dropbox / zxcvbn

Low-Budget Password Strength Estimation

15,902 stars
1,003 forks
141 issues
CoffeeScript, Python

Repository Overview (README excerpt)

zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative estimation, it recognizes and weighs 30k common passwords, common names and surnames according to US census data, popular English words from Wikipedia and US television and movies, and other common patterns like dates, repeats ( ), sequences ( ), keyboard patterns ( ), and l33t speak.

Consider using zxcvbn as an algorithmic alternative to password composition policy — it is more secure, flexible, and usable when sites require a minimal complexity score in place of annoying rules like "passwords must contain three of {lower, upper, numbers, symbols}".

• __More secure__: policies often fail both ways, allowing weak passwords ( ) and disallowing strong passwords.
• __More flexible__: zxcvbn allows many password styles to flourish so long as it detects sufficient complexity — passphrases are rated highly given enough uncommon words, keyboard patterns are ranked based on length and number of turns, and capitalization adds more complexity when it's unpredictaBle.
• __More usable__: zxcvbn is designed to power simple, rule-free interfaces that give instant feedback. In addition to strength estimation, zxcvbn includes minimal, targeted verbal feedback that can help guide users towards less guessable passwords.

For further detail and motivation, please refer to the USENIX Security '16 paper and presentation.

At Dropbox we use zxcvbn (Release notes) on our web, desktop, iOS and Android clients. If JavaScript doesn't work for you, others have graciously ported the library to these languages:

• (Python)
• (C/C++/Python/JS)
• (C/C++)
• (Rust)
• (Go)
• (Java)
• (Java)
• (Ruby)
• (Ruby [via ExecJS])
• (Objective-C)
• (C#/.NET)
• (Scala)
• (PHP)
• (REST)
• (OCaml bindings for )

Integrations with other frameworks:

• (AngularJS)

Installation

zxcvbn detects and supports CommonJS (node, browserify) and AMD (RequireJS).
In the absence of those, it adds a single function to the global namespace.

Bower

Install and if you haven't already. Get : Add this script to your : To make sure it loaded properly, open in a browser and type into the console. To pull in updates and bug fixes:

Node / npm / MeteorJS

zxcvbn works identically on the server.

RequireJS

Add to your project (using bower, npm or direct download) and import as usual:

Browserify / Webpack

If you're using and have somewhere in your code, browserify and webpack should just work. But we recommend against bundling zxcvbn via tools like browserify and webpack, for three reasons:

• Minified and gzipped, zxcvbn is still several hundred kilobytes. (Significantly grows bundle size.)
• Most sites will only need zxcvbn on a few pages (registration, password reset).
• Most sites won't need immediately upon page load; since is typically called in response to user events like filling in a password, there's ample time to fetch after initial html/css/js loads and renders.

See the performance section below for tips on loading zxcvbn stand-alone.

Tangentially, if you want to build your own standalone, consider tweaking the browserify pipeline used to generate :

• adds an inline source map to the bundle. pulls it out into .
• exports a global when CommonJS/AMD isn't detected.
• compiles to before bundling. This is convenient as it allows modules to import from modules and vice-versa. Instead of this transform, one could also compile everything to first ( ) and point to instead of .
• minifies the bundle through UglifyJS, maintaining proper source mapping.

Manual installation

Download zxcvbn.js. Add to your .html:

Usage

try zxcvbn interactively to see these docs in action.
takes one required argument, a password, and returns a result object with several properties:

Acknowledgments

Dropbox for supporting open source!

Mark Burnett for releasing his 10M password corpus and for his 2005 book, Perfect Passwords: Selection, Protection, Authentication.

Wiktionary contributors for building a frequency list of English words as used in television and movies.

Researchers at Concordia University for studying password estimation rigorously and recommending zxcvbn.

And xkcd for the inspiration :+1::horse::battery::heart:
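
The README's claim that composition policies "fail both ways" can be checked in a few lines. This is an added example, not code from zxcvbn or from the original README: the function names are hypothetical, the common-password list is a constructed four-entry stand-in, and the checks are a deliberately simplified version of some pattern classes the README names (common passwords, repeats, sequences, l33t speak), not zxcvbn's matching or scoring.

```javascript
// Added example, not zxcvbn's code. COMMON is a constructed stand-in list.
const COMMON = new Set(["password", "letmein", "dragon", "monkey"]);
const LEET = { "@": "a", "4": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "7": "t" };

// The rule quoted in the text: at least three of {lower, upper, numbers, symbols}.
function passesCompositionPolicy(pw) {
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^a-zA-Z0-9]/];
  return classes.filter((re) => re.test(pw)).length >= 3;
}

// Undo case and l33t substitutions so "P@ssw0rd" compares equal to "password".
function normalize(pw) {
  return [...pw.toLowerCase()].map((c) => LEET[c] || c).join("");
}

// Longest run in which each character code differs from the previous one by
// `step`: 0 finds repeats, +1 / -1 find ascending / descending sequences.
function longestRun(pw, step) {
  let best = pw.length ? 1 : 0;
  let run = 1;
  for (let i = 1; i < pw.length; i++) {
    run = pw.charCodeAt(i) - pw.charCodeAt(i - 1) === step ? run + 1 : 1;
    best = Math.max(best, run);
  }
  return best;
}

// Guessable patterns found in pw; an empty list means none of these checks fired.
function findPatterns(pw) {
  const found = [];
  // Drop a trailing digit/symbol suffix before the list lookup ("P@ssw0rd1!").
  const stem = normalize(pw.replace(/[\d\W_]+$/, ""));
  if (COMMON.has(stem)) found.push("common password: " + stem);
  if (longestRun(pw, 0) >= 3) found.push("repeat");
  if (Math.max(longestRun(pw, 1), longestRun(pw, -1)) >= 4) found.push("sequence");
  return found;
}

function compare(pw) {
  return { policyOk: passesCompositionPolicy(pw), patterns: findPatterns(pw) };
}

// Constructed samples: two weak passwords the policy accepts and one
// four-word lowercase passphrase it rejects.
for (const pw of ["P@ssw0rd1!", "Abcd1234", "orbit lantern quince marsh"]) {
  console.log(JSON.stringify(pw), JSON.stringify(compare(pw)));
}
```

The policy passes both pattern-based passwords and rejects the passphrase, which is the mismatch a guess-based minimum score is meant to remove.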