hardpass

Lightweight password strength checker that enforces a strong password policy.

features

• >99% smaller than zxcvbn: just 2.0K gzipped, 4.8K minified, 8.7K uncompressed
• Feedback messages for weak passwords
• Familiar API
• Easy to (use with React)[https://github.com/akrawchyk/react-use-hardpass]

install

npm install hardpass --save
 
# or with yarn 
 
yarn add hardpass

usage

const hardpass = require('hardpass');
 
hardpass('qwerty123');
/*
{
  score: 0,
  feedback: {
    warning: 'Not complex enough',
    suggestions: [
      'Try adding at least 1 upper case character',
      'Try adding at least 1 special character',
      'Must be at least 10 characters long'
    ]
  }
}
*/
 
hardpass('Cm;cF*1f5L');
/*
{
  score: 4
}
*/

policy

Inspired by OWASP Proper Password Strenth Controls.

implemented

• Password length
  • at least 10 characters
  • at most 128 characters
• Password complexity
  • at least 3 of:
    • at least 1 uppercase character (A-Z)
    • at least 1 lowercase character (a-z)
    • at least 1 digit (0-9)
    • at least 1 special character (punctuation) — !"#$%&'()*+,-./:;<=>?@[\\\]^_\{|}~`
  • not more than 2 identical characters in a row (e.g., 111 not allowed)
• Password topologies
  • Ban commonly used password topologies
• Feedback messages

planned

• Configurable feedback messages
• Configurable password dictionaries

motivation

zxcvbn.js bundled and minified is about 400kB gzipped or 820kB uncompressed, most of which is dictionaries.^[link]

We can eliminate the majority of weak passwords by enforcing baseline recommended security policies for strong passwords.

We can prune common password dictionaries to reduce their footprint as well, and provide different configurations for file-size tradeoffs.

license

MIT © Andrew Krawchyk