work. This library is lightweight, doesn't load large datasets, and doesn't contact external services.
First, we determine the "base" number. The base is a sum of the different "character sets" found in the password.
We've arbitrarily chosen the following character sets:
- 26 lowercase letters
- 26 uppercase letters
- 10 digits
- 5 replacement characters -
!@$&* - 5 seperator characters -
_-., - 22 less common special characters -
"#%'()+/:;<=>?[\]^{|}~
Using at least one character from each set your base number will be 94: 26+26+10+5+5+22 = 94
Every unique character that doesn't match one of those sets will add 1 to the base.
If you only use, for example, lowercase letters and numbers, your base will be 36: 26+10 = 36.
After we have calculated a base, the total number of brute-force-guesses is found using the following formulae: base^length
A password using base 26 with 7 characters would require 26^7, or 8031810176 guesses.
Once we know the number of guesses it would take, we can calculate the actual entropy in bits using log2(guesses). That calculation is done in log space in practice to avoid numeric overflow.
We try to err on the side of reporting less entropy rather than more.
With repeated characters like aaaaaaaaaaaaa, or 111222, we modify the length of the sequence to count as no more than 2.
aaaahas length 2111222has length 4
Common sequences of length three or greater count as length 2.
12345has length 2765432has length 2abchas length 2qwertyhas length 2
The sequences are checked from back->front and front->back. Here are the sequences we've implemented so far, and they're case-insensitive:
0123456789qwertyuiopasdfghjklzxcvbnmabcdefghijklmnopqrstuvwxyz
There's another project that has a similar purpose, zxcvbn, and you may want to check it out as well. Our goal is not to be zxcvbn, because it's already good at what it does. password-validator-nodejs doesn't load any large datasets of real-world passwords, we write simple rules to calculate an entropy score. It's up to the user of this library to decide how to use that entropy score, and what scores constitute "secure enough" for their application.
Submit an issue (above in the issues tab)
- Write unit tests
- Make an async version if block event loop is an issue
None! And it will stay that way, except of course for the standard library.