Home

Awesome

OWASP Password Strength Test

owasp-password-strength-test is a password-strength tester based off of the OWASP Guidelines for enforcing secure passwords. It is lightweight, extensible, has no dependencies, and can be used on the server (nodejs) or in-browser.

owasp-password-strength-test is not an OWASP project - it is merely based off of OWASP research.

Build Status

Installing

Server-side (nodejs)

From the command line:

npm install owasp-password-strength-test

In-browser

Within your document:

<script src='owasp-password-strength-test.js'></script>

Features

This module is built upon the following beliefs:

  1. Passphrases are better than passwords.

  2. Passwords should be subject to stricter complexity requirements than passphrases.

Thus, the module:

Usage

After you've included it into your project, using the module is straightforward:

Server-side

// require the module
var owasp = require('owasp-password-strength-test');

// invoke test() to test the strength of a password
var result = owasp.test('correct horse battery staple');

In-browser

// in the browser, including the script will make a
// `window.owaspPasswordStrengthTest` object available.
var result = owaspPasswordStrengthTest.test('correct horse battery staple');

The returned value will take this shape when the password is valid:

{
  errors              : [],
  failedTests         : [],
  requiredTestErrors  : [],
  optionalTestErrors  : [],
  passedTests         : [ 0, 1, 2, 3, 4, 5, 6 ],
  isPassphrase        : false,
  strong              : true,
  optionalTestsPassed : 4
}

... and will take this shape when the password is invalid:

{
  errors: [
      'The password must be at least 10 characters long.',
      'The password must contain at least one uppercase letter.',
      'The password must contain at least one number.',
      'The password must contain at least one special character.'
    ],
    failedTests         : [ 0, 4, 5, 6 ],
    passedTests         : [ 1, 2, 3 ],
    requiredTestErrors  : [
      'The password must be at least 10 characters long.',
    ],
    optionalTestErrors  : [
      'The password must contain at least one uppercase letter.',
      'The password must contain at least one number.',
      'The password must contain at least one special character.'
    ],
    isPassphrase        : false,
    strong              : false,
    optionalTestsPassed : 1
}

Whereby:

Configuring

The module may be configured as follows:

var owasp = require('owasp-password-strength-test');

// Pass a hash of settings to the `config` method. The settings shown here are
// the defaults.
owasp.config({
  allowPassphrases       : true,
  maxLength              : 128,
  minLength              : 10,
  minPhraseLength        : 20,
  minOptionalTestsToPass : 4,
});

Whereby:

Extending

If you would like to filter passwords through additional tests beyond the default, you may simply push new tests onto the appropriate arrays within the module's test object:

var owasp = require('owasp-password-strength-test');

// push "required" tests onto `tests.required` array, and push "optional" tests
// onto the `tests.optional` array.
owasp.tests.required.push(function(password) {
  if (password === 'one two three four five') {
    return "That's the kind of thing an idiot would have on his luggage!";
  }
});

Test functions must resemble the following:

// accept the password as the single argument
function(password) {

  // the "if" conditional should evaluate to `true` if the password is bad
  if (thePasswordIsBad) {

    // On password failure, a string should be returned. It will be pushed
    // onto an array of errors associated with the password.
    return "This is the failure message associated with the test";
  }

  // if the password is OK, nothing should be returned
}

Testing

To run the module's test suite, cd into its directory and run npm test. You may first need to run npm install to install the required development dependencies. (These dependencies are not required in a production environment, and facilitate only unit testing.)

Contributing

If you would like to contribute code, please fork this repository, make your changes, and then submit a pull-request.