@Update : Password Strength Meter V2 , new UI improvements.
Password Strength Meter is a jQuery plug-in provide you smart algorithm to detect a password strength.
The Password strength procedure is working as the follow:
We have many cases to care about to know a password strength , so we will present a global variable score , and each case will add some points to score.
At the end of the algorithm we will decide the password strength according to the score value.
The cases we have are :
- If the password matches the username then BadPassword
- If the password is less than 4 characters then TooShortPassword
- Score += password length * 4
- Score -= repeated characters in the password ( 1 char repetition )
- Score -= repeated characters in the password ( 2 char repetition )
- Score -= repeated characters in the password ( 3 char repetition )
- Score -= repeated characters in the password ( 4 char repetition )
- If the password has 3 numbers then score += 5
- If the password has 2 special characters then score += 5
- If the password has upper and lower character then score += 10
- If the password has numbers and characters then score += 15
- If the password has numbers and special characters then score += 15
- If the password has special characters and characters then score += 15
- If the password is only characters then score -= 10
- If the password is only numbers then score -= 10
- If score > 100 then score = 100
Now according to score we are going to decide the password strength
- If 0 < score < 34 then BadPassword
- If 34 < score < 68 then GoodPassword
- If 68 < score < 100 then StrongPassword
Online demo.
PasswordStrengthMeter.zip
@Update : this work is CC licensed
Password strength meter by Firas I. Kassem is licensed under a Creative Commons Attribution 3.0 Unported License.
@fiso on twitter
@Update : Password Strength Meter V2 , new UI improvements.
Phiras\'s Blog 
in the code, it has 1000 instead of 100.
Comment by jss — May 9, 07 @ 1:20 am
Allright, It’s ok now.
thank you 🙂
Comment by phiras — May 9, 07 @ 8:33 am
are you phiras
Comment by karam — May 28, 07 @ 11:21 pm
Wow, nice plugin. One suggestion. You might want to make a demo with a graphic visualization of the strength. Microsoft and Google both do this. Like red 50px bar for weak, yellow 100px for medium, 150px green for strong. I think this is doable right out of the box, but it makes for a compelling demo.
Again, awesome work!
Comment by Glen Lipka — June 1, 07 @ 5:40 pm
Thank you Glen,Nice idea 🙂 .
I’ll work on this soon .
Comment by phiras — June 1, 07 @ 9:49 pm
[…] using this code by Phiras. Thank you Phiras for making it available! I’m going to integrate this into WPMU […]
Pingback by How strong is your password? « WordPress.com — June 7, 07 @ 12:38 pm
[…] he visto en Phiras’s Blog, y se trata de una función que nos devolverá el tipo de contraseña que estamos […]
Pingback by Controla la seguridad de tus contraseñas con JS | aNieto2K — June 7, 07 @ 2:05 pm
is there any way to distinguish between random letters and words, or does the distinction make no difference as far as password strength?
IOW, is HbeqqpTvnmlzdn any better than StrongPassword as a password?
Comment by jd2718 — June 7, 07 @ 2:17 pm
“HbeqqpTvnmlzdn” is WAY better than “StrongPassword”, as the first one would require an exhaustive brute-force attack, while the latter one could be broken with a simple dictionary attack. Ignoring the case (to simplify the calculation), the first would need an average of 3*(10^19) operations, while the latter would be broken for sure after 1.5*(10^13) operations using an extremely large dictionary and 100 billion attempts using a small dictionary. That means, the first one would need AT LEAST about 2 billion times the time to break compared to the first one. As dictionary attacks are the only thing anyone might even consider trying against a web application, the first password would be unbreakable, while the second one would give the attacker a slight chance. However, if the attacker managed to test 10 passwords per second using a small dictioary of 10000 words, the probability that he manages to beak the password within a week is 6% – and the wordpress admin team should notice someone hammering their server with 10 wrong auth requests per second within less than a week.
Additionally, the “password strength meter” considers “0123456789” to be a good password. In reality, a dictionary attack would break it within quite a short time (I think about 20000 attempts at max.)
If anyone wants to hack some blogs, he is going to do a simple dictionary attack, without going for passwords consisting of two words, so nearly ANY password not in a password cracking dictionary (qwertz, 123456, asdf and similar things ARE in such dictionaries) will protect you. If anyone wants to hack exactly YOUR block, he WILL infect your pc with a trojan and steal the password or sniff it from a network you use, and then even a password like f”gh&&sah/svSD13″bjh+§#gHW23= is not going to help you.
