Password Score – Password Strength Estimation using Javascript

Password Score is a JavaScript library designed to give a realistic estimation of the strength of a password. This article gives a short motivation for the library.

Password Score is designed to give a realistic estimation of the strength of a password. To speak of strength we need an appropriate measure. A common measure for this purpose comes from information theory and is called entropy. We define the entropy of a password as follows: if $N$ is the number of guesses needed to crack the password with certainty, the entropy is the base-2 logarithm of $N$.

A naive way to estimate the number of guesses needed is a brute-force approach. Given a password $p$ we take $N := n^{|p|}$, where $|p|$ is the length of $p$ and $n$ is the number of possible characters. The brute-force approach simply tries all possible combinations of $|p|$ characters. But given human nature, assuming a password to be a random sequence of characters is far too idealistic. Most of us tend to choose passwords made up of common words, names or special numbers - passwords which are easy to remember. So the naive approach highly overestimates the strength of a password.

Therefore every password cracking tool uses dictionaries, lists of common passwords and names to perform better than pure brute force. Password Score searches a given password for common words, passwords or names - in general, Password Score searches for patterns within the password. Other possible patterns are keyboard patterns like `qwerty` or sequences like `1234`. Instead of using random numbers we tend to use numbers which have a meaning, like dates - birthdays or anniversaries of any kind.
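To make the contrast concrete, here is an added example (not the Password Score library's own code) that computes the naive brute-force entropy beside a simplified pattern-aware estimate for the patterns named above: dictionary words, keyboard runs and sequences. The dictionary, the keyboard rows and the per-pattern guess formulas are constructed assumptions.

```javascript
const DICTIONARY = ['password', 'letmein', 'dragon', 'monkey', 'welcome']; // constructed list; rank = index + 1
const KEYBOARD_ROWS = ['qwertyuiop', 'asdfghjkl', 'zxcvbnm'];            // constructed: three US-layout rows
const CLASSES = [[/[a-z]/, 26], [/[A-Z]/, 26], [/[0-9]/, 10], [/[^a-zA-Z0-9]/, 33]];
// n: size of the alphabet a brute-force attacker must cover for this password.
const charsetSize = (pw) => CLASSES.reduce((n, [re, size]) => n + (re.test(pw) ? size : 0), 0);
// Naive estimate from the article: log2(n^|p|) = |p| * log2(n).
const bruteForceEntropy = (pw) => pw.length * Math.log2(charsetSize(pw));
// Length of the run starting at i whose char codes step by +1 or -1, e.g. "1234" or "dcba".
function sequenceRun(pw, i) {
  const step = pw.charCodeAt(i + 1) - pw.charCodeAt(i);
  let len = 1;
  while (Math.abs(step) === 1 && i + len < pw.length && pw.charCodeAt(i + len) - pw.charCodeAt(i + len - 1) === step) len++;
  return len;
}
// Length of the run starting at i of keys that are neighbours on one keyboard row, e.g. "qwerty".
function keyboardRun(pw, i) {
  let best = 1;
  for (const row of KEYBOARD_ROWS) {
    const pos = (k) => row.indexOf(pw[k].toLowerCase());
    let len = 1;
    while (i + len < pw.length && pos(i + len - 1) >= 0 && pos(i + len) >= 0 && Math.abs(pos(i + len) - pos(i + len - 1)) === 1) len++;
    best = Math.max(best, len);
  }
  return best;
}
// Longest dictionary word starting at i (case-insensitive): [length, rank] or null.
function dictionaryMatch(pw, i) {
  const rest = pw.slice(i).toLowerCase();
  let best = null;
  for (const [idx, word] of DICTIONARY.entries()) {
    if (rest.startsWith(word) && (!best || word.length > best[0])) best = [word.length, idx + 1];
  }
  return best;
}
// Greedy left-to-right tokenisation. Each token costs log2 of the guesses an attacker who knows the
// pattern needs for it; leftover characters fall back to brute force. The guess formulas are assumptions.
function patternEntropy(pw) {
  const n = charsetSize(pw);
  let bits = 0;
  for (let i = 0; i < pw.length; ) {
    const dict = dictionaryMatch(pw, i), kbd = keyboardRun(pw, i), seq = sequenceRun(pw, i);
    if (dict) { bits += Math.log2(dict[1]); i += dict[0]; }            // the rank-th guess in the list
    else if (kbd >= 3) { bits += Math.log2(2 * kbd * 30); i += kbd; } // direction x length x start key
    else if (seq >= 3) { bits += Math.log2(2 * seq * 10); i += seq; } // direction x length x start char
    else { bits += Math.log2(n); i += 1; }                            // one brute-forced character
  }
  return bits;
}
```

For `qwerty1234` the naive estimate is about 52 bits while the pattern-aware estimate is about 15 bits; for a password without any of these patterns both estimates coincide.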

The project can be found on GitHub and includes documentation and a simple demonstration page which can be found here. The project is not a visual strength meter as used in registration forms and modern web applications. The library simply gives an estimation of a password's strength measured in entropy, based on several data sources like dictionaries, common passwords or keyboards. The library may thus be used to implement visual strength meters.

An example of a visual strength meter based on Password Score can be found on GitHub; it is built on Twitter Bootstrap's progress bars and is still work in progress.

Bootstrap Strength Meter on GitHub
Password Score on GitHub

References

The data sources used for dictionaries, password lists etc. can be found on GitHub.

What is your opinion on this article? Let me know your thoughts on Twitter @davidstutz92 or LinkedIn in/davidstutz92.