A command-line implementation of the open-source zxcvbn password-strength tool to check password strength
How secure is your password?
How long would it take a hacker to "guess" your password?
This tool will check common dictionaries and patterns against your password to determine how long it would take a hacker to guess it. See examples at the bottom of this README.
To use:
- You must have node installed. Type
node --version
on the command-line. If you get an error, download Node from https://nodejs.org/en/download/current/
Download my pw
stript (it's an executable text file) and install into /usr/local/bin/
. Here's a quick way to install from a browser.
- Go to https://raw.githubusercontent.com/jon617/pw/master/pw
- Select All (or highlight all with your mouse) and Copy.
- Open a shell, terminal, or bash window on your Linux or Mac computer. On Windows, use Ubuntu.
- On your shell/terminal, type:
sudo cat > /usr/local/bin/pw
and enter your sudo password if prompted. - Right-click on the shell/terminal window to paste the script.
- Press ENTER at least once to put a blank line at the end of the file you pasted.
- On a Mac press ⌘-D or Linux/PC press CTRL-D to end the file.
Now that you have the pw
script added to your /usr/local/bin
directory, make the script executable. Type:
sudo chmod +x /usr/local/bin/pw
This script has a dependency of the npm module called zxcvbn
, so install it by typing
sudo npm install -g zxcvbn
If you got an error that npm command is not found, verify that you have node
installed. See above.
/usr/local/bin/pw
or
pw
Type a password to check, then press ENTER. Nothing will happen until you press enter.
It's safe to type your password because:
- Your password stays on your local machine. Nothing is transmitted to the Internet or saved to a file.
- Your password is not saved to bash history.
Example use for password Z,W}13[H7OLc
:
/usr/local/bin/pw
Z,W}13[H7OLc
Strength score (0=worst, 4=best): 4
Estimated time to crack this password:
Online (slow) at 100 guesses per hour : centuries
Online (fast) at 10 guesses per second : centuries
Offline (slow) at 1,000 guesses per second : 3 years
Offline (fast) at 10 billion guesses/second: 2 minutes
Another example, this with less-secure password of P@ssword1
:
/usr/local/bin/pw
P@ssword1
Strength score (0=worst, 4=best): 1
Estimated time to crack this password:
Online (slow) at 100 guesses per hour : 5 days
Online (fast) at 10 guesses per second : 19 minutes
Offline (slow) at 1,000 guesses per second : 1 second
Offline (fast) at 10 billion guesses/second: less than a second
Warning: This is similar to a commonly used password
Suggestions:
Add another word or two. Uncommon words are better.
Capitalization doesn't help very much
Predictable substitutions like '@' instead of 'a' don't help very much