npm package discovery and stats viewer.


© 2024 – Pkg Stats / Ryan Hefner

tai-password-strength

v1.1.3

Published

Check password strength

Downloads

35,998

Readme

Password Strength Tester

Password Strength is a library that calculates the relative strength of a password using several techniques. Primarily it relies on letter trigraphs, which check each set of 3 characters in a given password. More information on the trigraph calculations is available. It also calculates entropy bits using Claude Shannon's technique: determine the number of bits required to represent a set of characters and multiply it by the length of the password. There is also a check to see if a password is contained in a list of common passwords.

There is a wonderful demo page where you can test out the technology yourself.


Usage

The Password Strength library is wrapped with fid-umd, and is usable in a variety of systems. When you use the .check() method for the password "abcd1234", the results may look like what you see below. Comments are added to explain the fields.

{
    charsetSize: 36,  // Explained better below
    commonPassword: true,  // If true, don't use this password!
    nistEntropyBits: 18, // NIST 800-63, probably not a good measurement
    passwordLength: 8,  // Same as string.length
    shannonEntropyBits: 24,  // Claude Shannon's method
    strengthCode: 'WEAK',  // Our ranking of the password's strength
    trigraphEntropyBits: 39.71755017780513,  // Based on trigraphs
    charsets: {
        number: true,  // Contains 0-9
        lower: true,  // Contains a-z
        upper: false,  // Contains A-Z
        punctuation: false,  // Contains common sentence punctuation
        symbol: false,  // Contains mathematical symbols
        other: ''  // Unicode and uncaught characters
    }
}

The charset size is the sum of the lengths of the different charsets that the password uses. The higher this number, the harder the password is to brute-force. That's precisely why password policies often say "must contain one lowercase letter, one uppercase letter, one number and a symbol".

The strength code is based on the trigraph entropy bits when they are available and will fall back to the Shannon entropy bits. It's one of five values: VERY_WEAK, WEAK, REASONABLE, STRONG, and VERY_STRONG. The NIST scores are based on NIST Special Publication 800-63, but this is considered to not provide an accurate measurement of entropy and is included for completeness and comparison to the other algorithms.

Trigraph entropy bits is discussed more here.

The charsets property is an object whose values are booleans, except for the other property. That one is a catch-all string of the characters that were not caught and tallied into one of the other charset lists. The list of characters in other is deduplicated.
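The shannonEntropyBits and nistEntropyBits figures in the sample output above can be reproduced by hand. The block below is an added example, not the library's source: it assumes the Shannon figure is computed from character frequencies inside the password itself and that the NIST figure follows the SP 800-63 Appendix A length table (the 6-bit composition bonus is an assumption about how the rule is applied). It also shows why the page pairs these numbers with a common-password check: the Shannon figure only rewards distinct characters.

```javascript
// Added example; function names are this example's own, not the library API.

// Shannon: per-character entropy from the password's own character
// frequencies, multiplied by the password length.
function shannonEntropyBits(password) {
    const chars = Array.from(password); // iterate by code point
    const counts = new Map();
    for (const ch of chars) {
        counts.set(ch, (counts.get(ch) || 0) + 1);
    }
    let bitsPerChar = 0;
    for (const n of counts.values()) {
        const p = n / chars.length;
        bitsPerChar -= p * Math.log2(p);
    }
    return bitsPerChar * chars.length;
}

// NIST SP 800-63 Appendix A heuristic for user-chosen passwords.
function nistEntropyBits(password) {
    const len = Array.from(password).length;
    let bits = 0;
    if (len >= 1) bits += 4;                            // first character
    if (len > 1) bits += 2 * (Math.min(len, 8) - 1);    // characters 2-8
    if (len > 8) bits += 1.5 * (Math.min(len, 20) - 8); // characters 9-20
    if (len > 20) bits += len - 20;                     // characters 21+
    // Assumed: bonus when both an uppercase and a non-alphabetic char appear.
    if (/[A-Z]/.test(password) && /[^A-Za-z]/.test(password)) bits += 6;
    return bits;
}

// Constructed sample passwords. "abcd1234" is the page's own example;
// the others show how the two measures react to repetition and case.
for (const pw of ["abcd1234", "aaaaaaaa", "Abcd1234", "aabbccdd"]) {
    console.log(pw, {
        shannon: shannonEntropyBits(pw),
        nist: nistEntropyBits(pw)
    });
}
```

Neither figure knows that "abcd1234" is a widely used password; only the commonPassword flag in the sample output catches that.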

Browser

Include lib/password-strength.js in your project.

<script src="path/to/password-strength.js"></script>

Next you will want to instantiate the modules and make some AJAX calls to fetch additional data and make the password strength tester more accurate and informative. This bit of code uses jQuery, but similar code can be written for any framework.

$(function () {
    // Create the instance that can be used immediately for strength tests
    window.passwordStrength = new PasswordStrength();

    // Add additional files that improve the results
    $.getJSON("path/to/data/common-passwords.json", function (data) {
        window.passwordStrength.addCommonPasswords(data);
    });
    $.getJSON("path/to/data/trigraphs.json", function (data) {
        window.passwordStrength.addTrigraphMap(data);
    });
});

Later, to calculate the strength of a password you would use something like this:

if (window.passwordStrength) {
    var strength = window.passwordStrength.check("abcd1234");

    // Matches both VERY_WEAK and WEAK
    if (strength.strengthCode.indexOf('WEAK') >= 0) {
        alert("Your password is too weak.");
    }
}

Node.js

First run npm install --save tai-password-strength and then your code would look a bit like this:

var taiPasswordStrength = require("tai-password-strength");
var strengthTester = new taiPasswordStrength.PasswordStrength();
// This first check runs before the extra data files are added
var results = strengthTester.check("abcd1234");

// Add in extra files for additional checks and better results
strengthTester.addCommonPasswords(taiPasswordStrength.commonPasswords);
strengthTester.addTrigraphMap(taiPasswordStrength.trigraphs);
var betterResults = strengthTester.check("abcd1234");

if (betterResults.strengthCode.indexOf('WEAK') >= 0) {
    throw new Error("Your password is too weak");
}