A microservice wrapper around the zxcvbn password strength estimator.
The zxcvbn library from Dropbox is unmatched for estimating password strength because it:
However, it has a couple of (potential) drawbacks:
Therefore it might be ideal to run it in a remote web service in cases where you'd like to:
There are official ports for Python and iOS, and unofficial attempts at ports for Java (zxcvbn-java, zxcvbn-gwt) and PHP (zxcvbn-php, php-zxcvbn), but none of them come close to having parity with the official JavaScript version (no doubt other ports also exist, likely plagued by the same problems).
While it does compile and run on JVM (with Rhino and Nashorn) the file size and/or runtime cost is prohibitively high.
Disadvantages of running zxcvbn remotely:
- If you don't control the zxcvbn server, it could be logging your candidate passwords.

Clone this repo, install dependencies (`npm install`), and run it in the usual way (`node app.js`).
To use, send an HTTP POST to https://.../zxcvbn.
Be sure to only host this service over SSL (or similarly secure channel). These are passwords being sent over the wire here; treat them with care.
Multiple input formats are supported:
- `Content-Type: text/password`: send the password to check in the body of the request.
- `Content-Type: application/x-www-form-urlencoded`: send the password to check in a field called `password` (as in a usual form submission).
- `Content-Type: application/json`: send a JSON object with the password to check in a field called `password`.
You'll receive a response of type `application/json` of the form:

```json
{
  "guesses": 273,
  "guesses_log10": 2.436162647040756,
  "calc_time": 16,
  "crack_times_seconds": {
    "online_throttling_100_per_hour": 9828,
    "online_no_throttling_10_per_second": 2.73,
    "offline_slow_hashing_1e4_per_second": 0.0273,
    "offline_fast_hashing_1e10_per_second": 2.73e-8
  },
  "crack_times_display": {
    "online_throttling_100_per_hour": "3 hours",
    "online_no_throttling_10_per_second": "3 seconds",
    "offline_slow_hashing_1e4_per_second": "less than a second",
    "offline_fast_hashing_1e10_per_second": "less than a second"
  },
  "score": 0,
  "feedback": {
    "warning": "This is a very common password",
    "suggestions": [
      "Add another word or two. Uncommon words are better."
    ]
  }
}
```
The response differs slightly from the result object documented at dropbox/zxcvbn#usage. The field `sequence` is stripped, as it is quite verbose and probably not very useful for the purposes of this service. The undocumented field `password`, which echoes back the supplied password, is also stripped from the response.
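The request parsing and response stripping described above, as an added example that is not the project's own `app.js`: it handles the three accepted `Content-Type` values, rejects anything else, and removes the `sequence` and `password` fields before the result is returned. The estimator is injected as a function (in the real service it would be `require('zxcvbn')`) so the snippet runs offline; `checkPassword` and its 400 response are assumptions of this example, not the service's documented behaviour.

```javascript
// Pick the password out of a request body according to its Content-Type.
// Returns null when the type is unsupported or no usable password is present.
function extractPassword(contentType, body) {
  // Only the media type matters; ignore parameters such as "; charset=utf-8".
  const type = String(contentType || '').split(';')[0].trim().toLowerCase();
  switch (type) {
    case 'text/password':
      return body; // the raw body is the password
    case 'application/x-www-form-urlencoded':
      return new URLSearchParams(body).get('password');
    case 'application/json': {
      try {
        const obj = JSON.parse(body);
        return obj && typeof obj.password === 'string' ? obj.password : null;
      } catch (e) {
        return null; // malformed JSON
      }
    }
    default:
      return null; // unsupported Content-Type
  }
}

// Drop the verbose `sequence` array and the undocumented `password` echo so the
// candidate password never travels back to the client in the response.
function sanitize(result) {
  const { sequence, password, ...rest } = result;
  return rest;
}

// Glue: parse the request, run the injected estimator, return a status + body.
function checkPassword(contentType, body, estimate) {
  const password = extractPassword(contentType, body);
  if (typeof password !== 'string' || password.length === 0) {
    return { status: 400, body: { error: 'no password supplied' } };
  }
  return { status: 200, body: sanitize(estimate(password)) };
}
```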
zxcvbn-server
A public, free-to-use zxcvbn-server is available at password.wtf. While this server does power production applications, it's provided to the public with no warranty, so use it at your own risk.