Comment by Jan — June 7, 07 @ 2:53 pm
[…] believe that this is highly relevant for ALL bloggers. I could not find a WordPress plugin for the password strength meter without JQuery but that would be a very useful tool to have. Remember, the weakest link in our […]
Pingback by Weblog Tools Collection » Blog Archive » How strong is your password? — June 7, 07 @ 3:24 pm
hmm , in fact this is a simple solution (My work) , If we want to handle more complicated cases we need to do it on the server-side because we are going to use a dictionary and another detection approaches.
We can’t do a lot of work to detect the password strength on the client browser (fully client script) , and I’m working to improve it as possible
Comment by phiras — June 8, 07 @ 10:57 pm
[…] ported the jQuery Password Strength Meter from JavaScript to […]
Pingback by PHP Password Strength Algorithm at Alix Axel Weblog — June 9, 07 @ 2:43 am
[…] to measure password strength. He gives points to certains characteristics of the password. Here’s the link. Worth a look. Posted by dante regis Filed in […]
Pingback by Measuring Password Strength « ditoinfo in english — June 11, 07 @ 4:50 pm
[…] Strength is a stand-alone port of the WordPress.com feature written by Donncha1 and uses the same Password Strength Meter jQuery goodness, written by […]
Pingback by How Strong is YOUR Password? at Incoherent Babble — June 13, 07 @ 2:33 am
I’ve mention the following idea elsewhere, but if you are having trouble thinking of decent passwords that you can remember, check out my passwords for scientists concept.
http://www.sciencetext.com/passwords-for-scientists.html
Dave B
Comment by David Bradley — June 15, 07 @ 6:58 am
[…] believe that this is highly relevant for ALL bloggers. I could not find a WordPress plugin for the password strength meter without JQuery but that would be a very useful tool to have. Remember, the weakest link in our […]
Pingback by RiverlandPages » How strong is your password? — June 17, 07 @ 12:47 am
[…] ha usado este código de Phiras, usuario de wordpress.com, que es un plugin para jQuery. Una solución elegante para recordar la […]
Pingback by Medidor de seguridad en contraseñas » La mate por un yogur — June 18, 07 @ 11:32 pm
One suggestion:
If the password *contains* the username (it’s no important the position), it’s going to be a bad password.
Example:
for username = paquito
bad passwords = paquito1 / 1paquito / 1paquito1 / paquitopaquito
Comment by Zheileman — June 20, 07 @ 1:51 pm
great script…thank you
Comment by Yash — June 21, 07 @ 5:17 pm
Is the number of similar characters really that important? isn’t it just the combination of letters that do the trick? (Of cause, ‘aaaaaaaa’ is not a good password, but ‘bl0k0t0’ is pretty strong, no?
Comment by Gasten — June 26, 07 @ 2:56 pm
[…] Password Strength Meter está diseñado para medir la fortaleza de nuestras contraseñas, ideal para un sistema de altas. […]
Pingback by Propiedad Privada » Blog Archive » De web varia — July 3, 07 @ 9:43 am
Thanks a load! Very helpful!
Comment by Ronda — August 9, 07 @ 6:44 am
http://ohlabundi.biz/tramadol/directplanetdnsnet-link-sale-tramadol-zdd.php
Comment by Yearby — September 6, 07 @ 3:51 am
I’m trying to use your password strength meter code but I don’t need the HTML file to be named “Index.html”. When I changed it’s name it no longer worked. I edited the 2 js programs and cannot find where the name is referenced. How can I still make this work? Thank you.
Comment by Janis — September 13, 07 @ 8:25 pm
Actually I just changed the name back to Index.html and ftp’d it over and brought it up on the browser and it still doesn’t work. The 2 js files are on the web server too in the same root folder. What am I doing wrong?
Comment by Janis — September 13, 07 @ 8:29 pm
password_1 is a strong password; excellent. My credit card is secure.
Seriously though, great program.
Comment by Marco — December 9, 07 @ 5:40 am
very interesting, but I don’t agree with you
Idetrorce
Comment by Idetrorce — December 15, 07 @ 6:37 pm
It could be useful to don’t let users use bad passwords in registrations, not only advise them.
