  • Stars: 312
  • Rank: 133,724 (Top 3 %)
  • Language: Java
  • License: MIT License
  • Created almost 9 years ago
  • Updated 3 months ago

Repository Details

This is a Java port of zxcvbn, which is a JavaScript password strength estimator.

zxcvbn4j

This is a Java port of zxcvbn, a password strength estimator written in JavaScript and inspired by password crackers. Through pattern matching and conservative estimation, it recognizes and weighs 30k common passwords, common names and surnames according to US census data, popular English words from Wikipedia and US television and movies, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.

Update

The following versions are ports of zxcvbn 4.4.2

  • 2022/04/13 1.7.0 released.
  • 2022/04/05 1.6.0 released.
  • 2021/06/08 1.5.2 released.
  • 2021/06/05 1.5.1 released.
  • 2021/04/26 1.5.0 released.
  • 2021/03/22 1.4.1 released.
  • 2021/02/19 1.4.0 released.
  • 2021/02/09 1.3.6 released.
  • 2021/02/02 1.3.5 released.
  • 2021/01/26 1.3.4 released.
  • 2021/01/21 1.3.3 released.
  • 2021/01/19 1.3.2 released.
  • 2020/10/28 1.3.1 released.
  • 2019/10/19 1.3.0 released.
  • 2019/07/23 1.2.7 released.
  • 2019/07/16 1.2.6 released.
  • 2018/03/30 1.2.5 released.
  • 2018/02/27 1.2.4 released.
  • 2017/03/27 1.2.3 released.

The following versions are ports of zxcvbn 4.4.1

  • 2016/12/07 1.2.2 released.
  • 2016/12/03 1.2.1 released.

The following version is a port of zxcvbn 4.4.0

  • 2016/10/29 1.2.0 released.

The following versions are ports of zxcvbn 4.3.0

  • 2016/10/01 1.1.6 released.
  • 2016/09/27 1.1.5 released.
  • 2016/07/08 1.1.4 released.
  • 2016/05/27 1.1.3 released.
  • 2016/05/25 1.1.2 released.
  • 2016/03/19 1.1.1 released.
  • 2016/03/06 1.1.0 released.

The following versions are ports of zxcvbn 4.2.0

  • 2016/01/28 1.0.2 released.
  • 2016/01/27 1.0.1 released.
  • 2015/12/24 1.0.0 released.

Special Features

Customize internal dictionaries and keyboards

  • Customize the dictionary and keyboard layout used by the measurement algorithm.

Localize feedback messages

  • zxcvbn4j can localize the English feedback messages into other languages.

Support some languages by default

JIS keyboard layout

  • Spatial matching includes the JIS keyboard layout.

Password args accept CharSequence as well as String

  • This gives a lot more flexibility in what format the password can be in.
  • Also attempts to avoid using Strings for any sensitive intermediate objects.

Install

https://mvnrepository.com/artifact/com.nulab-inc/zxcvbn/1.7.0

Gradle:

implementation 'com.nulab-inc:zxcvbn:1.7.0'

Maven:

<dependency>
  <groupId>com.nulab-inc</groupId>
  <artifactId>zxcvbn</artifactId>
  <version>1.7.0</version>
</dependency>

Development

$ git clone https://github.com/nulab/zxcvbn4j.git
$ cd ./zxcvbn4j
$ ./gradlew build    # build
$ ./gradlew test     # test
$ ./gradlew jmh      # benchmark

Usage

Basic

This is also available on Android.

Zxcvbn zxcvbn = new Zxcvbn();
Strength strength = zxcvbn.measure("This is password");

If you want to add your own dictionary, pass the keywords as a List in the second argument.

List<String> sanitizedInputs = new ArrayList<>();
sanitizedInputs.add("nulab");
sanitizedInputs.add("backlog");
sanitizedInputs.add("cacoo");
sanitizedInputs.add("typetalk");

Zxcvbn zxcvbn = new Zxcvbn();
Strength strength = zxcvbn.measure("This is password", sanitizedInputs);

Strength Properties

The returned result is a "Strength" object. It is almost the same as the result returned by zxcvbn.

# estimated guesses needed to crack password
strength.guesses

# order of magnitude of strength.guesses
strength.guessesLog10

# dictionary of back-of-the-envelope crack time
# estimations, in seconds, based on a few scenarios
strength.crackTimeSeconds
{
  # online attack on a service that ratelimits password auth attempts.
  onlineThrottling100PerHour

  # online attack on a service that doesn't ratelimit,
  # or where an attacker has outsmarted ratelimiting.
  onlineNoThrottling10PerSecond

  # offline attack. assumes multiple attackers,
  # proper user-unique salting, and a slow hash function
  # w/ moderate work factor, such as bcrypt, scrypt, PBKDF2.
  offlineSlowHashing1e4PerSecond

  # offline attack with user-unique salting but a fast hash
  # function like SHA-1, SHA-256 or MD5. A wide range of
  # reasonable numbers anywhere from one billion - one trillion
  # guesses per second, depending on number of cores and machines.
  # ballparking at 10B/sec.
  offlineFastHashing1e10PerSecond
}

# same keys as strength.crackTimeSeconds,
# with friendlier display string values:
# "less than a second", "3 hours", "centuries", etc.
strength.crackTimeDisplay

# Integer from 0-4 (useful for implementing a strength bar)
# 0 Weak        (guesses < 10^3 + 5)
# 1 Fair        (guesses < 10^6 + 5)
# 2 Good        (guesses < 10^8 + 5)
# 3 Strong      (guesses < 10^10 + 5)
# 4 Very strong (guesses >= 10^10 + 5)
strength.score

# verbal feedback to help choose better passwords. set when score <= 2.
strength.feedback
{
  # explains what's wrong, eg. 'this is a top-10 common password'.
  # not always set -- sometimes an empty string
  warning

  # a possibly-empty list of suggestions to help choose a less
  # guessable password. eg. 'Add another word or two'
  suggestions
}

# the list of patterns that zxcvbn based the guess calculation on.
strength.sequence

# how long it took zxcvbn to calculate an answer, in milliseconds.
strength.calc_time
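
The properties above are typically consumed in a registration or password-change check. The following is an added example, not code from the zxcvbn4j project: the PasswordPolicy class, the MIN_SCORE threshold and the sample account are assumptions, and it relies on the library's getScore() getter alongside the getFeedback(), getWarning() and getSuggestions() calls shown on this page.

```java
import com.nulabinc.zxcvbn.Feedback;
import com.nulabinc.zxcvbn.Strength;
import com.nulabinc.zxcvbn.Zxcvbn;

import java.nio.CharBuffer;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Hypothetical registration check built on the Strength properties listed above. */
public class PasswordPolicy {

    private static final int MIN_SCORE = 3; // assumed policy threshold: "Strong" or better
    private final Zxcvbn zxcvbn = new Zxcvbn(); // built once and reused for every check

    /** Returns an empty list when the password is accepted, otherwise messages for the user. */
    public List<String> check(char[] password, String username, String email) {
        // Account-specific values are passed as an extra dictionary, so a password
        // derived from the user's own name or address is scored as a dictionary hit.
        List<String> userInputs = new ArrayList<>();
        userInputs.add(username);
        userInputs.add(email);
        int at = email.indexOf('@');
        if (at > 0) userInputs.add(email.substring(0, at));

        // CharBuffer is a CharSequence view over the array: no String copy is made here.
        Strength strength = zxcvbn.measure(CharBuffer.wrap(password), userInputs);

        List<String> problems = new ArrayList<>();
        if (strength.getScore() < MIN_SCORE) {
            Feedback feedback = strength.getFeedback();
            String warning = feedback.getWarning();
            if (warning != null && !warning.isEmpty()) problems.add(warning);
            problems.addAll(feedback.getSuggestions());
            if (problems.isEmpty()) problems.add("Password is too easy to guess.");
        }
        return problems;
    }

    public static void main(String[] args) {
        PasswordPolicy policy = new PasswordPolicy();
        char[] candidate = "alice2024".toCharArray(); // constructed sample: embeds the username
        List<String> problems = policy.check(candidate, "alice", "alice@example.com");
        Arrays.fill(candidate, '\0'); // wipe the array once it is no longer needed
        System.out.println(problems.isEmpty() ? "accepted" : "rejected: " + problems);
    }
}
```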

Customize internal dictionaries and keyboards

A Zxcvbn instance can be built with ZxcvbnBuilder. ZxcvbnBuilder lets you customize the dictionaries and keyboards used in measurements.

Use resources on the classpath

ClasspathResource reads your own dictionary and keyboard files from the classpath. DictionaryLoader loads a dictionary file. SlantedKeyboardLoader and AlignedKeyboardLoader load keyboard files.

Zxcvbn zxcvbn = new ZxcvbnBuilder()
        .dictionary(new DictionaryLoader("us_tv_and_film", new ClasspathResource("/com/nulabinc/zxcvbn/matchers/dictionarys/us_tv_and_film.txt")).load())
        .keyboard(new SlantedKeyboardLoader("qwerty", new ClasspathResource("/com/nulabinc/zxcvbn/matchers/keyboards/qwerty.txt")).load())
        .keyboard(new AlignedKeyboardLoader("keypad", new ClasspathResource("/com/nulabinc/zxcvbn/matchers/keyboards/keypad.txt")).load())
        .build();

Use resources fetched via HTTP

To use dictionary and keyboard files from somewhere other than the classpath, implement the Resource interface. The following code is an example of fetching and loading a file via HTTP(S).

URL dictionaryURL = new URL("https://example.com/foo/dictionary.txt");
Resource myDictionaryResource = new MyResourceOverHTTP(dictionaryURL);

URL keyboardURL = new URL("https://example.com/bar/keyboard.txt");
Resource myKeyboardURLResource = new MyResourceOverHTTP(keyboardURL);

Zxcvbn zxcvbn = new ZxcvbnBuilder()
        .dictionary(new DictionaryLoader("my_dictionary", myDictionaryResource).load())
        .keyboard(new SlantedKeyboardLoader("my_keyboard", myKeyboardURLResource).load())
        .build();

public class MyResourceOverHTTP implements Resource {

    private URL url;

    public MyResourceOverHTTP(URL url) {
        this.url = url;
    }

    @Override
    public InputStream getInputStream() throws IOException {
        HttpURLConnection conn = (HttpURLConnection) this.url.openConnection();
        return conn.getInputStream();
    }
}

Use file resources outside the classpath

The following code is an example of using files in directories outside the classpath.

File dictionaryFile = new File("/home/foo/dictionary.txt");
Resource myDictionaryResource = new MyResourceFromFile(dictionaryFile);

File keyboardFile = new File("/home/bar/keyboard.txt");
Resource myKeyboardURLResource = new MyResourceFromFile(keyboardFile);

Zxcvbn zxcvbn = new ZxcvbnBuilder()
    .dictionary(new DictionaryLoader("my_dictionary", myDictionaryResource).load())
    .keyboard(new SlantedKeyboardLoader("my_keyboard", myKeyboardURLResource).load())
    .build();

public class MyResourceFromFile implements Resource {

    private File file;

    public MyResourceFromFile(File file) {
        this.file = file;
    }

    @Override
    public InputStream getInputStream() throws IOException {
        return new FileInputStream(this.file);
    }
}

Use all default resources

StandardDictionaries.loadAllDictionaries() loads all default dictionary files. StandardKeyboards.loadAllKeyboards() loads all default keyboard files.

Zxcvbn zxcvbn = new Zxcvbn();

or

Zxcvbn zxcvbn = new ZxcvbnBuilder()
    .dictionaries(StandardDictionaries.loadAllDictionaries())
    .keyboards(StandardKeyboards.loadAllKeyboards())
    .build();

Select from and use default resources

The following code selects some of the default dictionaries and keyboards.

Zxcvbn zxcvbn = new ZxcvbnBuilder()
    .dictionary(StandardDictionaries.ENGLISH_WIKIPEDIA_LOADER.load())
    .dictionary(StandardDictionaries.PASSWORDS_LOADER.load())
    .keyboard(StandardKeyboards.QWERTY_LOADER.load())
    .keyboard(StandardKeyboards.DVORAK_LOADER.load())
    .build();

Localize feedback messages

zxcvbn4j can localize the English feedback messages into other languages.

Localize each feedback

// Get the Strength instance.
Zxcvbn zxcvbn = new Zxcvbn();
Strength strength = zxcvbn.measure("This is password");

// Get the ResourceBundle based on the name and locale of the property file(※).
ResourceBundle resourceBundle = ResourceBundle.getBundle("This is bundle name", Locale.JAPAN);

// Pass the ResourceBundle to the Feedback to generate a localized Feedback.
Feedback feedback = strength.getFeedback();
Feedback localizedFeedback = feedback.withResourceBundle(resourceBundle);

// getSuggestions() and getWarning() return localized feedback messages.
List<String> localizedSuggestions = localizedFeedback.getSuggestions();
String localizedWarning = localizedFeedback.getWarning();

※ Define the keys and messages in the properties file. See messages.properties for reference.

Localize each locale

Strength strength = zxcvbn.measure(password);
Feedback feedback = strength.getFeedback();

Map<Locale, ResourceBundle> messages = new HashMap<>();
messages.put(Locale.JAPANESE, ResourceBundle.getBundle("This is bundle name", Locale.JAPANESE));
messages.put(Locale.ITALIAN, ResourceBundle.getBundle("This is bundle name", Locale.ITALIAN));
Feedback replacedFeedback = feedback.replaceResourceBundle(messages);

Requires Java

  • Java 1.7+

Using this library

Bugs and Feedback

For bugs, questions and discussions please use the GitHub Issues.

License

MIT License
