jQuery Password Strength Plugin

passStrengthify is a jQuery plugin to estimate password strength. It uses simple statistical analysis to try to determine if a password is strong.

Download

Download the full source or the minified source.

Usage

Usage is simple:

Options

passStrengthify accepts the following options:

element: (jQuery object)

Sets the container for the output element

labels: {
    passwordStrength: 'Password Strength:',
    tooShort: 'Too short'
}

Labels used to change the displayed text

levels: (Array<String>)
colours: (Array<String>)
tests: (Array<RegExp>)

The levels/colours/tests arrays are as follows:
levels - a list of descriptions, where each index corresponds to the number of tests passed
colours - a list of colours, where each index corresponds to the number of tests passed
tests - a list of regex tests to perform (match == pass)
If any of these are given, levels and colours must have the same length, and that length must be one greater than the length of tests. The default size of tests is 8. The first colour is used as the default background colour.

minimum: (int >= 0)

Sets the minimum password length

rawEntropy: (bool)

Toggles raw entropy (bits) display

security: (int) [0, 3) (default: 1)

Security level

Description

This jQuery plugin to estimate password strength differs from other similar plugins in the way it analyses text: it uses the concept of entropy to judge the strength of a password (i.e. it tries to calculate its equivalence to n bits of random data). This is better than many similar plugins, which run a few regular expression tests; those tests often do not carry equal weight but are portrayed linearly to the user, which can be very misleading as to the real strength of the password. Furthermore, the authors often have a very generous idea of what constitutes a strong password anyway: they seem to operate on the assumption that a naive brute force search would be all an attacker would use. In reality a smart attacker would work probabilistically, favouring 'more likely' sequences and groupings of characters.

Unfortunately, entropy is a pretty hard thing to measure while remaining applicable to real life, as it's so subjective: it's an attempt to measure uncertainty or the unknown, and it's hard to say exactly how much an attacker knows. From a practical perspective, this plugin has a very basic understanding of a few things a strong password cracking program would: it understands the frequency distribution of alphabetic characters in the first and second order (i.e. individual letters and sequences of two letters). It also has some artificial limitations on what will increase the entropy; for example, trailing numbers aren't as important as a truly mixed alphanumeric sequence (compare the password space for 6 alphabetic chars followed by two numbers, 26^6 + 10^2 ≈ 26^6 ≈ 2^28, with that of 8 mixed alphanumeric chars, 36^8 ≈ 2^41: a staggering difference!). Similarly, long runs of repetition aren't very impressive, and nor are obvious sequences (abc, 123, etc).
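The estimator sketched above, as an added example written for this page rather than code taken from passStrengthify: a first-order letter-frequency model with the repetition, sequence and trailing-digit discounts just described, plus a mapping from bits to a levels[] index. The frequency table, the penalty values and the thresholds are constructed assumptions, and the plugin's second-order (bigram) table is omitted.

```javascript
// Added example, not passStrengthify's own code. Constructed first-order model:
// approximate English letter frequencies in per cent (the bigram table is omitted).
const LETTER_FREQ = {
  e: 12.7, t: 9.1, a: 8.2, o: 7.5, i: 7.0, n: 6.7, s: 6.3, h: 6.1, r: 6.0, d: 4.3,
  l: 4.0, c: 2.8, u: 2.8, m: 2.4, w: 2.4, f: 2.2, g: 2.0, y: 2.0, p: 1.9, b: 1.5,
  v: 1.0, k: 0.8, j: 0.15, x: 0.15, q: 0.1, z: 0.07,
};

// Bits an attacker must "pay" to guess one character in isolation: -log2(p).
function charBits(ch) {
  const lower = ch.toLowerCase();
  if (Object.prototype.hasOwnProperty.call(LETTER_FREQ, lower)) {
    let bits = -Math.log2(LETTER_FREQ[lower] / 100); // common letters cost < log2(26)
    if (ch !== lower) bits += 1;                      // upper case adds at most one bit
    return bits;
  }
  if (/[0-9]/.test(ch)) return Math.log2(10);
  return Math.log2(33); // remaining printable ASCII symbols
}

// Sum the per-character cost, discounting the patterns the text calls out.
function estimateEntropy(password) {
  const trailing = (password.match(/[0-9]+$/) || [''])[0];
  const bodyLen = password.length - trailing.length;
  let bits = 0;
  for (let i = 0; i < password.length; i++) {
    let cost = charBits(password[i]);
    if (i > 0) {
      // Repetition (aa) or a stepwise sequence (ab, 12) is nearly free: cap at 1 bit.
      const delta = password.charCodeAt(i) - password.charCodeAt(i - 1);
      if (delta === 0 || delta === 1) cost = Math.min(cost, 1);
    }
    // Trailing digits after letters ("word12") are an expected pattern: credit only half
    // (assumed penalty) instead of treating them as part of a mixed alphanumeric string.
    if (bodyLen > 0 && i >= bodyLen) cost /= 2;
    bits += cost;
  }
  return bits;
}

// Index into a levels[]/colours[] array; the thresholds in bits are assumed.
function strengthLevel(bits, thresholds = [20, 28, 36, 44]) {
  return thresholds.filter((t) => bits >= t).length;
}

// Constructed inputs: a word with trailing digits scores below the same characters
// with the digits mixed in, and both score far below a random-looking string.
console.log(estimateEntropy('password12').toFixed(1), estimateEntropy('pa12ssword').toFixed(1),
  estimateEntropy('q7Kx#pZ2').toFixed(1));
```

Because there is no word list, "password12" still earns more bits than it deserves; that is exactly the shortcoming the list below admits.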

Obviously there are a few other 'implementation' shortcomings:

  1. There's no support for specific validation except for a minimum length.
  2. It doesn't know about actual words. Redistributing a wordlist on every page-load seems a little heavy, although this could be achieved with an AJAX extension, but...
  3. ...it's not AJAX extensible. I don't like the idea of transmitting the password on every keystroke, it's an obvious invitation to abuse of security and privacy. Therefore I'm not going to provide an easy-to-use interface to it.
  4. It's tailored to English and ASCII.