Password Strength Meter (a jQuery plugin)

Password Strength Meter is a jQuery plug-in that provides a smart algorithm for detecting a password's strength.

The password strength procedure works as follows.
There are many cases to consider when judging a password's strength, so we introduce a global variable, score, and each case adds points to (or subtracts points from) score.
At the end of the algorithm we decide the password strength according to the value of score.
The cases are:

  • If the password matches the username, the result is BadPassword
  • If the password is shorter than 4 characters, the result is TooShortPassword
  • score += password length * 4
  • score -= number of repeated characters in the password (1-character repetition)
  • score -= number of repeated characters in the password (2-character repetition)
  • score -= number of repeated characters in the password (3-character repetition)
  • score -= number of repeated characters in the password (4-character repetition)
  • If the password has 3 numbers, score += 5
  • If the password has 2 special characters, score += 5
  • If the password has both upper- and lower-case characters, score += 10
  • If the password has both numbers and letters, score += 15
  • If the password has both numbers and special characters, score += 15
  • If the password has both special characters and letters, score += 15
  • If the password consists only of letters, score -= 10
  • If the password consists only of numbers, score -= 10
  • If score > 100, score = 100

Now, according to the score, we decide the password strength:

  • If 0 < score < 34 then BadPassword
  • If 34 < score < 68 then GoodPassword
  • If 68 < score < 100 then StrongPassword
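
The rule list above, implemented as a stand-alone script so the scores can be checked outside a browser. This is an added example, not the plugin's own source. Details the post leaves open are assumed here: a "special character" is anything that is not a letter or a digit; a block of N characters counts as repeated when it is immediately followed by an identical block, and the penalty is the number of characters removed by collapsing such blocks; the band boundaries are taken as score < 34 (bad) and score < 68 (good).

```javascript
// Added example (not the plugin's own source): the scoring rules from the post,
// written so that they run under node and can be tested against sample input.
// Assumptions not stated in the post: a "special character" is anything that is
// not a letter or digit; a block of N characters is "repeated" when it is
// immediately followed by an identical block; bands use score < 34 / score < 68.

// Number of characters removed when immediately repeated blocks of blockLen
// characters are collapsed; this is the penalty for that repetition length.
function repetitionPenalty(password, blockLen) {
  let kept = "";
  let i = 0;
  while (i < password.length) {
    const block = password.slice(i, i + blockLen);
    const next = password.slice(i + blockLen, i + 2 * blockLen);
    if (block.length === blockLen && block === next) {
      i += blockLen; // drop this copy; the identical block that follows is rechecked
    } else {
      kept += password.charAt(i);
      i += 1;
    }
  }
  return password.length - kept.length;
}

function countMatches(str, re) {
  return (str.match(re) || []).length;
}

// Band boundaries (assumed: lower bound inclusive).
function strengthLabel(score) {
  if (score < 34) return "BadPassword";
  if (score < 68) return "GoodPassword";
  return "StrongPassword";
}

// Returns { score, strength } following the rule list in the post.
function passwordScore(password, username) {
  if (username !== undefined && password === username) {
    return { score: 0, strength: "BadPassword" };
  }
  if (password.length < 4) {
    return { score: 0, strength: "TooShortPassword" };
  }

  let score = password.length * 4;
  for (let n = 1; n <= 4; n++) {
    score -= repetitionPenalty(password, n);
  }

  const letters = countMatches(password, /[a-zA-Z]/g);
  const digits = countMatches(password, /[0-9]/g);
  const specials = countMatches(password, /[^a-zA-Z0-9]/g);

  if (digits >= 3) score += 5;
  if (specials >= 2) score += 5;
  if (/[a-z]/.test(password) && /[A-Z]/.test(password)) score += 10;
  if (digits > 0 && letters > 0) score += 15;
  if (digits > 0 && specials > 0) score += 15;
  if (specials > 0 && letters > 0) score += 15;
  if (letters === password.length) score -= 10;
  if (digits === password.length) score -= 10;
  if (score > 100) score = 100;

  return { score, strength: strengthLabel(score) };
}

// Constructed usage: passwords that come up in the comment thread of this post.
const samples = ["password_1", "0123456789", "abc123", "aaaaaaaa"];
for (const pw of samples) {
  const r = passwordScore(pw);
  console.log(pw, r.score, r.strength);
}
```

Under these assumptions the script reproduces what several commenters report: "password_1" scores 84 (strong), "0123456789" scores 35 (good) and "abc123" scores 44 (good). The rules reward character-class mixing and length only; nothing here knows about dictionary words or sequences, which is exactly the weakness the thread points out, so a meter like this is useful as user feedback but not as the sole gate on a registration form.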

Online demo.
PasswordStrengthMeter.zip

42 Comments so far

  1. jss on May 9, 07

    in the code, it has 1000 instead of 100.

  2. phiras on May 9, 07

    Alright, it’s OK now.
    thank you :)

  3. karam on May 28, 07

    Are you phiras?

  4. Glen Lipka on June 1, 07

    Wow, nice plugin. One suggestion. You might want to make a demo with a graphic visualization of the strength. Microsoft and Google both do this. Like red 50px bar for weak, yellow 100px for medium, 150px green for strong. I think this is doable right out of the box, but it makes for a compelling demo.

    Again, awesome work!

  5. phiras on June 1, 07

    Thank you Glen, nice idea :) .
    I’ll work on this soon.

  6. [...] using this code by Phiras. Thank you Phiras for making it available! I’m going to integrate this into WPMU [...]

  7. [...] I saw on Phiras’s Blog, and it is a function that returns the type of password we are [...]

  8. jd2718 on June 7, 07

    is there any way to distinguish between random letters and words, or does the distinction make no difference as far as password strength?

    IOW, is HbeqqpTvnmlzdn any better than StrongPassword as a password?

  9. Jan on June 7, 07

    “HbeqqpTvnmlzdn” is WAY better than “StrongPassword”, as the first one would require an exhaustive brute-force attack, while the latter one could be broken with a simple dictionary attack. Ignoring the case (to simplify the calculation), the first would need an average of 3*(10^19) operations, while the latter would be broken for sure after 1.5*(10^13) operations using an extremely large dictionary and 100 billion attempts using a small dictionary. That means, the first one would need AT LEAST about 2 billion times the time to break compared to the first one. As dictionary attacks are the only thing anyone might even consider trying against a web application, the first password would be unbreakable, while the second one would give the attacker a slight chance. However, if the attacker managed to test 10 passwords per second using a small dictionary of 10000 words, the probability that he manages to break the password within a week is 6% - and the wordpress admin team should notice someone hammering their server with 10 wrong auth requests per second within less than a week.

    Additionally, the “password strength meter” considers “0123456789” to be a good password. In reality, a dictionary attack would break it within quite a short time (I think about 20000 attempts at max.)

    If anyone wants to hack some blogs, he is going to do a simple dictionary attack, without going for passwords consisting of two words, so nearly ANY password not in a password cracking dictionary (qwertz, 123456, asdf and similar things ARE in such dictionaries) will protect you. If anyone wants to hack exactly YOUR blog, he WILL infect your pc with a trojan and steal the password or sniff it from a network you use, and then even a password like f”gh&&sah/svSD13″bjh+§#gHW23= is not going to help you.

  10. [...] believe that this is highly relevant for ALL bloggers. I could not find a WordPress plugin for the password strength meter without JQuery but that would be a very useful tool to have. Remember, the weakest link in our [...]

  11. phiras on June 8, 07

    Hmm, in fact this is a simple solution (my work). If we want to handle more complicated cases we need to do it on the server side, because we are going to use a dictionary and other detection approaches.
    We can’t do a lot of work to detect the password strength in the client browser (fully client-side script), and I’m working to improve it as much as possible.

  12. [...] ported the jQuery Password Strength Meter from JavaScript to [...]

  13. [...] to measure password strength. He gives points to certain characteristics of the password. Here’s the link. Worth a look. Posted by dante regis Filed in [...]

  14. [...] Strength is a stand-alone port of the WordPress.com feature written by Donncha1 and uses the same Password Strength Meter jQuery goodness, written by [...]

  15. David Bradley on June 15, 07

    I’ve mentioned the following idea elsewhere, but if you are having trouble thinking of decent passwords that you can remember, check out my passwords for scientists concept.

    http://www.sciencetext.com/passwords-for-scientists.html

    Dave B

  16. [...] believe that this is highly relevant for ALL bloggers. I could not find a WordPress plugin for the password strength meter without JQuery but that would be a very useful tool to have. Remember, the weakest link in our [...]

  17. [...] has used this code by Phiras, a wordpress.com user, which is a plugin for jQuery. An elegant solution to remember the [...]

  18. Zheileman on June 20, 07

    One suggestion:

    If the password *contains* the username (the position is not important), it’s going to be a bad password.
    Example:
    for username = paquito
    bad passwords = paquito1 / 1paquito / 1paquito1 / paquitopaquito

  19. Yash on June 21, 07

    great script…thank you

  20. Gasten on June 26, 07

    Is the number of similar characters really that important? Isn’t it just the combination of letters that does the trick? (Of course, ‘aaaaaaaa’ is not a good password, but ‘bl0k0t0’ is pretty strong, no?)

  21. [...] Password Strength Meter is designed to measure the strength of our passwords, ideal for a sign-up system. [...]

  22. Ronda on August 9, 07

    Thanks a load! Very helpful!

  23. Yearby on September 6, 07
  24. Janis on September 13, 07

    I’m trying to use your password strength meter code but I don’t need the HTML file to be named “Index.html”. When I changed its name it no longer worked. I edited the 2 js programs and cannot find where the name is referenced. How can I still make this work? Thank you.

  25. Janis on September 13, 07

    Actually I just changed the name back to Index.html and ftp’d it over and brought it up on the browser and it still doesn’t work. The 2 js files are on the web server too in the same root folder. What am I doing wrong?

  26. Marco on December 9, 07

    password_1 is a strong password; excellent. My credit card is secure.
    Seriously though, great program.

  27. Idetrorce on December 15, 07

    very interesting, but I don’t agree with you
    Idetrorce

  28. Alessandro Ronchi on December 23, 07

    It could be useful to not let users use bad passwords at registration, not only advise them.

    Is it possible?

  29. phiras on December 31, 07

    Yes, it’s possible; you should use the algorithm in a different logic.

  30. Andrey Grigorov on January 3, 08

    There are comments

    // checkRepetition(1,’aaaaaaabcbc’) = ‘abcbc’
    // checkRepetition(2,’aaaaaaabcbc’) = ‘aabc’
    // checkRepetition(2,’aaaaaaabcdbcd’) = ‘aabcd’

    in passwordStrengthMeter.js.

    But after execution checkRepetition returns
    abcbc
    aaabc
    aaabcdbcd

    Is it a mistake? What does this function do?

  31. phiras on January 3, 08

    Yes there is a mistake in this function,

    will be fixed soon.

  32. mark on January 25, 08

    Yeah, work on a visual password strength display too.

  33. iPhone on February 18, 08

    Is it working with J2EE?

  34. Wallpapers iPhone on March 2, 08

    Yep, working

  35. [...] not wordpress.com, i.e. wordpress.org, can get the plugin here. This post was inspired by this, that and the other. Written by [...]

  36. Blogono Wordpress-MU on March 3, 08

    Nice password strength tips, keep up the good posts!

  37. Prix iPhone on March 4, 08

    Nice blog, keep going!

  38. test on March 18, 08

    1234567891011121314 = strong

    Will be broken in a matter of minutes.

    Brilliant ideas flowing here, keep it up.

  39. phiras on March 18, 08

    1234567891011121314 is a 19-character password consisting of digits only (9 options for each character), not following a clear pattern. This means the probability of guessing this password is 1/9^19 (1/1350851717672992089).

    I don’t think there is any algorithm that could break it in minutes ;)

  40. [...] jQuery Password Strength Meter - Password Strength Meter is a jQuery plug-in that provides a smart algorithm to detect a password’s strength. The password strength works on a point structure: if you pass a certain test then more points are added, and in turn your password is more secure. [...]

  41. Brad Landis on April 1, 08

    I moved your algorithm over to Python for a project I’m doing, and I noticed that the password “abc123” got through as “good”, but was actually an early one that was cracked using John the Ripper. I don’t know if there’s any way to check for patterns (alphabetic, numeric, keyboard), but it does make the password a lot weaker when a pattern is present.

    Overall, I’d say your algorithm looks great. Thanks for putting it here.

  42. Brad Landis on April 1, 08

    I came up with a partial solution to finding patterns.

    I subtracted 3 points for every character that is one character away from the previous in the password (using the ord function in Python).

    Keyboard patterns are kind of hard, but I figure “qwer” (followed by “ty” most of the time) and “asdf” are more common than anything else as a keyboard pattern, so I simply searched for those two strings, and subtracted 10 if they were found.
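
The two penalties Brad describes, written here in JavaScript as an added example so they can sit next to the plugin's own scoring. This is not his Python code and not part of the plugin. Details he does not state are assumed: "one character away from the previous" is taken as a character-code difference of exactly 1 in either direction (so "abc" and "cba" are both penalised), and the keyboard strings are matched case-insensitively.

```javascript
// Added example (not Brad's Python, not the plugin): pattern penalties that can
// be subtracted from a character-class score such as the one in the post.
// Assumptions: "one character away" = char-code difference of exactly 1 in
// either direction; keyboard runs are matched without regard to case.

// 3 points for every character whose code is adjacent to the previous one,
// which catches alphabetic and numeric runs like "abc" or "123".
function sequencePenalty(password) {
  let penalty = 0;
  for (let i = 1; i < password.length; i++) {
    const step = Math.abs(password.charCodeAt(i) - password.charCodeAt(i - 1));
    if (step === 1) penalty += 3;
  }
  return penalty;
}

// 10 points once if either of the two most common keyboard runs appears.
const KEYBOARD_RUNS = ["qwer", "asdf"];
function keyboardPenalty(password) {
  const lower = password.toLowerCase();
  return KEYBOARD_RUNS.some((run) => lower.includes(run)) ? 10 : 0;
}

function patternPenalty(password) {
  return sequencePenalty(password) + keyboardPenalty(password);
}

// Constructed usage: the passwords discussed in this thread.
for (const pw of ["abc123", "qwerty", "password", "HbeqqpTvnmlzdn"]) {
  console.log(pw, patternPenalty(pw));
}
```

"abc123" loses 12 points (four adjacent steps) and "qwerty" loses 10, enough to pull both out of the "good" band under the post's thresholds. The adjacency check also fires on random strings now and then ("HbeqqpTvnmlzdn" contains "qp", "nm" and "ml"), so it is best treated as a penalty that nudges the score rather than a reason to reject a password outright.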
