estimation library. Use it to implement a custom strength bar on a
signup form near you!
zxcvbn attempts to give sound password advice through pattern matching
and conservative entropy calculations. It finds 10k common passwords,
common American names and surnames, common English words, and common
patterns like dates, repeats (aaa), sequences (abcd), and QWERTY
For full motivation, see:
is the best way to add
zxcvbn to your site. Host
zxcvbn-async.js somewhere on your web server, and make the hardcoded
zxcvbn-async.js point to
zxcvbn.js. A relative path works
zxcvbn-async.js is a tiny 350 bytes. On
window.load, after your page
loads and renders, it'll fetch
zxcvbn.js, which is more like 700k (330k
gzipped), most of which is a series of dictionaries.
I haven't found 700k to be too large -- especially because a password isn't the first thing a user typically enters on a registration form.
zxcvbn.js can also be included directly:
But this isn't recommended, as the 700k download will block your initial page load.
zxcvbn adds a single function to the global namespace:
It takes one required argument, a password, and returns a result object. The result includes a few properties:
resultentropy # bitsresultcrack_time # estimation of actual crack time, in seconds.resultcrack_time_display # same crack time, as a friendlier string:# "instant", "6 minutes", "centuries", etc.resultscore # [0,1,2,3,4] if crack time is less than# [10**2, 10**4, 10**6, 10**8, Infinity].# (useful for implementing a strength bar.)resultmatch_sequence # the list of patterns that zxcvbn based the# entropy calculation on.resultcalculation_time # how long it took to calculate an answer,# in milliseconds. usually only a few ms.
user_inputs argument is an array of strings that
will add to its internal dictionary. This can be whatever list of
strings you like, but is meant for user inputs from other fields of the
form, like name and email. That way a password that includes the user's
personal info can be heavily penalized. This list is also good for
zxcvbn loads (after the async script fetch is complete), it'll
check if a function named
zxcvbn_load_hook is defined, and run it with
no arguments if so. Most sites shouldn't need this.
Bug reports and pull requests welcome!
zxcvbn is written in CoffeeScript and Python.
zxcvbn.js is built with
For development, include these scripts instead of
Data lives in the first two scripts. These get produced by:
init.coffee make up the rest of the
init.js needs to come last, otherwise script order doesn't matter.
I recommend setting up coffee-mode in emacs, or whatever equivalent, so
that CoffeeScript compiles to js on save. Otherwise you'll need to
Dropbox, thank you in so many ways, but in particular, for supporting independent projects both inside and outside of hackweek.
Many thanks to Mark Burnett for releasing his 10k top passwords list:
and for his 2006 book, "Perfect Passwords: Selection, Protection, Authentication"
Huge thanks to Wiktionary contributors for building a frequency list of English as used in television and movies: http://en.wiktionary.org/wiki/Wiktionary:Frequency_lists
Last but not least, big thanks to xkcd :) https://xkcd.com/936/