Fork me on GitHub

Project Notes

Password Strength Testers

Checking out various Javascript-based password strength testers and trying to find one that best implements latest NIST guidelines.

Notes

The NIST Digital Identity Guidelines are generally considered the gold standard and are widely adopted. Passwords are covered in NIST 800-63B 5.1.1.2 Memorized Secret Verifiers. Here’s a brief summary of the relevant recommendations:

  • memorized secrets to be at least 8 characters in length
  • permit memorized secrets to be at least 64 characters in length
  • SHALL NOT permit the subscriber to store a password “hint”
  • SHOULD NOT impose other composition rules (e.g. requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.
  • SHALL reject prospective memorized secrets that are matched in:
    • Passwords obtained from previous breach corpuses.
    • Dictionary words.
    • Repetitive or sequential characters (e.g. “aaaaaa”, “1234abcd”).
    • Context-specific words, such as the name of the service, the username, and derivatives thereof.
  • Verifiers SHOULD offer guidance to the subscriber, such as a password-strength meter
  • SHALL implement a rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made on the subscriber’s account
  • SHOULD permit claimants to use “paste” functionality when entering a memorized secret
  • SHOULD offer an option to display the secret being entered

These items all relate to the authentication user experience, and the notes that follow are a quick examination of available Javascript libraries, with the specific intent of finding those that do a good job of representing the latest NIST recommendations.

Results so far:

Evaluating Available Libraries

Certainly not exhaustive, but here’s a quick look at some libraries, taken from 10 Best Password Strength Checkers In JavaScript and other web searches.

jquery.pwstrength.bootstrap

The jquery.pwstrength.bootstrap integrates very easily with Boostrap 2/3/4. It provides an entropy check, and configuration options to support some other NIST guidelines. For example:

  • common options:
    • minChar: minimum required of characters for a password to not be considered too weak
    • maxChar: maximum allowed characters for a password
    • invalidCharsRegExp: A regular expression object to use to test for banned characters in the password.
    • usernameField: The username field to match a password to, to ensure the user does not use the same value for their password
    • specialCharClass: This is the regular expression class used to match special chars whitin the rules engine.
    • commonPasswords: A list of the most common passwords. If the user inputs a password present in the list, then it gets heavily penalized
  • available rules to enable/disable:
    • wordNotEmail
    • wordMinLength
    • wordMaxLength
    • wordInvalidChar
    • wordSimilarToUsername
    • wordSequences
    • wordTwoCharacterClasses
    • wordRepetitions
    • wordLowercase
    • wordUppercase
    • wordOneNumber
    • wordThreeNumbers
    • wordOneSpecialChar
    • wordTwoSpecialChar
    • wordUpperLowerCombo
    • wordLetterNumberCombo
    • wordLetterNumberCharCombo

jquery.pwstrength.bootstrap

password_strength

The password_strength library has a few problems:

  • designed as a JQuery Widget which is nice, but this makes it quite difficult to add to existing forms/fields (probably the main developer use-case)
  • provides entropy check/feedback
  • also provides other password checks (length, permitted characters), however these don’t follow NIST guidelines and are not configurable

password_strength

PWStrength

The PWStrength is very minimal - it is more a basic example framework that can be extended than a full solution. Limitations:

  • not designed to be nicely namespaced and cleanly integrated into client-side code
  • does not provide entropy check/feedback
  • default password checks (length, permitted characters) don’t follow NIST guidelines precisely

PWStrength

Enzoic

Enzoic Password Strength Meter is a free-to-use but branded Javascript library for checking password strength but also verify that the password has not been publicly exposed.

Enzoic also provide services for server-side integration for comprehensive account protection.

enzoic

Note: this does NOT mean all the passwords are getting sent over to Enzoic. That would be a very inappropriate trust relationship. As can be seen here, only partial SHA256, SHA1 and MD5 hashes of the password are being entered:

enzoic_traffic

Other Services

  • haveibeenpwned API - can be used to check for password and account breaches/pwnage.
  • zxcvbn - “best known existing library for estimating password strength is zxcvbn by Dropbox”

Credits and References

About LCK#163 javascriptsecurity
Project Source on GitHub Return to the Project Catalog

This page is a web-friendly rendering of my project notes shared in the LittleCodingKata GitHub repository.

LittleCodingKata is my collection of programming exercises, research and code toys broadly spanning things that relate to programming and software development (languages, frameworks and tools).

These range from the trivial to the complex and serious. Many are inspired by existing work and I'll note credits and references where applicable. The focus is quite scattered, as I variously work on things new and important in the moment, or go back to revisit things from the past.

This is primarily a personal collection for my own edification and learning, but anyone who stumbles by is welcome to borrow, steal or reference the work here. And if you spot errors or issues I'd really appreciate some feedback - create an issue, send me an email or even send a pull-request.