• Stars
    star
    237
  • Rank 169,885 (Top 4 %)
  • Language
    JavaScript
  • License
    MIT License
  • Created almost 11 years ago
  • Updated over 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

OWASP Password Strength Test for Node.js

OWASP Password Strength Test

owasp-password-strength-test is a password-strength tester based off of the OWASP Guidelines for enforcing secure passwords. It is lightweight, extensible, has no dependencies, and can be used on the server (nodejs) or in-browser.

owasp-password-strength-test is not an OWASP project - it is merely based off of OWASP research.

Build Status

Installing

Server-side (nodejs)

From the command line:

npm install owasp-password-strength-test

In-browser

Within your document:

<script src='owasp-password-strength-test.js'></script>

Features

This module is built upon the following beliefs:

  1. Passphrases are better than passwords.

  2. Passwords should be subject to stricter complexity requirements than passphrases.

Thus, the module:

  • provides for "required" and "optional" tests. In order to be considered "strong", a password must pass all required tests, as well as a configurable number of optional tests. This makes it possible to always enforce certain rules (like minimum password length), while giving users flexibility to honor only some of a pool of lower-priority rules.

  • encourages the use of passphrases over passwords. Passphrases (by default) are not subject to the same complexity requirements as a password. (Whereby, by default, a "passphrase" can be defined as "a password whose length is greater than or equal to 20 characters.")

  • can be arbitrarily extended as-needed with additional required and optional tests.

Usage

After you've included it into your project, using the module is straightforward:

Server-side

// require the module
var owasp = require('owasp-password-strength-test');

// invoke test() to test the strength of a password
var result = owasp.test('correct horse battery staple');

In-browser

// in the browser, including the script will make a
// `window.owaspPasswordStrengthTest` object available.
var result = owaspPasswordStrengthTest.test('correct horse battery staple');

The returned value will take this shape when the password is valid:

{
  errors              : [],
  failedTests         : [],
  requiredTestErrors  : [],
  optionalTestErrors  : [],
  passedTests         : [ 0, 1, 2, 3, 4, 5, 6 ],
  isPassphrase        : false,
  strong              : true,
  optionalTestsPassed : 4
}

... and will take this shape when the password is invalid:

{
  errors: [
      'The password must be at least 10 characters long.',
      'The password must contain at least one uppercase letter.',
      'The password must contain at least one number.',
      'The password must contain at least one special character.'
    ],
    failedTests         : [ 0, 4, 5, 6 ],
    passedTests         : [ 1, 2, 3 ],
    requiredTestErrors  : [
      'The password must be at least 10 characters long.',
    ],
    optionalTestErrors  : [
      'The password must contain at least one uppercase letter.',
      'The password must contain at least one number.',
      'The password must contain at least one special character.'
    ],
    isPassphrase        : false,
    strong              : false,
    optionalTestsPassed : 1
}

Whereby:

  • errors is an array of strings of error messages associated with the failed tests.

  • failedTests enumerates which tests have failed, beginning from 0 with the first required test

  • passedTests enumerates which tests have succeeded, beginning from 0 with the first required test

  • requiredTestErrors is an array containing the error messages of required tests that have failed.

  • optionalTestErrors is an array containing the error messages of optional tests that have failed.

  • isPassphrase is a boolean indicating whether or not the password was considered to be a passphrase.

  • strong is a boolean indicating whether or not the user's password satisfied the strength requirements.

  • optionalTestsPassed is a number indicating how many of the optional tests were passed. In order for the password to be considered "strong", it (by default) must either be a passphrase, or must pass a number of optional tests that is equal to or greater than configs.minOptionalTestsToPass.

Configuring

The module may be configured as follows:

var owasp = require('owasp-password-strength-test');

// Pass a hash of settings to the `config` method. The settings shown here are
// the defaults.
owasp.config({
  allowPassphrases       : true,
  maxLength              : 128,
  minLength              : 10,
  minPhraseLength        : 20,
  minOptionalTestsToPass : 4,
});

Whereby:

  • allowPassphrases is a boolean that toggles the "passphrase" mechanism on and off. If set to false, the strength-checker will abandon the notion of "passphrases", and will subject all passwords to the same complexity requirements.

  • maxLength is a constraint on a password's maximum length.

  • minLength is a constraint on a password's minimum length.

  • minPhraseLength is the minimum length a password needs to achieve in order to be considered a "passphrase" (and thus exempted from the optional complexity tests by default).

  • minOptionalTestsToPass is the minimum number of optional tests that a password must pass in order to be considered "strong". By default (per the OWASP guidelines), four optional complexity tests are made, and a password must pass at least three of them in order to be considered "strong".

Extending

If you would like to filter passwords through additional tests beyond the default, you may simply push new tests onto the appropriate arrays within the module's test object:

var owasp = require('owasp-password-strength-test');

// push "required" tests onto `tests.required` array, and push "optional" tests
// onto the `tests.optional` array.
owasp.tests.required.push(function(password) {
  if (password === 'one two three four five') {
    return "That's the kind of thing an idiot would have on his luggage!";
  }
});

Test functions must resemble the following:

// accept the password as the single argument
function(password) {

  // the "if" conditional should evaluate to `true` if the password is bad
  if (thePasswordIsBad) {

    // On password failure, a string should be returned. It will be pushed
    // onto an array of errors associated with the password.
    return "This is the failure message associated with the test";
  }

  // if the password is OK, nothing should be returned
}

Testing

To run the module's test suite, cd into its directory and run npm test. You may first need to run npm install to install the required development dependencies. (These dependencies are not required in a production environment, and facilitate only unit testing.)

