npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

pbrute

v0.3.2

Published

A password strength calculator

Downloads

1

Readme

PBrute

A dependency-free, feature-rich and modern password strength calculator for NodeJS and the browser


npm badge

Quickstart

const PBrute = require('pbrute');

const pbrute = new PBrute();
pbrute.calculate('password');

{
  combinations: 208827064576n,
  time: {
    md5: 3788n,
    sha1: 12298n,
    sha256: 27294n,
    bcrypt: 73401428n,
    ntlm: 2684n,
    owasp: 208827064576000n,
    online: 626481193728000n
  },
  optimistic: '3 seconds',
  likely: 'instant',
  pessimistic: 'instant',
  messages: [
    {
      type: 'common',
      text: 'Common password: The top 0 most common password'
    },
    { type: 'length', text: 'Length: Short' },
    {
      type: 'variety',
      text: 'Character variety: Just lowercase letters'
    }
  ]
}
// Get occurances in the Have I Been Pwnd API
await pbrute.haveIBeenPwnd('password');

3730471

Installing

If you're using PBrute in NodeJS or if you have a build pipeline, install PBrute using NPM.

npm install pbrute

If you're targeting browsers and don't have a build pipeline, build PBrute and select a distribution. The bare builds only contain what's necessary to compute everything. No translation is available and messages etc. will be broken. The translations-only build contains both the core and all of the translations, for user-friendly messages in various langauges. Lastly, the full build contains everyting - core, translations and a password dictionary.

git clone https://github.com/AlexGustafsson/pbrute && cd pbrute
npm run build
ls dist
<script src="./full.min.js"></script>

Running the demo

Simply run npm start and navigate to http://localhost:3000. This is the same site as is hosted over at https://pbrute.axgn.se.

Documentation

Support

The library uses BigInt which is a new addition to JavaScript. It is not yet supported by all browsers. You can follow the up-to-date support here: https://caniuse.com/#feat=bigint.

Configuration

const pbrute = new PBrute({
  // Use Swedish for simplications and messages
  language: 'sv-SE',
  // A custom dictionary for translations (see lib/i18n.json)
  i18n: customDictionary,
  // A sorted list of top passwords
  dictionary: ['password', '123456', 'qwerty'],
  calculationTimes: {
    // Custom time for computing a MD5 hash in milliseconds
    md5: 551200000000n
  }
});

Calculating cracking times

This is the main method provided by PBrute. It calculates cracking time, creates human-readable messages and provides an optimistic, likely and pessimistic crack time.

pbrute.calculate('password');

{
  combinations: 208827064576n,
  time: {
    md5: 3788n,
    sha1: 12298n,
    sha256: 27294n,
    bcrypt: 73401428n,
    ntlm: 2684n,
    owasp: 208827064576000n,
    online: 626481193728000n
  },
  optimistic: '3 seconds',
  likely: 'instant',
  pessimistic: 'instant',
  messages: [
    {
      type: 'common',
      text: 'Common password: The top 0 most common password'
    },
    { type: 'length', text: 'Length: Short' },
    {
      type: 'variety',
      text: 'Character variety: Just lowercase letters'
    }
  ]
}

The combinations value is the number of possible combinations within the identified character set - such as lowercase letters.

The time object contains the number of milliseconds required to brute force the password. Most keys stand for the algorithm used. The key owasp represents the OWASP recommendation that the hashing a password should be tuned to be computed in one second. The online key represents the Google recommendation of a response time in under three seconds.

The optimistic time is a human-readable time (see humanizeTime) for the longest calculated cracking time. The likely time is a human-readble most likely crack time (currently using MD5). The pessimistic time is the fasest calculation time (currently using NTLM).

The messages array contains human-readable messages. One of the message type is common which checks the OWASP top 10 000 passwords found in real leaks. The message type variety contains messages about the size of the character classes contained within the password. The pattern type mentions patterns found in the password.

Simplifying time

This function takes a BigInt of milliseconds, rounds it to the nearest class such as months and returns a human-readable string.

pbrute.humanizeTime(6129261512n);

'2 months'

Check the password towards the Have I Been Pwnd API

This function performs a lookup towards https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange using a k-anonymity model. The password is first hashed using SHA-1, then the first five hashed characters are sent to the API which responds with any found hash starting with the sent prefix. The hashes are then compared locally to securely verify if the password has been found in password leaks.

await pbrute.haveIBeenPwnd('password')

3730471

Contributing

Any contribution is welcome. If you're not able to code it yourself, perhaps someone else is - so post an issue if there's anything on your mind.

Development

# Clone the repository
git clone https://github.com/AlexGustafsson/pbrute

# Enter the directory
cd pbrute

# Install dependencies
npm install

# Follow the conventions enforced
npm run lint
npm run test
npm run coverage
npm run check-duplicate-code
npm run build
npm run integration

# Build for production
npm run build

Disclaimer

Although the project is very capable, it is not built with production in mind. Therefore there might be complications when trying to use the API for large-scale projects meant for the public. The library was created to easily calculate password strength and as such it might not promote best practices nor be performant.