This is a Java port of zxcvbn, a JavaScript password strength estimator.
This version is a port of zxcvbn 4.2.0.
- 2016/01/28 1.0.2 released.
- 2016/01/27 1.0.1 released.
- 2015/12/24 1.0.0 released.
- It includes JIS keyboard layout in spatial matching.
'com.nulab-inc:zxcvbn:1.0.2'
<dependency>
    <groupId>com.nulab-inc</groupId>
    <artifactId>zxcvbn</artifactId>
    <version>1.0.2</version>
</dependency>
To build:
$ git clone git@github.com:nulab/zxcvbn4j.git
$ cd zxcvbn4j/
$ ./gradlew build
Basic usage. The library also works on Android.
Zxcvbn zxcvbn = new Zxcvbn();
Strength strength = zxcvbn.measure("This is password");
To add your own dictionary, pass the keywords as a List in the second argument.
List<String> sanitizedInputs = new ArrayList<>();
sanitizedInputs.add("nulab");
sanitizedInputs.add("backlog");
sanitizedInputs.add("cacoo");
sanitizedInputs.add("typetalk");
Zxcvbn zxcvbn = new Zxcvbn();
Strength strength = zxcvbn.measure("This is password", sanitizedInputs);
measure() returns a "Strength" object. Its fields are almost the same as those of the zxcvbn result.
# estimated guesses needed to crack password
strength.guesses
# order of magnitude of strength.guesses
strength.guessesLog10
# dictionary of back-of-the-envelope crack time
# estimations, in seconds, based on a few scenarios
strength.crackTimeSeconds
{
# online attack on a service that ratelimits password auth attempts.
onlineThrottling100PerHour
# online attack on a service that doesn't ratelimit,
# or where an attacker has outsmarted ratelimiting.
onlineNoThrottling10PerSecond
# offline attack. assumes multiple attackers,
# proper user-unique salting, and a slow hash function
# w/ moderate work factor, such as bcrypt, scrypt, PBKDF2.
offlineSlowHashing1e4PerSecond
# offline attack with user-unique salting but a fast hash
# function like SHA-1, SHA-256 or MD5. A wide range of
# reasonable numbers anywhere from one billion - one trillion
# guesses per second, depending on number of cores and machines.
# ballparking at 10B/sec.
offlineFastHashing1e10PerSecond
}
# same keys as strength.crackTimeSeconds,
# with friendlier display string values:
# "less than a second", "3 hours", "centuries", etc.
strength.crackTimeDisplay
# Integer from 0-4 (useful for implementing a strength bar)
# 0 Weak        (guesses < 10^3)
# 1 Fair        (guesses < 10^6)
# 2 Good        (guesses < 10^8)
# 3 Strong      (guesses < 10^10)
# 4 Very strong (guesses >= 10^10)
strength.score
# verbal feedback to help choose better passwords. set when score <= 2.
strength.feedback
{
# explains what's wrong, eg. 'this is a top-10 common password'.
# not always set -- sometimes an empty string
warning
# a possibly-empty list of suggestions to help choose a less
# guessable password. eg. 'Add another word or two'
suggestions
}
# the list of patterns that zxcvbn based the guess calculation on.
strength.sequence
# how long it took zxcvbn to calculate an answer, in milliseconds.
strength.calc_time
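One way to combine the score, the feedback and the custom-dictionary argument in a server-side acceptance check. This is an added example, not code from the zxcvbn4j project: the `PasswordPolicy` class, the minimum score of 3 and the sample account are assumptions, and it assumes the `Strength` fields listed above are read through JavaBean getters (`getScore()`, `getFeedback()`) in the `com.nulabinc.zxcvbn` package.

```java
import com.nulabinc.zxcvbn.Strength;
import com.nulabinc.zxcvbn.Zxcvbn;

import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/** Added example: password acceptance check built on zxcvbn4j. */
public class PasswordPolicy {
    // Hypothetical policy threshold: 3 = "Strong" in the score table above.
    private static final int MIN_SCORE = 3;
    private final Zxcvbn zxcvbn = new Zxcvbn();

    /** Returns an empty list if accepted, otherwise messages for the user. */
    public List<String> check(String candidate, String username, String email) {
        // Per-user dictionary: the account's own identifiers are among the
        // first guesses against this user, so they must not count as strength.
        List<String> userInputs = new ArrayList<>();
        addToken(userInputs, username);
        if (email != null) {
            for (String part : email.split("[@.]")) addToken(userInputs, part);
        }
        Strength strength = zxcvbn.measure(candidate, userInputs);

        List<String> problems = new ArrayList<>();
        if (strength.getScore() < MIN_SCORE) {
            // warning may be an empty string; suggestions may be an empty list.
            String warning = strength.getFeedback().getWarning();
            if (warning != null && !warning.isEmpty()) problems.add(warning);
            problems.addAll(strength.getFeedback().getSuggestions());
            if (problems.isEmpty()) problems.add("Password is too easy to guess.");
        }
        return problems;
    }

    private static void addToken(List<String> out, String s) {
        // Lowercase as a precaution so matching does not depend on input casing.
        if (s != null && s.length() >= 3) out.add(s.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        PasswordPolicy policy = new PasswordPolicy();
        // Constructed sample account and candidate passwords.
        String[] candidates = {"alice2016", "This is password", "vague-Harbor-93-kettle"};
        for (String pw : candidates) {
            List<String> problems = policy.check(pw, "alice", "alice@example.com");
            System.out.println((problems.isEmpty() ? "ACCEPT " : "REJECT ") + problems);
        }
    }
}
```

The check reports only the verdict and feedback, never the candidate password itself, so it can be logged safely.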
For bugs, questions and discussions, please use GitHub Issues.
MIT License
- Java 1.7+