How to Make a Password Strength Meter Like Google v2.0
Posted on July 16, 2007, under Code Snippets, Development, How To, Security, Web Design.
Previously, in Part 1 of How to Make a Password Strength Meter Like Google I went over the basics on how to get a password strength meter up and running on your site. I got a lot of feedback on this article, mostly commenting on needing a better algorithm to determine if a password is secure or not. The algorithm I implemented in part 1 was mostly just for show. I did not further build out the algorithm because I wanted to leave it up the end user to determine what they considered a secure password or not. Furthermore, I did not want to make a scenario where a flaw in my code would be present in any sites out there that implement this.
After further research in the area of secure passwords, I am further building out the original code base to better determine a secure password from an insecure password. Here are the parameters used for measuring a secure password in version 2.0:
Password Length:
5 Points: Less than 4 characters
10 Points: 5 to 7 characters
25 Points: 8 or more
Letters:
0 Points: No letters
10 Points: Letters are all lower case
20 Points: Letters are upper case and lower case
Numbers:
0 Points: No numbers
10 Points: 1 number
20 Points: 3 or more numbers
Characters:
0 Points: No characters
10 Points: 1 character
25 Points: More than 1 character
Bonus:
2 Points: Letters and numbers
3 Points: Letters, numbers, and characters
5 Points: Mixed case letters, numbers, and characters
Password strength is measure by the percent of the above:
>= 90: Very Secure
>= 80: Secure
>= 70: Very Strong
>= 60: Strong
>= 50: Average
>= 25: Weak
>= 0: Very Weak
Implementation of the code should be the same as version 1.0. The next version will have the ability to blacklist common dictionary words. Hope this works out better than version 1.0.
Code: Version 2.0
20 Replies to "How to Make a Password Strength Meter Like Google v2.0"
Script Artists | Password Strength Meter per JS on July 18, 2007
[...] Version 2 des Artikel befasst sich sicheren Passwörtern. « Links für EntwicklerDrag and Drop [...]
Ian on July 18, 2007
Interesting article. Just a suggestion though:
I’d be inclined to use a regex to do the character counts; not sure if it will make a real difference, but it would be faster, in worst case, than the for loop in countContain().
Something like:
var nUpperCount = strPassword.replace(/[^A-Z]/g, ”).length;
var nLowerCount = strPassword.replace(/[^a-z]/g, ”).length;
var nLowerUpperCount = nUpperCount + nLowerCount;
var nNumberCount = strPassword.replace(/[^0-9]/g, ”).length;
var nCharacterCount = strPassword.replace(/[^!@#$%^&*?_~]/g, ”).length;
Matthew R. Miller on July 18, 2007
Good call… I can implement that here. My only concern is for those that might not have a good regex knowledge and want to make changes to the character strings and stuff. But good contribution!
WTL on July 18, 2007
Much, much better!
I’d change the colours of your comments though - the name/times are barely legible.
Ole on July 19, 2007
Two ifs that I felt were missing from the code in version 2.0 just for the looks and not any functionality. Saying that the empty field has a score of 5 and is weak just looks off;)
if(strPassword.length == 0){
nScore = 0;
} else if… in “checkPassword”
and
if(nScore == 0){
ctrlText.innerHTML = “”;
} in “runPassword”
Christ on July 19, 2007
To be more accurate
FUNCTIOn checkPassword()
line 96
replace
if (nNumberCount == 1)
by
if (nNumberCount >= 1)
Before one number had 10points but 2 had 0
Do the change and 1 or two 2 number will have 10 points
Christ on July 19, 2007
I forgot to say thank you to the author .. that is a nice little feature
John Williams on July 19, 2007
I think the score should be proportional to the password length, e.g.
// Password length
if (strPassword.length 4 && strPassword.length 7)
{
nScore += (strPassword.length * 3) + 1;
}
This gives similar scores to the original but with the advantage that the score increases as you add characters, and increases by proportionally more once you get to > 8 characters
John Williams on July 19, 2007
Sorry my algorithm got chopped in my previous submission, I meant to say:
if (strPassword.length 4 && strPassword.length 7) {
nScore += (strPassword.length * 3) + 1;
}
John Williams on July 19, 2007
Well my algorithm got chopped again - I apologise and leave it as an exercise for the reader! Maybe Safari Beta 3.0 is playing up?
