jQuery Password Strength Plugin
passStrengthify is a jQuery plugin to estimate password strength. It uses simple statistical analysis to try to determine if a password is strong.
Download the: full source or minified source.
Usage is simple:
passStrengthify accepts the following options:
This jQuery plugin to estimate password strength differs from other similar plugins in the way that it analyses text; it uses the concept of entropy to judge the strength of a password (i.e. it tries to calculate its equivalence to n bits of random data). This is better than many similar plugins which run a few regular expression tests, because these tests often do not carry equal weighting but are portrayed linearly to the user, which can be very misleading as to the real strength of the password. Furthermore, the authors often have a very generous idea of what constitutes a strong password anyway: they seem to operate on the assumption that a naive brute force search would be all an attacker would use. In reality a smart attacker would work probabilistically, favouring 'more likely' sequences of and groupings characters.
Unfortunately, entropy is a pretty hard thing to measure while remaining applicable to real life, as it's so subjective: it's an attempt to measure uncertainty or the unknown, and it's hard to say exactly how much an attacker knows. From a practical perspective: this plugin has a very basic understanding of a few things a strong password cracking program would: it understands frequency distribution of alphabetic characters in the first and second order (i.e. individual letters and sequences of two letters). It also has some artificial limitations on what will increase the entropy, like trailing numbers aren't as important as a truly mixed alphanumeric sequence (compare the password space for 6 alphabetic chars followed by two numbers: 266 + 102 ≈ 266 ≈ 228 as opposed to 8 mixed alphanumeric chars: 368 ≈ 241, a staggering difference!). Similarly, long runs of repetition aren't very impressive, and nor are obvious sequences (abc, 123, etc).
Obviously there are a few other 'implementation' shortcomings:
- There's no support for specific validation except for a minimum length.
- It doesn't know about actual words. Redistributing a wordlist on every page-load seems a little heavy, although this could be achieved with an AJAX extension, but...
- ...it's not AJAX extensible. I don't like the idea of transmitting the password on every keystroke, it's an obvious invitation to abuse of security and privacy. Therefore I'm not going to provide an easy-to-use interface to it.
- It's tailored to English and ASCII.