Is it possible?
Comment by Alessandro Ronchi — December 23, 07 @ 1:33 pm
Yes it’s possible, you should use the algorithm in a different logic.
Comment by phiras — December 31, 07 @ 1:06 am
There are comments
// checkRepetition(1,’aaaaaaabcbc’) = ‘abcbc’
// checkRepetition(2,’aaaaaaabcbc’) = ‘aabc’
// checkRepetition(2,’aaaaaaabcdbcd’) = ‘aabcd’
in passwordStrengthMeter.js.
But after execution checkRepetition return
abcbc
aaabc
aaabcdbcd
Is it mistake? What can this function do?
Comment by Andrey Grigorov — January 3, 08 @ 10:04 am
Yes there is a mistake in this function,
will be fixed soon.
Comment by phiras — January 3, 08 @ 11:44 am
Yeah, work on a visual password strength display too.
Comment by mark — January 25, 08 @ 11:21 pm
is it working with J2EE ?
Comment by iPhone — February 18, 08 @ 1:31 pm
Yep, working
Comment by Wallpapers iPhone — March 2, 08 @ 1:24 am
[…] bukan wordpress.com alias wordpress.org bisa mendapatkan pluginnya di sini. Tulisan ini terinspirasi oleh ini, itu dan inu. Ditulis oleh […]
Pingback by Kekuatan PassWord « Panduan Tidak Resmi Wordpress.com — March 3, 08 @ 2:52 am
nice passwords strength tips, keep on with the good posts!
Comment by Blogono Wordpress-MU — March 3, 08 @ 1:17 pm
Nice blog, keep on going !
Comment by Prix iPhone — March 4, 08 @ 5:27 am
1234567891011121314 = strong
Will be broken in a matter of minutes.
Brilliant ideas flowing here, keep it up.
Comment by test — March 18, 08 @ 10:50 am
1234567891011121314 is a 19 character consist of digits only (9 options for each character), not following a clear pattern , this means : the probabilty to get this password is : 1/9^19 (1/1350851717672992089).
I don’t think there is any algorithm could break it in minutes 😉
Comment by phiras — March 18, 08 @ 12:18 pm
[First question]
—————–
With “1/9^19 (1/1350851717672992089)” you mean
(1/9)^19*(1/1350851717672992089)
or
1/(9^19)*(1/1350851717672992089)
or
1/(9^19)=(1/1350851717672992089)?
**********************************************************************
[Second question]
—————–
How to calculate how many guesses have to do a bruteforce program for “1234567891011121314” password? This expression is correct:
[1*(10^18)]+[2*(10^17)]…[3*(10^2)]+[1*(10^1)]+[4*(10^0)]?
**********************************************************************
Thanks.
Comment by Cyberx — November 1, 10 @ 3:40 am
[…] JQuery Password Strength Meter – Password Strength Meter is a jQuery plug-in that provides a smart algorithm to detect a passwords strength. The Password strength works on a point structure that if you pass a certain test than more points will be added and in turn your password will be more secure. […]
Pingback by Collection of Password Strength Scripts | WebTecker the latest tech, web resources and news. — March 26, 08 @ 9:06 pm
I moved your algorithm over to Python for a project I’m doing, and I noticed that the password “abc123” got through as “good”, but was actually an early one that was cracked using John the Ripper. I don’t know if there’s any way to check for patterns (alphabetic, numeric, keyboard), but it does make the password a lot weaker when a pattern is present.
Overall, I’d say your algorithm looks great. Thanks for putting it here.
Comment by Brad Landis — April 1, 08 @ 10:27 pm
I came up with a partial solution to finding patterns.
I subtracted 3 points for every character that is one character away from the previous in the password (using the ord function in Python).
Keyboard patterns is kind of hard, but I figure “qwer” (followed by “ty” most of the time) and “asdf” are more common than anything else as a keyboard pattern, so I simply searched for those two strings, and subtracted 10 if they were found.
Comment by Brad Landis — April 1, 08 @ 10:41 pm
Nice code and algorithm! I have created a VB version of your Password Meter based from the algorithm for use with my own applications. And I would just like to inform you and seek your permision to submit the VB version in planetsourcecode.com, of course due credit will be given to you.
Thanks!
