Password strength meters are becoming more and more popular amongst web services. Google uses one when creating a Google account. One can argue how useful these meters really are, but non-the-less they are fairly cool for users. So how does one go about making one of these meters? Well it’s fairly straight forward.
The basic break down is we add an event handler on your password field that will check the password for every key input the user types. This allows for an updated meter as the user types the password. When you get into the algorithm that actually checks how secure a password is, there are many routes you can go. When researching for this project, I chose to base my code off of the kind folks over at Intelligent Web. There theory is to calculate how many different combinations there are for the password you enter, then determine how many days it would take to crack your password. The algorithm returns a percentage that we then in turn convert to a nice GUI for the end user to see. So let’s take a look at the code:
The JavaScript is fairly straight forward. There are settings at the top for different checks to enable or disable. Here is the JavaScript:
[ftf]
// Password strength meter v1.0
// Matthew R. Miller – 2007
// www.codeandcoffee.com
// Based off of code from http://www.intelligent-web.co.uk
// Settings
// — Toggle to true or false, if you want to change what is checked in the password
var bCheckNumbers = true;
var bCheckUpperCase = true;
var bCheckLowerCase = true;
var bCheckPunctuation = true;
var nPasswordLifetime = 365;
// Check password
function checkPassword(strPassword)
{
// Reset combination count
nCombinations = 0;
// Check numbers
if (bCheckNumbers)
{
strCheck = “0123456789″;
if (doesContain(strPassword, strCheck) > 0)
{
nCombinations += strCheck.length;
}
}
// Check upper case
if (bCheckUpperCase)
{
strCheck = “ABCDEFGHIJKLMNOPQRSTUVWXYZ”;
if (doesContain(strPassword, strCheck) > 0)
{
nCombinations += strCheck.length;
}
}
// Check lower case
if (bCheckLowerCase)
{
strCheck = “abcdefghijklmnopqrstuvwxyz”;
if (doesContain(strPassword, strCheck) > 0)
{
nCombinations += strCheck.length;
}
}
// Check punctuation
if (bCheckPunctuation)
{
strCheck = “;:-_=+\|//?^&!.@$£#*()%~<>{}[]“;
if (doesContain(strPassword, strCheck) > 0)
{
nCombinations += strCheck.length;
}
}
// Calculate
// — 500 tries per second => minutes
var nDays = ((Math.pow(nCombinations, strPassword.length) / 500) / 2) / 86400;
// Number of days out of password lifetime setting
var nPerc = nDays / nPasswordLifetime;
return nPerc;
}
// Runs password through check and then updates GUI
function runPassword(strPassword, strFieldID)
{
// Check password
nPerc = checkPassword(strPassword);
// Get controls
var ctlBar = document.getElementById(strFieldID + “_bar”);
var ctlText = document.getElementById(strFieldID + “_text”);
if (!ctlBar || !ctlText)
return;
// Set new width
var nRound = Math.round(nPerc * 100);
if (nRound < (strPassword.length * 5))
{
nRound += strPassword.length * 5;
}
if (nRound > 100)
nRound = 100;
ctlBar.style.width = nRound + “%”;
// Color and text
if (nRound > 95)
{
strText = “Very Secure”;
strColor = “#3bce08″;
}
else if (nRound > 75)
{
strText = “Secure”;
strColor = “orange”;
}
else if (nRound > 50)
{
strText = “Mediocre”;
strColor = “#ffd801″;
}
else
{
strColor = “red”;
strText = “Insecure”;
}
ctlBar.style.backgroundColor = strColor;
ctlText.innerHTML = “” + strText + ““;
}
// Checks a string for a list of characters
function doesContain(strPassword, strCheck)
{
nCount = 0;
for (i = 0; i < strPassword.length; i++)
{
if (strCheck.indexOf(strPassword.charAt(i)) > -1)
{
nCount++;
}
}
return nCount;
}
[/ftf]
On the HTML side, I have setup a simple form to display the interaction the user will receive.
[ftf]
[/ftf]
The magic lies inside the event handler I spoke about above. The “onkeyup” event passes the current password, and the ID for this input item. The ID is used to reference the below div tags that show the strength meter and text. The ID allows for you to have more than one password meter per form, per page.
[ftf]
[/ftf]The algorithm can be enhanced if you wish to get more complicated with the strength checking. One can also adjust the colors and text for the various strength levels displayed to the user.[ftf]
// Color and text
if (nRound > 95)
{
strText = “Very Secure”;
strColor = “#3bce08″;
}
else if (nRound > 75)
{
strText = “Secure”;
strColor = “orange”;
}
else if (nRound > 50)
{
strText = “Mediocre”;
strColor = “#ffd801″;
}
else
{
strColor = “red”;
strText = “Insecure”;
}
[/ftf]
Further features could be displaying when a user has not entered a valid password, for example not a long enough length.
Here is a demo of the above code, and download links so you can implement this into your sign up pages. Enjoy!
Right Click to Download:
Very nice post, really, go on!
Nice article. I can see a lot of uses for this.
However, I think I’m going to have to look for another algorithm.
