An entropy based password strength checker in a data URI
Sometime last month, around the time that some major breaches of user databases from some popular sites were making the news, I got to thinking about password strength. Fred Wenzel’s post about storing user passwords is a great read on the topic, and one little part struck me: for unsalted quick hashing algorithms, if the hash is leaked then even completely random alphanumeric passwords up to 10 characters long are readily crackable. I realized it was time to change my passwords as most of them, while not something a person could guess, were easily crackable if a hash were to be leaked in a user database breach. So next step was to come up with some good strong passwords. There are some sites out there that will test one for you, but if you’re paranoid like me then you’re obviously not going to type your actual password in there. I wanted something I could test locally and I was already aware of the basic theory of entropy with regard to passwords so I did a little more research and wrote my own little password checker. Sure, I could’ve probably hunted for an addon to do this, but I wanted something simple and it was a neat little project that sounded like fun to write. Gerv posted on the this exact topic today, so I thought I might as well post my little checker for those who want it.
Note that my checker has a few nice properties:
- Its strength assessment is based on calculated entropy, not purely whether or not you include upper and lower case characters, numbers, and/or symbols. Adding one of these cases adds to the possible characters available and increases the entropy, but the final number is based on this math and not whether or not you follow any particular practice. The end result is that it will correctly tell you that adding two characters to an alphanumeric password is better than adding case-sensitivity.
- It has a high standard; it will likely label passwords that might be considered good elsewhere as not good enough.
- It’s simple, local, and entirely contained in a data URI. This means you can read the code yourself very easily and verify it’s not going to send it anywhere.
But it has a few disadvantages too:
- It doesn’t check for common and easily guessable passwords or patterns. It’ll only give you a rating against a brute-force attack from a computer with no hints. Passwords are rarely truly random and people writing programs to crack them know this. The lessons of what stupid stuff to not put in your passwords are not addressed here.
- It doesn’t handle Unicode well. It could add new character categories for other languages’ alphabets and syllabaries, but for now if you have anything other then alpha-numeric-symbolic it will give you an overly optimistic strength rating. Also, it goes by each byte not each character, so a multi-byte character is counted as multiple characters.
- I’ve only tested it in Firefox thus far.
It’s not perfect, but as long as your password is alpha-numeric-symbolic and not easily guessable by someone it will give you a good analysis of password strength.
Note that you can bookmark the checker page directly, at which point the whole thing is stored in the bookmark itself. This is sometimes called a bookmarklet. I’ve re-encoded it with base64 and put it behind a TinyURL because WordPress can’t link to it as-is.
I decided I might as well put a license on my code so I went with MPL2 if anyone wants to use it.
For anyone who was wondering how to easily make data URIs, I recommend the The data: URI Kitchen. I used the nicely meta Self-contained data: URI Kitchen, which is itself contained in a data URI (but is text only).