Skip to content

zeezooz/zxcvbnm

BranchesTags

Repository files navigation

A password strength estimator inspired by password crackers. This is a Dart rewrite of zxcvbn-ts, which is a rewrite and further evolution of zxcvbn by Dropbox.

The goal is to match zxcvbn-ts in password evaluation. Although message translation and API may differ.

zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative estimation, it recognizes and weighs 40k common passwords, common names surnames, popular words from Wikipedia and common word in different language from different countries, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.

Consider using zxcvbn as an algorithmic alternative to password composition policy — it is more secure, flexible, and usable when sites require a minimal complexity score in place of annoying rules like "passwords must contain three of {lower, upper, numbers, symbols}".

  • More secure: policies often fail both ways, allowing weak passwords (P@ssword1) and disallowing strong passwords.
  • More flexible: zxcvbn allows many password styles to flourish so long as it detects sufficient complexity — passphrases are rated highly given enough uncommon words, keyboard patterns are ranked based on length and number of turns, and capitalization adds more complexity when it's unpredictaBle.
  • More usable: zxcvbn is designed to power simple, rule-free interfaces that give instant feedback. In addition to strength estimation, zxcvbn includes minimal, targeted verbal feedback that can help guide users towards less guessable passwords.

For further detail and motivation, please refer to the USENIX Security '16 paper and presentation.

Features

  • Estimate strength of a password
  • Get a score for the password
  • Localization support for dictionaries and feedback translations
  • Extend existing dictionaries with your own
  • Usable without dictionaries at all, which reduce the scoring efficiency rapidly. This is not recommended
  • Custom matchers, including asynchronous ones

Usage

import 'package:zxcvbnm/languages/en.dart';
import 'package:zxcvbnm/zxcvbnm.dart';
...
final Zxcvbnm zxcvbnm = Zxcvbnm(dictionaries: dictionaries);
final Result result = zxcvbnm('password');
print('score: ${result.score}/4');

Dictionaries

Dictionaries contain easy-to-guess words to check a password for. By default, no dictionaries are used, which may allow some weak passwords, so it's recommended to specify some dictionaries. They are Sets, so you can combine them using the spread operator:

import 'package:zxcvbnm/languages/en.dart' as en;
import 'package:zxcvbnm/languages/es_es.dart' as es;
...
dictionaries: {
  ...en.dictionaries,
  if (localeName == 'es') ...es.dictionaries,
}

Included dictionaries

  • common - Diceware and the most often used passwords. These dictionaries are already included in the locale specific dictionaries, so you usually don't need to add them explicitly
  • ar - Arabic
  • cs - Czech
  • de - German
  • en - English
  • es_es - Spanish (Spain)
  • fi - Finnish
  • fr - French
  • id - Indonesian
  • it - Italian
  • ja - Japanese
  • nl_be - Dutch (Belgium)
  • pl - Polish
  • pt_br - Portuguese (Brazil)

Locale specific dictionaries usually contain the most often used words, the most common names, and the most often used words from Wikipedia.

Translation

The package uses intl to translate messages. You can use your own translation or override some messages by loading a translation with necessary keys. If you need to load more than 1 translation per locale, use intl_multiple_translations or a similar package.

Included languages

  • ar - Arabic
  • cs - Czech
  • de - German
  • en (default) - English
  • es - Spanish (Spain)
  • fi - Finnish
  • fr - French
  • id - Indonesian
  • it - Italian
  • ja - Japanese
  • nl - Dutch (Belgium)
  • pl - Polish
  • pt - Portuguese (Brazil)

Dart

Load the translation:

import 'package:zxcvbnm/messages.dart';
...
await initializeZxcvbnmMessages('es');

and set the global locale:

import 'package:intl/intl.dart';
...
Intl.defaultLocale = 'es';

or override the current locale for a particular operation:

import 'package:intl/intl.dart';
...
Intl.withLocale('es', () => doSomething());

See doc/translation/dart.md to learn how to use your own translation or override some messages.

Flutter

Install zxcvbnm_flutter.

Add the localizations delegate:

import 'package:zxcvbnm_flutter/zxcvbnm_flutter.dart';
...
return MaterialApp(
  localizationsDelegates: [
    ZxcvbnmLocalizations.delegate,
    ...
  ],
  ...
);

See doc/translation/flutter.md to learn how to use your own translation or override some messages.

Contribution

Please feel free to open an issue or provide a pull request.

About

A password strength estimator inspired by password crackers.

pub.dev/packages/zxcvbnm

Topics

security validation authentication validator password

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

4 tags

Packages

No packages published

Languages