zxcvbn - Low-Budget Password Strength Estimation

zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative estimation, it recognizes and weighs 30k common passwords, common names and surnames according to US census data, popular English words from Wikipedia and US television and movies, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak. Consider using zxcvbn as an algorithmic alternative to password composition policy: it is more secure, flexible, and usable when sites require a minimal complexity score in place of annoying rules like "passwords must contain three of {lower, upper, numbers, symbols}".

https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler
https://github.com/dropbox/zxcvbn

Related Projects

zxcvbn-php - Realistic PHP password strength estimate library based on Zxcvbn JS

  •    PHP

Zxcvbn-PHP is a password strength estimator using pattern matching and minimum entropy calculation. Zxcvbn-PHP is based on the JavaScript zxcvbn project from Dropbox and @lowe. "zxcvbn" is a bad password, just like "qwerty" and "123456". zxcvbn attempts to give sound password advice through pattern matching and conservative entropy calculations. It finds 10k common passwords, common American names and surnames, common English words, and common patterns like dates, repeats (aaa), sequences (abcd), and QWERTY patterns.

vue-password-strength-meter - Password strength meter based on zxcvbn in vue.js

  •    Javascript

You can customize the styling of the input field, badge and strength-meter by passing your own CSS classes to defaultClass, strengthMeterClass etc. For a detailed explanation of how things work, check out the guide and docs for vue-loader.

zxcvbn - realistic password strength estimation

  •    CoffeeScript

realistic password strength estimation

hsimp - How Secure is My Password for your own website

  •    HTML

Now you can use the howsecureismypassword.net password strength meter on your own sites. Rather than just saying a password is "weak" or "strong", How Secure is My Password? lets your users know how long it would take someone to crack their password. It also checks against the top 10,000 most common passwords as well as a number of other checks (such as repeated strings, telephone numbers, and words followed by numbers).

cupp - Common User Passwords Profiler (CUPP)

  •    Python

The most common form of authentication is the combination of a username and a password or passphrase. If both match values stored within a locally stored table, the user is authenticated for a connection. Password strength is a measure of the difficulty involved in guessing or breaking the password through cryptographic techniques or library-based automated testing of alternate values. A weak password might be very short or only use alphanumeric characters, making decryption simple. A weak password can also be one that is easily guessed by someone profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money or password.


Notebook PEA - Text Editor with Password Encryption

  •    Java

Password encryption tool with built-in text editor, to protect private notes. The program offers some styling and editing functionality for the text, a password generator, a password-strength meter and a virtual keyboard. The text is protected using authenticated encryption.

python-zxcvbn - A realistic password strength estimator.

  •    Python

A realistic password strength estimator.

hashview - A web front-end for password cracking and analytics

  •    CSS

Hashview is a tool for security professionals to help organize and automate the repetitious tasks related to password cracking. Hashview is a web application that manages hashcat (https://hashcat.net) commands. Hashview strives to bring consistency in your hashcat tasks while delivering analytics with pretty pictures ready for ctrl+c, ctrl+v into your reports. Please see the Contribution Guide for how to develop and contribute. If you have any problems, please consult the Issues page first. If you don't see a related issue, feel free to add one and we'll help.

wifi-cracking - Crack WPA/WPA2 Wi-Fi Routers with Airodump-ng and Aircrack-ng/Hashcat

Crack WPA/WPA2 Wi-Fi Routers with Airodump-ng and Aircrack-ng/Hashcat. This is a brief walk-through tutorial that illustrates how to crack Wi-Fi networks that are secured using weak passwords. It is not exhaustive, but it should be enough information for you to test your own network's security or break into one nearby. The attack outlined below is entirely passive (listening only, nothing is broadcast from your computer) and it is impossible to detect provided that you don't actually use the password that you crack. An optional active deauthentication attack can be used to speed up the reconnaissance process and is described at the end of this document.

Navajo - Password Validator & Strength Evaluator

  •    Objective-C

Navajo is named in honor of the famed code talkers of the Second World War. Password strength is evaluated in terms of information entropy.

rtl-entropy - An entropy generator using SDR peripherals, including rtl-sdr and BladeRF

  •    C

rtl-entropy is software using rtl-sdr to turn your DVB-T dongle into a high quality entropy source. It samples atmospheric noise, does Von-Neumann debiasing, runs it through the FIPS 140-2 tests, then optionally (-e) does Kaminsky debiasing if it passes the FIPS tests, then writes to the output. It can be run as a Daemon which by default writes to a FIFO, which can be read by rngd to add entropy to the system pool. If you're serious about the cryptographic security of your entropy source, you should probably short, or put a 75 Ohm load on the antenna port, and put the whole assembly in a shielded box. Then you're getting entropy from the thermal noise of the amplifiers which is much harder to interfere with than atmospheric radio.

PassGAN - A Deep Learning Approach for Password Guessing (https://arxiv.org/abs/1709.00440)

  •    Python

This repository contains code for the PassGAN: A Deep Learning Approach for Password Guessing paper. Use the pretrained model to generate 1,000,000 passwords, saving them to gen_passwords.txt.

brainflayer - A proof-of-concept cracker for cryptocurrency brainwallets and other low entropy key algorithms

  •    C

Brainflayer is a Proof-of-Concept brainwallet cracking tool that uses libsecp256k1 for pubkey generation. It was originally released as part of my DEFCON talk about cracking brainwallets (slides, video, why). The name is a reference to Mind Flayers, a race of monsters from the Dungeons & Dragons role-playing game. They eat brains, psionically enslave people and look like lovecraftian horrors.

jquery

  •    Javascript

Websites have a responsibility to accurately inform users of password strength, both to better secure data, and to educate users about what constitutes a good password. Complexify aims to provide a good measure of password complexity for websites to use both for giving hints to users in the form of strength bars, and for casually enforcing a minimum complexity for security reasons.

masterkey - secure interactive password manager with xchacha20poly1305, argon2id, and Go

  •    Go

masterkey is a simple, secure password manager written in Go. It uses xchacha20poly1305 for authenticated encryption and argon2id for key derivation. It stores credentials given a location, where each credential is represented by a Username and a Password. Locations, Usernames, and Passwords are always encrypted using an argon2id key derived from the input passphrase. Unlike password-store and a few other password managers, an attacker with access to the encrypted database cannot discern exactly how many passwords are stored, the labels (locations) for the passwords, or the usernames associated with the passwords. Now create your vault; in this example we'll create it at ./vault.db. New vaults are created using the -new flag; existing vaults can be opened by simply omitting the -new flag.

KeychainCracker - macOS keychain cracking tool

  •    Objective-C

macOS keychain cracking tool. I wrote this software in order to help relatives of a deceased friend to recover data from his computer. Please enjoy it responsibly, and please do not hack/harm people.

Google Authenticator - Two factor authentication

  •    Java

The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module (PAM). One-time passcodes are generated using open standards developed by the Initiative for Open Authentication (OATH). These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238.

jBCrypt - A Java implementation of OpenBSD's Blowfish password hashing code

  •    Java

jBCrypt is an implementation of the OpenBSD Blowfish password hashing algorithm, as described in "A Future-Adaptable Password Scheme" by Niels Provos and David Mazieres. This system hashes passwords using a version of Bruce Schneier's Blowfish block cipher with modifications designed to raise the cost of off-line password cracking. The computation cost of the algorithm is parameterised, so it can be increased as computers get faster.