Password strength meters are a great way to visually indicate to the users if their password is acceptable. Implementing one from scratch is no easy feat. Fortunately, dropbox has developed an open source library just for this purpose called zxcvbn. It’s multi-platform and easy to use. In this short article we’ll go over setting up the library and estimating password strength with zxcvbn.
There are many different password strength meters out there. You’ve probably seen quite a few when trying to register for different services. Try using the same password on a few different registration forms, you’ll notice that you’re getting different results. Obviously, they’re all using different password scoring algorithms. Which brings us to a question…
What’s a good password?
The answer is actually very simple. A good password is the one that’s hard for a computer to crack 🙂 There’s a famous comic by xkcd that illustrates this point perfectly:
source: xkcd.com
They make a very good point. Long passwords are hard for computers to crack. This is what makes zxcvbn different. zxcvbn will give you a password estimate by doing dictionary and frequency analyses (among other things) against the input. This is a topic on its own and we could write a whole post on it. If you’re interested in learning more, I would recommend this great article by Dan Wheeler the author of zxcvbn.
Funny note: ‘zxcvbn’ is the bottom row on a standard US keyboard.
Let’s implement this library in a demo project…
If you go on their GitHub repo, you won’t find any installation instructions. Never the less, the library is available on cocoapods. So installing it is pretty trivial. Just add it to your podfile:
We’re going to build a very simple UI for our example. zxcvbn has a built-in view for displaying your password strength, so we’ll be using it. Our UI will look like this:
The view to the right of the password text field is the custom view that we’re getting with zxcvbn. Don’t forget to set the custom class on it:
If you’re not happy with how the built-in view looks like, you can easily build your own. The library will provide you with a results object from which you can extract all the data you need to implement a custom strength meter view.
zxcvbn has a cool feature. It will allow you to provide a custom penalisation list. For example, if you’re filling out a registration form and one of the fields is your first name, you can add this value to the penalisation list. So, if your password contains your first name, it will be penalised. It’s definitely an effective way of making your users choose better passwords… That explains why we have the ‘First Name’ and ‘Last Name’ fields in our example 🙂
Next, we’ll implement the delegate callback for the text field:
First we get the password and a list of penalised words. Then we simply call a function on the passwords strength meter and it magically does the rest. You can get some more info about the strength of the password. One interesting property is the estimated time to crack the password. Obviously, you get the score of the password; it’s an int from 0 to 4. If you want, you could check this score and not allow the user to register if the score is below a minimum value of your choosing.
Here’s how our form looks like:
The password field is intentionally left unmasked, so you can see what’s going on. In the form above we’re using four words as our password and we’re getting a good score of 3 out of 4 for the strength. The estimated crack time is also acceptable. What happens if the first name is a part of the password:
The score is still 3 out of 4, but take a look at the crack time. And lastly, what if you used both, first and the last name in the password:
As you can see, it would take an estimated 37 minutes to crack this password.
It’s important for your users to choose a good password and a library like this one can really help you out. If you try to develop your custom solution for estimating the password strength it might take you a lot more time than you think.
zxcvbn is a great library that has been ported to many other languages. This is an added benefit of it. You could easily have all your mobile platforms and your web platform running the same password validation algorithms.
If you want to learn more about the library and how it works you can read this great article by the author of the library Dan Wheeler. You can check out the example project on GitLab as well as all the code snippets from the article.
I hope you’ve discovered something new and fun to play with today 🙂 As usual…
Have a nice day 🙂
~D;
More resources
- zxcvbn
- zxcvbn-ios
- Cocoapods: zxcvbn
- zxcvbn: realistic password strength estimation
- xkcd.com
- ATPasswordMeter
- Code Snippets
