
Choosing a javascript library to check password entropy (strength) (Secure SPA Aside 1)

Posted: May 3rd, 2013 | Author: | Filed under: Uncategorized | 1 Comment »

I’m writing a series of posts on creating a Single Page App (SPA) using node.js, passport.js, and Angular.

One thing I wanted to do as part of this series is select a javascript library to check and enforce password entropy (strength), ultimately as a way of helping users choose strong passwords. After a few hours of research, I selected zxcvbn.

Why zxcvbn?

But first, a quick note on why zxcvbn. I looked at a few libraries before choosing it:

  • node-complexify, the node port of jQuery complexify. I liked this because it had both the node and jQuery components. In the end, I decided against it because it considers aaaaaaaaaaaaaaaaaaaaaaaaaaa to be a strong password: a checker that scores on length and character classes alone has no way to notice that a 27-character string is really one letter repeated.
  • Gavel seemed to have a better password strength test, and I can see the appeal of having a dedicated password strength test service. However, the additional setup meant that it definitely wasn’t appropriate for a tutorial (also, I would guess it would be a hassle to push to Heroku or another similar hosting service).
  • Mellt is definitely getting closer, basing strength on an estimated brute-force time and banning common passwords. Curiously, though, it estimates 717 thousand years to crack Tr0ub4dour&3, significantly more than expected for a dictionary word with a few predictable substitutions.
  • So finally zxcvbn was the library of choice. It works on both the client and the server, and makes a pretty decent estimate of password strength by matching the password against dictionaries, repeats, sequences and common substitutions rather than just counting character classes.
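To make the difference between the rejected checkers and zxcvbn concrete, here is an added illustration (example code written for this post, not zxcvbn's own code and not any of the libraries above): a class-count-times-length estimate of the kind that makes aaaaaaaaaaaaaaaaaaaaaaaaaaa look strong, next to a minimal pattern-aware estimate that charges a repeat run, a dictionary word with l33t substitutions, or a brute-forced character what an attacker would actually have to guess. The word list, the `LEET` table, the 1e10 guesses-per-second rate and the 40-bit acceptance threshold are all assumptions constructed for the example.

```javascript
// Added example: naive vs pattern-aware password strength estimates.
// Not zxcvbn's algorithm; the word list and parameters below are constructed
// for illustration only.

// Naive estimate: bits = length * log2(size of the character classes used).
// This is the shape of many "complexity" checkers, and it is why a long run of
// one letter scores as strong.
function naiveBits(password) {
  let space = 0;
  if (/[a-z]/.test(password)) space += 26;
  if (/[A-Z]/.test(password)) space += 26;
  if (/[0-9]/.test(password)) space += 10;
  if (/[^a-zA-Z0-9]/.test(password)) space += 33; // printable ASCII symbols
  return space === 0 ? 0 : password.length * Math.log2(space);
}

// Constructed mini word list standing in for a real common-password dictionary.
// Rank (position + 1) is what a dictionary attacker pays to reach the word.
const COMMON = ['password', 'qwerty', 'letmein', 'troubadour',
                'correct', 'horse', 'battery', 'staple'];
const LEET = { '0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's', '7': 't', '@': 'a', '$': 's' };
const LEET_CHARS = /[013457@$]/g;

function unleet(s) {
  return s.replace(LEET_CHARS, ch => LEET[ch]);
}

// Pattern-aware estimate: walk the password left to right, consuming the
// cheapest explanation for the next chunk, and sum the bits per chunk.
function patternBits(password) {
  const byLength = [...COMMON].sort((a, b) => b.length - a.length);
  const matches = [];
  let bits = 0;
  let i = 0;
  while (i < password.length) {
    const rest = password.slice(i);

    // 1. Repeat run ("aaaa..."): one character plus the choice of run length.
    const rep = /^(.)\1+/.exec(rest);
    if (rep) {
      bits += Math.log2(95) + Math.log2(rep[0].length);
      matches.push({ type: 'repeat', token: rep[0] });
      i += rep[0].length;
      continue;
    }

    // 2. Dictionary word with capitalisation and l33t undone: pay the rank,
    //    plus one bit per capital letter used and one per substitution.
    let found = null;
    for (const w of byLength) {
      const cand = rest.slice(0, w.length);
      if (cand.length === w.length && unleet(cand.toLowerCase()) === w) {
        const rank = COMMON.indexOf(w) + 1;
        const caps = /[A-Z]/.test(cand) ? 1 : 0;
        const subs = cand.length - cand.replace(LEET_CHARS, '').length;
        found = { type: 'dictionary', token: cand, bits: Math.log2(rank) + caps + subs };
        break;
      }
    }
    if (found) {
      bits += found.bits;
      matches.push(found);
      i += found.token.length;
      continue;
    }

    // 3. Otherwise the attacker brute-forces one printable ASCII character.
    bits += Math.log2(95);
    matches.push({ type: 'bruteforce', token: rest[0] });
    i += 1;
  }
  return { bits, matches };
}

// Rough offline crack time at an assumed guess rate (assumption; the real
// figure depends on the password hash you store and the attacker's hardware).
function crackSeconds(bits, guessesPerSecond = 1e10) {
  return Math.pow(2, bits) / guessesPerSecond;
}

// The policy a signup form would enforce. Run the same function on the
// server: a client-side check alone is trivially bypassed.
function acceptable(password, minBits = 40) {
  return patternBits(password).bits >= minBits;
}

// Usage (constructed inputs):
for (const pw of ['aaaaaaaaaaaaaaaaaaaaaaaaaaa', 'Tr0ub4dour&3', 'gX7#qLm2!vB']) {
  const p = patternBits(pw);
  console.log(pw, 'naive', naiveBits(pw).toFixed(1), 'pattern', p.bits.toFixed(1),
              'seconds', crackSeconds(p.bits).toExponential(1), 'ok', acceptable(pw));
}
```

The repeated-letter password and the l33t-ified dictionary word both score over 70 bits under the naive estimate and under 20 bits under the pattern-aware one, which is the gap the checkers above fall into. The third, random-looking password scores about the same either way, which is the point: pattern matching only lowers the estimate when there is a pattern to exploit.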


One Comment on “Choosing a javascript library to check password entropy (strength) (Secure SPA Aside 1)”

  1. Daniel Studds » Blog Archive » Adding a registration form (Secure SPA Part 2) said at 6:20 pm on May 3rd, 2013:

    [...] If you’re new here, you should start at Part 1, where we set up Passport.js. Today we’re going to add in a signup page. We’ll be enforcing a minimum password strength (entropy) using zxcvbn, with checks on both the server and client (why I chose zxcvbn). [...]

