Passpol

A Java library for validating passwords against NIST SP-800-63B requirements.

Add to your project

<dependency>
  <groupId>com.codahale</groupId>
  <artifactId>passpol</artifactId>
  <version>0.1.4</version>
</dependency>

Depends on Guava for its fast, immutable set implementation.

Use the thing

import com.codahale.passpol.PasswordPolicy;
import java.io.IOException;
import java.util.Arrays;

class Example {
  void doIt() throws IOException {
    final PasswordPolicy policy = new PasswordPolicy();
    
    // validate good passwords
    System.out.println(policy.test("this is a good, long password")); 
    
    // validate bad passwords
    System.out.println(policy.test("password"));
    
    // convert a unicode password to a normalized byte array suitable for hashing
    final byte[] bytes = policy.normalize("✊🏻 unicode 🔥 password");
  } 
}

How it works

PasswordPolicy uses a list of 10,000 weak passwords from Carey Li's NBP project. Passwords are checked for minimum length, maximum length, and weakness.

PasswordPolicy also provides the means to normalize Unicode passwords into a canonical byte array representation suitable for inputting into a password hashing algorithm like bcrypt.
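
The checks and normalization described above, sketched as an added example; this is not passpol's own code. The class name `PolicySketch`, the 8/64 length bounds, the NFKC form, the three-entry weak list, and the choice to normalize before the weak-list lookup are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.text.Normalizer;
import java.util.Arrays;
import java.util.Set;

// Added illustration, not passpol's source. Bounds, weak list and NFKC are assumptions.
public class PolicySketch {
  enum Status { OK, TOO_SHORT, TOO_LONG, WEAK }

  private final int minLength;
  private final int maxLength;
  private final Set<String> weak;

  PolicySketch(int minLength, int maxLength, Set<String> weak) {
    this.minLength = minLength;
    this.maxLength = maxLength;
    this.weak = weak;
  }

  // Canonical text form, so equivalent Unicode spellings compare equal.
  static String canonical(String password) {
    return Normalizer.normalize(password, Normalizer.Form.NFKC);
  }

  // Bytes to hand to the password hashing algorithm (e.g. bcrypt).
  static byte[] normalize(String password) {
    return canonical(password).getBytes(StandardCharsets.UTF_8);
  }

  Status check(String password) {
    String p = canonical(password);
    // Count code points, not UTF-16 units: a supplementary character counts once.
    int len = p.codePointCount(0, p.length());
    if (len < minLength) return Status.TOO_SHORT;
    if (len > maxLength) return Status.TOO_LONG;
    // Lookup on the canonical form, so look-alike encodings of a weak password still match.
    return weak.contains(p) ? Status.WEAK : Status.OK;
  }

  public static void main(String[] args) {
    // Constructed sample list; the library's list has 10,000 entries.
    PolicySketch policy = new PolicySketch(8, 64, Set.of("password", "12345678", "qwertyuiop"));
    String fullwidth = "\uff50\uff41\uff53\uff53\uff57\uff4f\uff52\uff44"; // "password" in fullwidth forms
    for (String s : new String[] {"short", "password", fullwidth, "this is a good, long password"}) {
      System.out.println(policy.check(s) + "  <- " + s);
    }
    // Precomposed and decomposed "é" must hash identically, so their bytes must match.
    System.out.println(Arrays.equals(normalize("caf\u00e9 au lait"), normalize("cafe\u0301 au lait")));
  }
}
```

Without the normalization step, the same password typed on two devices can produce different byte sequences and fail verification against the stored hash.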

License

Copyright © 2017 Coda Hale

Distributed under the Apache License 2.0.