Description

This small project is a password strength meter for web pages, written in JavaScript and HTML. The password strength is based on the entropy of the character sets used.


This project was inspired by a Randall Munroe xkcd cartoon at http://xkcd.com/936/.

How it works

First it determines the "base" number. The base is the sum of the sizes of the character sets used in the password: there are 26 lowercase letters, 26 uppercase letters, 10 digits, and 33 special characters. If you use at least one character from each set, your base number will be 95: 26+26+10+33=95. If you only use, for example, lowercase letters and digits, your base will be 36: 26+10=36.

The strength, or entropy, of a one-character password is equal to the base number. For example, a single lowercase letter could be any one of 26 possible letters. The strength of a two-character password is base x base, or base^2 (base to the power of 2): a letter and a digit would give 36*36 possible combinations. A three-character password would have base^3 possible combinations.

Since the strength rises exponentially with each additional character, it's much more convenient to use the exponent of the total strength as the "strength" rather than a huge number. So I convert the total entropy to scientific notation and take just the exponent. For example, a 5-character password consisting of lowercase letters and digits has an entropy of (26 + 10) ^ 5 = 60,466,176, or approximately 6e+7. I count the strength of this password as 7, the exponent.

To avoid some of the really stupid easy passwords like aaaaaaaaaaaaa or 123123123, I adjust the length of the password so that no single character counts more than twice. So the password beeblebrox only counts as a length of 8 instead of 10, because I drop the third b and the third e.
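The three steps above (character-set base, duplicate-capped length, exponent of base^length) as one small JavaScript function. This is an added example, not the project's own code; it assumes that any character outside the letter and digit sets is counted toward the 33-character "special" set, and it uses log10 to get the exponent so that long passwords do not overflow to Infinity before the exponent is read.

```javascript
// Added example (not the project's own code): password strength as the
// decimal exponent of base^effectiveLength, with each character capped at
// two occurrences when measuring length.
const CHARSETS = [
  { name: "lower",   size: 26, test: (c) => c >= "a" && c <= "z" },
  { name: "upper",   size: 26, test: (c) => c >= "A" && c <= "Z" },
  { name: "digit",   size: 10, test: (c) => c >= "0" && c <= "9" },
  // Assumption: everything else is one of the 33 printable ASCII symbols.
  { name: "special", size: 33, test: () => true },
];

// Sum of the sizes of the character sets that actually occur in the password.
function charsetBase(password) {
  const used = new Set();
  for (const c of password) {
    used.add(CHARSETS.find((s) => s.test(c)).name);
  }
  return CHARSETS.filter((s) => used.has(s.name))
                 .reduce((sum, s) => sum + s.size, 0);
}

// Length after dropping every occurrence of a character beyond the first two,
// so "beeblebrox" counts as 8 and "aaaaaaaaaaaaa" counts as 2.
function effectiveLength(password, maxDup = 2) {
  const counts = new Map();
  let len = 0;
  for (const c of password) {
    const n = (counts.get(c) || 0) + 1;
    counts.set(c, n);
    if (n <= maxDup) len++;
  }
  return len;
}

// Strength score = exponent of base^length in scientific notation, i.e.
// floor(log10(base^length)) = floor(length * log10(base)).
function strength(password) {
  const base = charsetBase(password);
  const length = effectiveLength(password);
  if (base === 0 || length === 0) {
    return { base, length, combinations: 0, score: 0 };
  }
  const combinations = Math.pow(base, length); // may be Infinity for long input
  const score = Math.floor(length * Math.log10(base));
  return { base, length, combinations, score };
}
```

For the README's own example, strength("ab1de") reports base 36, length 5, 60,466,176 combinations and a score of 7.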

You can see this in action in the demo with debug output turned on.

References

The Password Meter - an application designed to assess the strength of password strings.

Javascript Password Strength Meter - a quick and dirty educational tool.

zxcvbn - realistic password strength estimation.

How big is your haystack? - GRC's Interactive Brute Force Password “Search Space” Calculator