Comment by radztech — July 3, 08 @ 9:47 am
[…] nice password meter algorithm can be found here by Phiras Kassam. From the said algorithm I made a VB function and submitted it in PSC, check it […]
Pingback by RADZTECH » Blog Archive » Password Meter — July 8, 08 @ 10:03 am
Hi, I am looking at your script and looks great, just what I need at the moment. Only one thing, when I type only numbers or letters the score should be negative.
When typing: 1010101010101010101 It now says your password is strong but in my opinion this should not be possible.
Is there a way how I can’t make it possible to type only numers or letters?
Comment by Ischa — July 22, 08 @ 2:24 pm
[…] by Donncha ((Or is it that cat that does all the work? I never can tell…)) and uses the same Password Strength Meter jQuery goodness, written by Phiras!DownloadReady? Set. Goooooo! password_strength-1.0Note […]
Pingback by How Strong is YOUR Password? - Habari — August 30, 08 @ 8:08 pm
Hello!,
Comment by name — September 1, 08 @ 2:52 am
Very nice algorithm to calculate the number of options needed to crack a password.
Comment by Sam — September 23, 08 @ 1:39 pm
I was looking for such algorithms to calculate the probability of cracking a password. Nice article and comments!
Comment by JK — September 23, 08 @ 1:40 pm
[…] de las contraseñas. Existen sistemas ya desarrollados para ello que podemos implementar, como Password Strength Meter, de Phiras, entre muchos otros que se encuentran […]
Pingback by El modelo de registro de usuarios lógico | zumodered — September 26, 08 @ 1:03 pm
Hello, Do something for help those hungry people from Africa and India,
I made this blog about them:
on http://tinyurl.com/65dptv
Comment by cheritycall — October 27, 08 @ 10:21 pm
[…] Stemkoski found Phiras’s blog post about a jQuery strength tester. Which I used and modified to reduce all need for any […]
Pingback by » Javascript Password generation and strength testing. | Sheldon Lendrum — November 4, 08 @ 10:10 pm
Hi there!
I have modified your script to include a progress bar (animated) and was looking to send you it, cant find your email on the site though 😦
Can you email me on the address entered on this comment and ill send it through to you.
Cheers
Dave the Ninja
Comment by Dave the Ninja — November 5, 08 @ 1:26 pm
Was looking for exactly this thing. Going to integrate it straight away in the project (Still UC)
Comment by Aamir Afridi — November 17, 08 @ 1:57 am
What licence is this code released under? Creative Commons? Commercial usage?
Thanks!
Comment by Richy C. — January 21, 09 @ 1:17 pm
Well, it’s CC licensed now.
Comment by phiras — February 7, 09 @ 1:38 am
great script ……phiras thanks[:)],
if u have updated this code with the animated progress bar… Can you email me.
Comment by Rose — February 18, 09 @ 9:54 am
Check out the software “PasswordGeek”..
it checks for strength of the password as well as helps in storing all of ur passwords.. You need to remember only your master password rather than remembering all of ur gmail/yahoo/facebook passwords..
It has got GPL too..
You can report for any bugs..
Comment by ssn — April 1, 09 @ 10:39 am
the link to the software is :
http://sourceforge.net/projects/passwordgeek/
Comment by ssn1 — April 1, 09 @ 10:40 am
Makasih Banyak kang Phiras….. :d
Comment by Tukang Sound System — April 11, 09 @ 1:57 am
Thanks for sharing 🙂 great script
Comment by danilo — April 12, 09 @ 1:00 am
In the script password1 counts as a good password, which obviously it isn’t. A simple preg_match could check for common passwords:
$badwords = array(‘password’, ‘12345’, ‘123456789’);
if(preg_match(“/\b”.$password.”\b/i”, $badwords)) return $strength;
If anyone has a list of common passwords we could easily adapt it.
