Narcoleptic's Patch Mangler
    Have ideas to improve npm?Join in the discussion! »

    tai-password-strength
    TypeScript icon, indicating that this package has built-in type declarations

    1.1.2 • Public • Published

    Password Strength Tester

    Password Strength is a library that calculates the relative strength of a password. This is accomplished by using several techniques. Primarily this relies on letter trigraphs, which check each set of 3 characters in a given password. More information on the trigraph calculations is available. This also calculates the entropy bits based on Claude Shannon's technique on determining the number of bits required to represent a set of characters and multiplying it by the length of the password. There is also a check to see if a password is contained in a list of common passwords.

    There is a wonderful demo page where you can test out the technology yourself.

    npm version Build Status Dependencies Dev Dependencies

    Usage

    The Password Strength library is wrapped with fid-umd, and is usable in a variety of systems. When you use the .check() method for the password "abcd1234", the results may look like what you see below. Comments are added to explain the fields.

    {
        charsetSize: 36,  // Explained better below
        commonPassword: true,  // If true, don't use this password!
        nistEntropyBits: 18, // NIST 800-63, probably not a good measurement
        passwordLength: 8,  // Same as string.length
        shannonEntropyBits: 24,  // Claude Shannon's method
        strengthCode: 'WEAK',  // Our ranking of the password's strength
        trigraphEntropyBits: 39.71755017780513,  // Based on trigraphs
        charsets: {
            number: true,  // Contains 0-9
            lower: true,  // Contains a-z
            upper: false,  // Contains A-Z
            punctuation: false,  // Contains common sentence punctuation
            symbol: false,  // Contains mathematical symbols
            other: ''  // Unicode and uncaught characters
        }
    }
    

    The charset size is the sum of the lengths of the different charsets that the password uses. The higher this number, the harder it is to brute force attack. That's precisely why password policies often say "must contain one lowercase letter, one uppercase letter, one number and a symbol".

    The strength code is based on the trigraph entropy bits when they are available and will fall back to the Shannon entropy bits. It's one of five values: VERY_WEAK, WEAK, REASONABLE, STRONG, and VERY_STRONG. The NIST scores are based on NIST Special Publication 800-63, but this is considered to not provide an accurate measurement of entropy and is included for completeness and comparison to the other algorithms.

    Trigraph entropy bits is discussed more here.

    The charsets is mostly an object that has boolean values, except the other property. That one is a catch-all string of the letters that were not caught and tallied into another one of the charset lists. The list of characters in other is deduplicated.

    Browser

    Include lib/password-strength.js in your project.

    <script src="path/to/password-strength.js" />
    

    Next you will want to instantiate the modules and make some AJAX calls to fetch additional data and make the password strength tester more accurate and informative. This bit of code uses jQuery, but similar code can be written for any framework.

    $(function () {
        // Create the instance that can be used immediately for strength tests
        window.passwordStrength = new PasswordStrength();
    
        // Add additional files that improve the results
        $.getJSON("path/to/data/common-passwords.json", function (data) {
            window.passwordStrength.addCommonPasswords(data);
        });
        $.getJSON("path/to/data/trigraphs.json", function (data) {
            window.passwordStrength.addTrigraphMap(data);
        });
    });
    

    Later, to calculate the strength of a password you would use something like this:

    if (window.passwordStrength) {
        strength = window.passwordStrength.check("abcd1234");
    
        if (strength.strengthCode.indexOf('WEAK') >= 0) {
            alert("Your password is too weak.");
        }
    }
    

    Node.js

    First run npm install --save tai-password-strength and then your code would look a bit like this:

    var taiPasswordStrength = require("tai-password-strength")
    var strengthTester = new taiPasswordStrength.PasswordStrength();
    var results = strengthTester.check("abcd1234");
    
    // Add in extra files for additional checks and better results
    strengthTester.addCommonPasswords(taiPasswordStrength.commonPasswords);
    strengthTester.addTrigraphMap(taiPasswordStrength.trigraphs);
    var betterResults = strengthTester.check("abcd1234");
    
    if (betterResults.strengthCode.indexOf('WEAK') >= 0) {
        throw new Error("Your password is too weak");
    }
    

    Install

    npm i tai-password-strength

    DownloadsWeekly Downloads

    2,342

    Version

    1.1.2

    License

    MIT

    Unpacked Size

    596 kB

    Total Files

    21

    Last publish

    Collaborators

    • avatar