OWASP Password Strength Test
owasp-password-strength-test
is a password-strength tester based off of the
OWASP Guidelines for enforcing secure passwords. It is
lightweight, extensible, has no dependencies, and can be used on the server
(nodejs) or in-browser.
owasp-password-strength-test
is not an OWASP project - it is simply based off
of OWASP research.
Installing
Server-side (nodejs)
From the command line:
npm install owasp-password-strength-test
In-browser
Within your document:
<script src='owasp-password-strength-test.js'></script>
Features
This module is built upon the following beliefs:
-
Passphrases are better than passwords.
-
Passwords should be subject to stricter complexity requirements than
passphrases.
Thus, the module:
-
provides for "required" and "optional" tests. In order to be considered
"strong", a password must pass all required tests, as well as a
configurable number of optional tests. This makes it possible to always
enforce certain rules (like minimum password length), while giving users
flexibility to honor only some of a pool of lower-priority rules.
-
encourages the use of passphrases over passwords. Passphrases (by
default) are not subject to the same complexity requirements as a password.
(Whereby, by default, a "passphrase" can be defined as "a password whose
length is greater than or equal to 20 characters.")
-
can be arbitrarily extended as-needed with additional required and
optional tests.
Usage
After you've included it into your project, using the module is
straightforward:
Server-side
var owasp = require('owasp-password-strength-test');
var result = owasp.test('correct horse battery staple');
In-browser
var result = owaspPasswordStrenghTest.test('correct horse battery staple');
The returned value will take this shape when the password is valid:
{
errors : [],
isPassphrase : false,
strong : true,
optionalTestsPassed : 4
}
... and will take this shape when the password is invalid:
{
errors: [
'The password must be at least 10 characters long.',
'The password must contain at least one uppercase letter.',
'The password must contain at least one number.',
'The password must contain at least one special character.'
],
isPassphrase : false,
strong : false,
optionalTestsPassed : 1
}
Whereby:
-
errors
is an array
of string
s of error messages associated with the
failed tests.
-
isPassphrase
is a boolean
indicating whether or not the password was
considered to be a passphrase.
-
strong
is a boolean
indicating whether or not the user's password
satisfied the strength requirements.
-
optionalTestsPassed
is a number
indicating how many of the optional tests
were passed. In order for the password to be considered "strong", it (by
default) must either be a passphrase, or must pass a number of optional tests
that is equal to or greater than configs.minOptionalTestsToPass
.
Configuring
The module may be configured as follows:
var owasp = require('owasp-password-strength-test');
owasp.config({
allowPassphrases : true,
maxLength : 128,
minLength : 10,
minPhraseLength : 20,
minOptionalTestsToPass : 4,
});
Whereby:
-
allowPassphrases
is a boolean
that toggles the "passphrase" mechanism on
and off. If set to false
, the strength-checker will abandon the notion of
"passphrases", and will subject all passwords to the same complexity
requirements.
-
maxLength
is a constraint on a password's maximum length.
-
minLength
is a constraint on a password's minimum length.
-
minPhraseLength
is the minimum length a password needs to achieve in order
to be considered a "passphrase" (and thus exempted from the optional
complexity tests by default).
-
minOptionalTestsToPass
is the minimum number of optional tests that a
password must pass in order to be considered "strong". By default (per the
OWASP guidelines), four optional complexity tests are made, and a password
must pass at least three of them in order to be considered "strong".
Extending
If you would like to filter passwords through additional tests beyond the
default, you may simply push new tests onto the appropriate arrays within the
module's test
object:
var owasp = require('owasp-password-strength-test');
owasp.tests.required.push(function(password) {
if (password === 'one two three four five') {
return "That's the kind of thing an idiot would have on his luggage!";
}
});
Test functions must resemble the following:
function(password) {
if (thePasswordIsBad) {
return "This is the failure message associated with the test";
}
}
Testing
To run the module's test suite, cd
into its directory and run grunt
. You
may first need to run npm install
to install the required development
dependencies. (These dependencies are not required in a production
environment, and facilitate only unit testing.)
Contributing
If you would like to contribute code, please fork this repository, make your
changes, and then submit a pull-request.