Comment by ashley — April 27, 09 @ 2:28 pm
Common passwords: http://blog.jimmyr.com/Password_analysis_of_databases_that_were_hacked_28_2009.php
Comment by ashley — April 27, 09 @ 2:28 pm
Actually, http://www.whatsmypass.com/?p=415
Comment by ashley — April 27, 09 @ 2:33 pm
[…] jQuery Password Strength Meter Plugin […]
Pingback by 10 Password Strength Meter Scripts For A Better Registration Interface :: Graficznie — May 7, 09 @ 11:56 am
[…] jQuery Password Strength Meter Plugin (jQuery) […]
Pingback by 10 gestores de complejidad de contraseñas en Javascript | aNieto2K — May 10, 09 @ 1:29 pm
[…] jQuery Password Strength Meter Plugin (jQuery) […]
Pingback by 10 gestores de complejidad de contraseñas en Javascript : Blogografia — May 12, 09 @ 7:32 pm
[…] http://plugins.jquery.com/project/pstrength or https://phiras.wordpress.com/2007/04/08/password-strength-meter-a-jquery-plugin/ […]
Pingback by Controles JQuery equivalentes a Ajax Control Toolkit - Chalalo Land — May 26, 09 @ 5:24 pm
[…] Site: https://phiras.wordpress.com/2007/04/08/password-strength-meter-a-jquery-plugin/ […]
Pingback by jQuery Password Strength Meter | Links Web — June 13, 09 @ 5:42 pm
When trying to implement this in Adobe AIR i get following error message!
TypeError: Value undefined does not allow function calls. When this function is initialized
$(‘.personPopupTrigger’).live(‘mouseover’, function()..
Any idea?
Comment by ZK@Web Marketing Blo — June 21, 09 @ 9:29 am
[…] Password Strength Meter is a JQuery plugin that uses a smart algorithm to determine the password strength. For instance, if the password matches the username it will be “bad”; if it is less then 4 characters is is “too short”; if it is long and contains letter, numbers and non-alphanumeric characters it is a “strong” password. […]
Pingback by 6 Free Password Strength Meter Scripts – For secure registrations — July 27, 09 @ 12:44 pm
[…] Password Strength Meter […]
Pingback by XanelaWeb – Diseño y Web » Contraseñas seguras con JavaScript — August 4, 09 @ 10:56 am
Nice…. very simple and functional!!!
Comment by Vinidog — August 13, 09 @ 9:01 am
Thanks for your work!
Only – passwords “1234567890” and “0123456789” both are evaluated as “Good”. Typical test user passwords… 🙂
Comment by Artūrs Gailītis — August 27, 09 @ 5:30 pm
Thank’s for the algorithm sharing.
Comment by hanum — October 13, 09 @ 4:08 pm
[…] Password Strength Meter (a jquery plugin)Password Strength Meter is a jQuery plug-in to provide you a smart algorithm that can detect the strength of a password. […]
Pingback by 35 More Useful jQuery Plugins and Techniques « Tech7.Net — October 29, 09 @ 8:33 pm
[…] Password Strength Meter (a jquery plugin) Password Strength Meter is a jQuery plug-in to provide you a smart algorithm that can detect the strength of a password. […]
Pingback by 35 More Useful jQuery Plugins and Techniques | Theme Center — November 21, 09 @ 3:19 pm
[…] Password Strength Meter (a jquery plugin) […]
Pingback by Plugin JQuery untuk Form di Web- Titan Integra — December 4, 09 @ 4:51 am
hi…..this was really cool code ….i used it and worked really well….thnx…
Comment by rohit — January 11, 10 @ 10:54 am
thanks man good post.
Comment by Peter — January 23, 10 @ 10:01 pm
A provider of mine provided this script for me to use. Thanks for coding this. But I have different set of parameters I have to customize. I know how to change a few settings but the score value is what I cant seem to get correct. Here are my requirements.
* Must be at least 8 characters
* Must contain at least one one lower case letter
* Must contain at least one upper case letter
* Must contain one numerical digit
* Must contain one special character e.g. @#_$%^&+=
How do I adjust my score to reflect that its a strong password once this is met?
Thanks for any assistance.
Comment by Chuck — April 9, 10 @ 11:22 pm
Hey,
Very nice plug-in.
really needful.
Comment by siddharth — May 6, 10 @ 2:41 pm
Chuck,
I would say 8 chars is a rather low score, slow increase for score after max char count
Upper case and lower case should be joined in score (low score) slow increase in score again
One numeric digit is high score, two is higher fast rising
One special char is high score, two is higher fast rising
alphanumeric combinations that do not fit an dictionary or pattern (1 after or before) are wildcards and can tip a passwords security depending on what is put.