Contributing

If you would like to contribute code, please fork this repository, make your changes, and then submit a pull-request.

More Repositories

1

r2frida

Radare2 and Frida better together.
TypeScript
1,159
star
2

fsmon

monitor filesystem on iOS / OS X / Android / FirefoxOS / Linux
C
881
star
3

secure-mobile-development

A Collection of Secure Mobile Development Best Practices
CSS
552
star
4

node-applesign

NodeJS module and commandline utility for re-signing iOS applications (IPA files).
JavaScript
420
star
5

frida-cycript

Cycript fork powered by Frida.
C
374
star
6

android-forensics

Open source Android Forensics app and framework
Java
360
star
7

frida-trace

Trace APIs declaratively through Frida.
JavaScript
217
star
8

airspy

AirSpy - Frida-based tool for exploring and tracking the evolution of Apple's AirDrop protocol implementation on i/macOS, from the server's perspective. Released during BH USA 2019 Training https://www.nowsecure.com/event/advanced-frida-and-radare-a-hackers-delight/
TypeScript
143
star
9

samsung-ime-rce-poc

Samsung Remote Code Execution as System User
Python
121
star
10

cybertruckchallenge19

Android security workshop material taught during the CyberTruck Challenge 2019 (Detroit USA).
Java
95
star
11

dirtycow

radare2 IO plugin for Linux and Android. Modifies files owned by other users via dirtycow Copy-On-Write cache vulnerability
C
92
star
12

r2lldb

radare2-lldb integration
Python
62
star
13

mobile-incident-response

Mobile Incident Response Book
CSS
59
star
14

frida-uikit

Inspect and manipulate UIKit-based GUIs through Frida.
JavaScript
52
star
15

frida-uiwebview

Inspect and manipulate UIWebView-hosted GUIs through Frida.
JavaScript
46
star
16

nscrypto-cpp

A C++11 library providing simple API for public-key encryption
C
46
star
17

frida-fs

Create a stream from a filesystem resource.
TypeScript
45
star
18

frida-screenshot

Grab screenshots using Frida.
TypeScript
40
star
19

android-rce-multidex-and-zip-files

PoC code for android RCE with multidex and ZIP files
Python
40
star
20

r2frida-book

The radare2 + frida book for Mobile Application assessment
CSS
39
star
21

ipa-extract-info

Extract the Info.plist from an IPA
JavaScript
37
star
22

nowsecure-action

The NowSecure Action delivers fast, accurate, automated security analysis of iOS and Android apps coded in any language
TypeScript
37
star
23

mjolner

Cycript backend powered by Frida.
JavaScript
25
star
24

frida-remote-stream

Create an outbound stream over a message transport.
TypeScript
18
star
25

frida-panic

Easy crash-reporting for Frida-based applications.
JavaScript
17
star
26

datagrid-gtk3

MVC framework for working with the Gtk3 TreeView widget
Python
16
star
27

androguard

Fork of https://github.com/androguard/androguard w/ bug fixes tests
Python
13
star
28

node-nscrypto

Node.js bindings for nscrypto-cpp
C++
11
star
29

mobile-security-report

The NowSecure Mobile Security Report
CSS
10
star
30

frida-memory-stream

Create a stream from one or more memory regions.
TypeScript
10
star
31

node-macho-entitlements

NodeJS library to extract the entitlements from MACH-O or FAT-MACH-O binaries
JavaScript
10
star
32

node-fatmacho

fat mach-o file-format parsers
JavaScript
9
star
33

nowsecure-sbom-action

Generate a Mobile SBOM for an application and submit to the Dependency submission API
9
star
34

disk-buffer

Disk buffer as a writable stream
JavaScript
8
star
35

nsq-bundle

JavaScript
8
star
36

macho-is-encrypted

Check if your Mach-O bin is encrypted
JavaScript
6
star
37

epf-parser

Parse iTunes Enterprise Partner Feeds.
JavaScript
6
star
38

nowsecure-platform-cli

CLI tool for starting Nowsecure auto security assessments for Android and iOS mobile app
JavaScript
5
star
39

level-throttle

A key-based throttling mechanism for levelup-compliant data stores.
JavaScript
5
star
40

iojs-cydia

Builder for the io.js packages for Cydia
Makefile
4
star
41

interval-to-ltgt

Convert an interval string to a levelup style ltgt object
JavaScript
4
star
42

macho-ts

TypeScript
4
star
43

goidevice

Golang bindings for the libimobiledevice library.
Go
4
star
44

apt-packages-diff

Rust
3
star
45

gitlabci

Dockerfile
3
star
46

auto-gitlab-plugin

Dockerfile
3
star
47

ipa-extract-exec

Extract the executable from an IPA file along with helpful meta data.
JavaScript
3
star
48

auto-jenkins-plugin

NowSecure Auto Security Test Jenkins Plugin
Java
2
star
49

cybertruckchallenge22

Android security workshop material taught during the CyberTruck Challenge 2022 (Michigan USA).
Java
2
star
50

NowSecure-Android-Root-Detection-Test-App

Test app for NowSecure Root Detection Bypass tutorial
2
star
51

auto-azure-extension

Azure DevOps Extension for NowSecure Auto Security Test
TypeScript
2
star
52

test-apks

2
star
53

Exploiting-Android-WebViews-with-Frida

Kotlin
1
star
54

auto-circleci-plugin

NowSecure Auto Security Test CircleCI Plugin
Java
1
star
55

bitrise-step-nowsecure-auto-analysis

Shell
1
star