The password “password” shows as “very secure”
it seems that the level of security is measured only by the size of the password. dictionary words long enough evaluate to “very secure”…
WOW! This is awesome. Thank you very much for sharing this kind of quality content with the rest of us.
I’m planning on implementing this within the next little while, and if I can contribute any improvements (perhaps to the GUI), I will let you know.
Man, please keep it coming.
WebGyver
http://www.webgyver.info
====================================
Tools and Resources for Successful Web Design,
Web Development, Web Applications and
Web Business Marketing
you call a password called “password” secure? this needs to use a common password filter.
Cool idea but lame results. The javascript is there to check for alpha, numeric, upper, lower and punctuation in a password but it obviously doesn’t actually check for those elements. Just password length.
As stated above, this a proof of concept. I will work on making the algorithm better here in the near future.
The algorithm is the heart of script. Without a good one, the whole program is useless.
kid,
That’s not entirely true.. this is a proof of concept… it is not meant to be a drop in solution.
Haha, the password “password” turns out to be “very secure”. Try harder next time.
I’m always a little sceptical of sites that “look” at my passwords. I know my password is good. What I don’t know is if a site is storing it in plain text or otherwise exposing it to the outside world. If I see something like this I’m not going to enter my good password (I memorize about one strong password at a time and use it for sensitive systems. I don’t have room in my noggin for more than one and writing passwords down is the fastest way to have a password burned) so I’ll enter an easy to remember (and crack) password.
But that’s just me an I’m a humungus nerd. For those less well endowed in the geek department, I’m sure these meters make them feal better.
Cool idea. Don’t listen to party pooper. I’m sure you can implement a better algorithm in an evening.
Good idea, needs to check the password against dictionary etc. Once you do that you’ll want to implement the check server-side, as otherwise your Javascript will get too big.
Surely “password” shouldn’t be categorised as “Very Secure”
Surely “password” shouldn’t be categorised as “Very Secure”, sorry submitted to early. However – a list of completely banned words can simply be added to check against, but obviously checking this list could become long, something clever with a better bigO search profile would be quite cute.
However the basics in the demo will be very useful as a starting block to make a gorgeous addition to any interface where setting up a user and password is needed, I’m also considering adding it to a letter counter in an app that has users entering free text so they know when they’re approaching the limit of the paper the form will eventually be printed on.
There is a new version available at: http://www.codeandcoffee.com/2007/07/16/how-to-make-a-password-strength-meter-like-google-v20/
just add a combination of alphabets and numbers it it becomes ‘very secure’!!
Excellent and informative blog post but the results need a bit more work. By the measure of this strength checker my password: “11111111111111″ is just as strong as “3rc$£$342c82@” which is not true. A proper checker would have to look at things like dictionary words and repetition / simple patterns.
Is this a joke, or are you retarded?
I just used password in as the password and it told me it was very secure….problem?
How good can it be if the password “password” scores “very secure?”
great..maybe I should try one…:)
Even “aaaaaaaaa” scores as secure.
Ugh, the way you don’t indent your code makes me want to puke.
The algorithm sucks imho.
All this does is lure users into a false sense of security. “12345678901″ is classified as “Very Secure”.
You have to take ALL variables into account, not just one..
Well it’s been said 30 times already but the algorithm is horrible, though the javascript is cool if given the right security measures.
“1111111111″ and “password” are not very secure in any environment.
I’d love to see a rework of the php though…
Google uses a Dictionary along with checking all the above (uppercase & lowercase, numbers, etc…) for validating password strength.
Unfortunately the demo rated the password “changeme” as “very secure”. It’s a fun article, but as others have pointed out, it might be good to point out the heuristics involved.
A password of “aaaaaaaaaaaaaaaaaa” gives a result of very secure, wouldn’t it be better to measure the entropy of a password through chi square analysis etc.?
Well, how simple is it to brute force “aaaaaaaaaaaaaaaaaa” if the passwords are stored with a salt and sha256? A simple check to see if all the chars are the same could be usefull to stop the most emo users from doing this.
A requirement for “very secure” could be char, number and special char in the password
E.g. “.aSSw0rp” would be a way better password then “password” and not that much harder to remember even for grandma
This is gay, i put in “howsthis” and it said it was very secure? wtf…
There is a version 2.0 of this script that has a better way of rating implemented. http://www.codeandcoffee.com/2007/07/16/how-to-make-a-password-strength-meter-like-google-v20/
Maybe it would be better to set it like
that on line 64:
if (strPassword.length 0)
It’s useless!
I typed “ddddddd”,it display “Very Secure”,do you think the “dddddddd” password is secure?
NO!
So it’s no use at all,and may mislead the user.
it’s very helpfull i need it in my app
Thanx
poor script. attaching an arbitrary rating depending on the amount of numbers or letters is a bad way of determining password strength. as others have posted, under this system “password” is a very secure password. As is “11111111111″.
This script could be improved greatly by checking that the string does not include repeated characters and putting in an AJAX call that runs a cross-check against a dictionary to weed out real words.
But, as others have said, the script provides a base at least for others to build upon, so kudos for that.
Comments closed as there is a new version available at:
http://www.codeandcoffee.com/2007/07/16/how-to-make-a-password-strength-meter-like-google-v20/