That’s the point system I would use
Comment by sammaye — May 17, 10 @ 5:12 pm
Hi Sammaye,
I appreciate your reply, but I guess I am kinda lost on your response on how to score it according to the scripts, scoring parameter settings.
I do have to have it a least 8 characters but maximum of 16 with the same parameters as originally stated.
Can you give me an example on how you would modify the scoring in the script file?
-Chuck
Comment by Chuck — May 17, 10 @ 6:00 pm
Hi Chuck,
I’m not sure if it’s the code reply or the theory reply you want but since I haven’t looked at this code properly yet (haven’t had a chance) I’ll give the theory based reply:
– If password matches username bad password score = 0
– If password is less than 3 characters score = 0
– If password is 3 chars long add 10 points. Do not add score until password length is 8. This will make the score = 10 until password reaches minimum requirements. After 8 characters add 2 points for each letter.
– Now to deal with lower case and upper we will say that 1 and only 1 lower case is worth 5 points. Multiple lower case do not get points.
– 1 Upper case letter gets 5 points.
– 3 upper case letters spread out (1 or more lower case letters or digits in between) gets 15 points
– for both lower and uppper case add 15 points
– 1 number in password gets 5 points
– 2 numbers 2 upper case spread out (not bunched together i.e. as an example of what wouldnt pass out score frED123) gets 15 points
– if password has 1 special character score is 15 points
– if password has numbers, letters and special characters thats 15 points
– if password is all letters -60 points
– if password is all numbers -60 points
– if password is common -80 points
I know that don’t add up to 100 but that should give you an idea of what to do. There may be one or two clauses I ain’t thought of but overall thats a good start.
Comment by sammaye — May 18, 10 @ 8:42 pm
Hi Sammaye
I appreciate your scoring methodology. This will help as I try to modify the file. I was actually looking for a code reply of this module. But I do see where you are going with it. Ill look into the file and give it a go.
Thanks again for your response. Much appreciated.
-Chuck
Comment by Chuck — May 19, 10 @ 12:05 am
[…] hab ich einfach jetzt nicht. Wenn ich mal Zeit habe dann würde ich sicherlich probieren, meine Features in etwa wie hier auszubauen. Ein Großteil davon hat sich an 1, 2 Tagen aber nicht realisieren […]
Pingback by Passwortstärke Analyzer mit jQuery und CSS | Programmierung | IMA - Informationen Mal Anders — June 4, 10 @ 1:31 pm
I want to use this on a user info maintenance screen, and I need the keyup function to fire when the page is loaded, not just when the user hits a key in the password field. How do I do this?
Comment by Jeremy — June 7, 10 @ 4:37 pm
Jquery can do this. If you trigger a keyup action on document ready it will accomplish this action
Comment by sammaye — June 10, 10 @ 3:30 pm
[…] No permite otros caracteres. (El algoritmo y el script que utilizan está disponible y explicado aquí). Hasta aquí bien, salvo el detalle del párrafo […]
Pingback by ¿Qué le hicieron a mi banco? | Bitácora de Germán Póo-Caamaño — July 12, 10 @ 2:27 am
[…] bukan wordpress.com alias wordpress.org bisa mendapatkan pluginnya di sini. Tulisan ini terinspirasi oleh ini, itu dan inu. Ditulis oleh […]
Pingback by Kekuatan Pasword | Panduan Bisnis Syariah — July 29, 10 @ 8:52 am
Very curious topic
Comment by fax software — August 12, 10 @ 10:27 am
[…] Password – Ele monitora e exibe a força da senha digitada. Dentre os que pesquisei, achei este o mais […]
Pingback by 20 Plugins para jQuery | Renan Lima — September 2, 10 @ 10:12 pm
[…] Password Strength Meter (a jquery plugin) Password Strength Meter is a jQuery plug-in to provide you a smart algorithm that can detect the strength of a password. […]
Pingback by 35 More Useful jQuery Plugins and Techniques « Alanalanya's Blog — September 21, 10 @ 11:22 am
i was downloaded ur script.
but ur tutorial on index.html
my task on index.php
but no working ur script on my task ??
Comment by www.bung-gratis.blogspot.com — November 18, 10 @ 8:26 am
Please checkout the Google like password stength meter
http://www.meosys.com/WEB/webdemo.iface
Comment by Meosys — December 1, 10 @ 1:19 am