Degradable JavaScript-based password analysis tool that informs a user in real time of their password strength.

Download JavaScript: password-analyser.js

Note the input box is plain text - your text will appear for everyone to see!

Password:

How to implement

After you’ve included the two script directives for prototype.js and password-analyser.js, just assign a class name of password-analyser to your form element thus:

<input type="text" name="password" id="password" class="password-analyser" />

This allows you to apply the password analyser system to multiple form text elements in each page.

Inspiration

The idea behind this system is to give the user real-time feedback on the guessability of their password. Inspired by an article at lockdown.co.uk, this script calculates the potential number of possible permutations of a password and works out how long it would take to guess the password using brute force attempts at 1 billion passwords per second.

So if your password only contains lowercase characters (character set of 26) and is 7 characters long, your password would be guessable in 8 seconds.

Why 1 billion? You’d need a couple of machines at least to get this type of capability, but that will change in the very near future. Also, if passwords are guessed by trying all permutations of a particular set of characters, then the likelihood is the password will be found before the end of the list is reached. On average, the estimated time can be halved.

BETA?

Well, I whipped this up fairly quickly. It works and works well (I think) but some things I’d change:

  • Turn into a class. I’d like to take the global variable passwordanalyserresultstring (nice name spacing!) and put it as a member variable that can be updated from outside through a member method to cater for I18N.
  • Currently it sets the window.onload to a custom function. This means it will overwrite any onload="" part of the body tag and could even get overwritten by another script and not load at all. I’ll fix that when the need arises I guess.
  • Consider the inclusion of all possible permutations of passwords with the same character set with lengths less than the current password, i.e. the pool of password permutations is not that of 8 letter passwords, but of 8, 7, 6, 5, 4, 3, 2 and 1 letter passwords combined.
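
The estimate described under Inspiration, together with the combined pool of shorter lengths from the last list item, as an added example (this is not the code in password-analyser.js). The function names and every character class size other than lowercase = 26 are assumptions.

```javascript
// Added example: brute-force time estimate as described on this page.
// Class sizes are assumptions; only "lowercase = 26" is stated on the page.
const CLASSES = [
  { re: /[a-z]/, size: 26n },
  { re: /[A-Z]/, size: 26n },
  { re: /[0-9]/, size: 10n },
  { re: /[^a-zA-Z0-9]/, size: 33n }, // printable ASCII symbols incl. space
];
const GUESSES_PER_SECOND = 1000000000n; // the page's 1 billion per second

// Size of the smallest character set (built from CLASSES) that covers
// every character in the password. Non-ASCII input counts as "symbols".
function charsetSize(password) {
  return CLASSES.reduce((n, c) => (c.re.test(password) ? n + c.size : n), 0n);
}

// Number of candidates an exhaustive search has to cover.
// cumulative=false: passwords of exactly this length (charset^length).
// cumulative=true: every length from 1 up to this one, summed.
function searchSpace(password, cumulative = false) {
  const size = charsetSize(password);
  const len = BigInt(password.length);
  if (size === 0n) return 0n; // empty password
  if (!cumulative) return size ** len;
  let total = 0n;
  for (let k = 1n; k <= len; k++) total += size ** k;
  return total;
}

// Whole seconds (rounded down) to exhaust the space, and the halved
// average the page mentions, at GUESSES_PER_SECOND.
function secondsToGuess(password, cumulative = false) {
  const space = searchSpace(password, cumulative);
  return {
    worst: space / GUESSES_PER_SECOND,
    average: space / (2n * GUESSES_PER_SECOND),
  };
}

// Constructed sample: 7 lowercase letters, the case worked through above.
console.log(secondsToGuess("abcdefg"), searchSpace("abcdefg", true));
```

For seven lowercase letters the combined pool is only about 4% larger than the exact-length pool, so counting shorter passwords barely moves the estimate.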

Any comments, patches, bug reports or feature requests, please reply to the blog post.

Security Information

This form is disabled at JavaScript level and submits over SSL to localhost by POST request if JavaScript is not turned on. This means anything you manage to submit won’t go very far, especially if you don’t run a web server on your own machine.