An entropy based password strength checker in a data URI

Sometime last month, around the time that some major breaches of user databases from some popular sites were making the news, I got to thinking about password strength. Fred Wenzel’s post about storing user passwords is a great read on the topic, and one little part struck me: for unsalted, fast hashing algorithms, if the hash is leaked then even completely random alphanumeric passwords up to 10 characters long are readily crackable. I realized it was time to change my passwords, as most of them, while not something a person could guess, were easily crackable if a hash were to be leaked in a user database breach. So the next step was to come up with some good strong passwords. There are some sites out there that will test one for you, but if you’re paranoid like me then you’re obviously not going to type your actual password in there. I wanted something I could test locally, and I was already aware of the basic theory of entropy with regard to passwords, so I did a little more research and wrote my own little password checker. Sure, I could probably have hunted for an addon to do this, but I wanted something simple, and it was a neat little project that sounded like fun to write. Gerv posted on this exact topic today, so I thought I might as well post my little checker for those who want it.

Note that my checker has a few nice properties:

  • Its strength assessment is based on calculated entropy, not purely on whether or not you include upper and lower case characters, numbers, and/or symbols. Adding one of these classes enlarges the pool of possible characters and so increases the entropy per character, but the final number is based on that math (length times log2 of the pool size) and not on whether or not you follow any particular practice. The end result is that it will correctly tell you that adding two characters to a lowercase alphanumeric password is better than adding case-sensitivity: two extra characters from a 36-character pool add about 10.3 bits, while mixing case raises the pool to 62 and adds only about 0.8 bits per character, so mixed case does not catch up until the password is 14 or more characters long.
  • It has a high standard; it will likely label passwords that might be considered good elsewhere as not good enough.
  • It’s simple, local, and entirely contained in a data URI. This means you can read the code yourself very easily and verify that it’s not going to send your password anywhere.

But it has a few disadvantages too:

  • It doesn’t check for common and easily guessable passwords or patterns. It only rates you against a blind brute-force attack from a computer with no hints. Passwords are rarely truly random, and people writing programs to crack them know this, so they try dictionary words, keyboard patterns and known leaked passwords long before they try the full keyspace. The lessons about what not to put in your passwords are not addressed here.
  • It doesn’t handle Unicode well. It could add new character categories for other languages’ alphabets and syllabaries, but for now if you have anything other than alphanumeric or symbolic ASCII characters it will give you an overly optimistic strength rating. Also, it counts bytes rather than characters, so a multi-byte character is counted as multiple characters and inflates the length.
  • I’ve only tested it in Firefox thus far.

It’s not perfect, but as long as your password is alpha-numeric-symbolic and not easily guessable by someone it will give you a good analysis of password strength.
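The calculation the checker performs, written out here as an added example rather than the code from the data URI itself, and covering both the entropy model from the first list above and the Unicode failure mode from the second. The class names and pool sizes, the verdict thresholds, the guess rate used for the crack-time estimate and all function names are my assumptions; the post does not state which of these its own checker uses.

```javascript
// Added example, not the post's own checker: an entropy estimate of the kind
// the post describes, plus the checks a reader would want around it.
// Assumptions (none stated by the post): the four ASCII classes and their pool
// sizes below, the guess rate used for the crack-time estimate, and the
// verdict thresholds at the bottom.

// Character classes over printable ASCII (codes 32..126, 95 characters).
// 26 + 26 + 10 + 33 = 95; the symbol class includes space.
const CLASSES = [
  { name: "lower",  size: 26, re: /[a-z]/ },
  { name: "upper",  size: 26, re: /[A-Z]/ },
  { name: "digit",  size: 10, re: /[0-9]/ },
  { name: "symbol", size: 33, re: /[ -\/:-@\[-`{-~]/ },
];

// Bits of entropy for `length` characters drawn uniformly from a pool of
// `pool` characters. This is the whole model: it measures resistance to blind
// brute force only, nothing about dictionaries or patterns.
function bitsFor(length, pool) {
  return pool > 0 ? length * Math.log2(pool) : 0;
}

// Analyse one password. Counts code points (Array.from), not UTF-16 units or
// UTF-8 bytes, and marks the result unreliable when anything outside
// printable ASCII is present instead of silently reporting an optimistic
// number for characters the pool model does not cover.
function analyze(password) {
  const chars = Array.from(password);
  const present = CLASSES.filter((cls) => cls.re.test(password));
  const pool = present.reduce((sum, cls) => sum + cls.size, 0);
  const unsupported = chars.filter((c) => {
    const cp = c.codePointAt(0);
    return cp < 0x20 || cp > 0x7e;
  });
  return {
    length: chars.length,
    classes: present.map((cls) => cls.name),
    pool,
    bits: bitsFor(chars.length, pool),
    reliable: unsupported.length === 0,
  };
}

// Seconds to exhaust the whole keyspace at a given guess rate. The rate is a
// hypothetical input: choose one that matches the hash you fear being leaked,
// since a fast unsalted hash allows vastly more guesses per second than a
// deliberately slow, salted password hash.
function secondsToExhaust(bits, guessesPerSecond) {
  return Math.pow(2, bits) / guessesPerSecond;
}

// Smallest length at which a wider pool beats adding `extra` characters from
// the narrower pool. For lowercase+digits (36) versus mixed case+digits (62)
// and two extra characters this is 14: below that, two more characters win.
function crossoverLength(basePool, widerPool, extra) {
  let n = 1;
  while (bitsFor(n, widerPool) <= bitsFor(n + extra, basePool)) n++;
  return n;
}

// Assumed verdict thresholds (the post gives none); deliberately demanding.
function verdict(result) {
  if (!result.reliable) return "unsupported characters: rating unreliable";
  if (result.bits < 48) return "weak";
  if (result.bits < 80) return "moderate";
  return "strong";
}

// Constructed sample inputs; the guess rate of 1e10/s is illustrative only.
for (const pw of ["password", "Passw0rd!", "k3m9vq2xr7tn", "pässwörd"]) {
  const r = analyze(pw);
  console.log(
    `${pw.padEnd(14)} len=${r.length} pool=${r.pool} bits=${r.bits.toFixed(1)} ` +
    `${verdict(r)}; ~${secondsToExhaust(r.bits, 1e10).toExponential(2)} s at 1e10 guesses/s`
  );
}
console.log("crossover (36 -> 62, +2 chars):", crossoverLength(36, 62, 2));
```

Run it with `node` and compare the `k3m9vq2xr7tn` line (12 lowercase alphanumerics, about 62 bits) against what a 10-character mixed-case alphanumeric would score (about 59.5 bits) to see the "two characters beat case" point in numbers; the `pässwörd` line shows the non-ASCII input being refused a rating rather than scored as if its characters came from the ASCII pool.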

Load my entropy based password checker (data URI)

Note that you can bookmark the checker page directly, at which point the whole thing is stored in the bookmark itself, much like a bookmarklet (though that term usually refers to a javascript: URI rather than a data: one). I’ve re-encoded it with base64 and put it behind a TinyURL because WordPress can’t link to it as-is.

I decided I might as well put a license on my code so I went with MPL2 if anyone wants to use it.

For anyone who was wondering how to easily make data URIs, I recommend The data: URI Kitchen. I used the nicely meta Self-contained data: URI Kitchen, which is itself contained in a data URI (but is text only).


6 Comments

  1. Robert Janc

    Entered “Load my entropy based password checker (data URI)”. Page opened with a PW field and verbiage “This doesn’t check for stupid things….” but nothing else. Tried to put a PW in the box and hit return; nothing. No buttons to click. Using FF14b

    • There are no buttons to click. It should be giving you stats and a strength indicator in bold text next to the field as you type into it. I just tested in FF14b on Linux in a new profile and it’s working fine for me. Maybe you have some script blocking from an addon?

      • Robert Janc

        Just checked in safe-mode and all is good. Need to find what is blocking it. My first guess is NoScript.

        Thanks

        • Robert Janc

          Was NoScript. Now trying to sort through the dozens of settings to figure out which one(s)

          • NoScript breaks lots of things and is just plain overkill. I suggest just uninstalling it and using Adblock Plus with EasyList+EasyPrivacy instead.

          • Robert Janc

            I use ABP with Easylist and Easyprivacy. The problem with NoScript of late is that you can’t simply click for temporary acceptance. With regard to your data url I spent 20 minutes looking at the various settings and couldn’t get it to work without disabling.

            I’m relatively sophisticated; however, the NS options have become way too complicated.

            I’m waiting for an answer from the developer on why/how it kills the data url. After that I may just toss it for the reasons you mention.