Marli on July 21, 2007
There’s a minor bug on line 167 of the version I downloaded:
vstrColor = “#7ff67c”;
should probably read
var strColor = “#7ff67c”;
so the colour for “secure” changes properly.
Otherwise, nice job 
Darknet on July 26, 2007
This is better :)The previous one was pretty weak.
Perhaps add a common passwords check in too.
Use 20 or so of the most common.
password
changeme
letmein
god
aaaaaaa
12345
abcdef
And so on
James JOhnson on August 2, 2007
What’s the license for this code? I found http://www.geekwisdom.com/dyn/passwdmeter to be under a MIT license and no license for http://www.intelligent-web.co.uk.
Matthew R. Miller on August 2, 2007
Do what you want with the code, (commercial / non-commercial) a mention and link would be appreciated but not required.
Luke on August 3, 2007
Much better! Really well done!
Mark on August 6, 2007
I’m trying to modify the code so it checks the password that is input, cross-references the algorithm’s complexity requirements, and returns “Suggestions” for the password to make it better.
eg: “Please add (1) more character”, “Please use upper case and lower case letters”, “Please use at least (1) number”.
I have it partially working, but the Score and % keep disappearing.
Would anyone like to work on this to make this password strength meter even better than it is now?
Kevin Morrison on August 22, 2007
Haven’t had the time to go through the script, but wanted to find out if it’s performing input validation checking to ensure XSS attacks are not possible using the password field? Thanks - this is coming along quite nicely.
Tachy on November 3, 2007
Modified code 2.0 ! Check it out:
———————
var m_strUpperCase = “ABCDEFGHIJKLMNOPQRSTUVWXYZ”;
var m_strLowerCase = “abcdefghijklmnopqrstuvwxyz”;
var m_strNumber = “0123456789″;
// Runs password through check and then updates GUI
function runPassword(strPassword, strFieldID)
{
// Check password
var nScore = 0;
nScore += countDifferent(strPassword)/strPassword.length*100*(strPassword.length/10);
var nUpperCount = checkContain(strPassword, m_strUpperCase);
var nLowerCount = checkContain(strPassword, m_strLowerCase);
var nNumberCount = checkContain(strPassword, m_strNumber);
var hinweis=0;
// nur Zahlen
if (nUpperCount == 0 && nLowerCount == 0 && nNumberCount != 0) {
nScore = nScore * 0.4;
hinweis=2;
} else if (nUpperCount != 0 && nLowerCount == 0 && nNumberCount == 0) {
nScore = nScore * 0.7;
hinweis=1;
} else if (nUpperCount == 0 && nLowerCount != 0 && nNumberCount == 0) {
nScore = nScore * 0.7;
hinweis=1;
} else if (nUpperCount != 0 && nLowerCount == 0 && nNumberCount != 0) {
nScore = nScore * 0.9;
} else if (nUpperCount == 0 && nLowerCount != 0 && nNumberCount != 0) {
nScore = nScore * 0.9;
}
var shuffling=getShuffling(strPassword);
if ( shuffling = 100)
{
var strText = “very secure”;
var strColor = “#0ca908″;
}
else if (nScore >= 80)
{
var strText = “secure”;
var strColor = “#0ca908″;
}
// — Average
else if (nScore >= 50)
{
var strText = “good”;
var strColor = “#5a74e3″;
}
// — Weak
else
{
var strText = “bad”
if ( strPassword.length ” + strText + “”;
}
function countDifferent(strPassword)
{
var nCount = new Object();
for (i = 0; i 0 ) {
if ( Math.abs(lastcode-charcode) > 1 ) {
shuffling++;
}
}
lastcode=charcode;
}
return shuffling;
}
function checkContain(strPassword, strCheck)
{
for (i = 0; i -1)
{
return 1;
}
}
return 0;
}
John on July 17, 2007
Now we’re talking! Good job.