zxcvbn4j
This is a java port of zxcvbn, which is a password strength estimator inspired by password crackers written on JavaScript.
Through pattern matching and conservative estimation, it recognizes and weighs 30k common passwords, common names and surnames according to US census data, popular English words from Wikipedia and US television and movies, and other common patterns like dates, repeats (aaa
), sequences (abcd
), keyboard patterns (qwertyuiop
), and l33t speak.
Related articles:
Table Contents
- Update
- Special Features
- Install
- Development
- Usage
- Requires Java
- Using this library
- Bugs and Feedback
- License
Update
The following version is a port of zxcvbn 4.4.2
- 2022/04/13 1.7.0 released.
- 2022/04/05 1.6.0 released.
- 2021/06/08 1.5.2 released.
- 2021/06/05 1.5.1 released.
- 2021/04/26 1.5.0 released.
- 2021/03/22 1.4.1 released.
- 2021/02/19 1.4.0 released.
- 2021/02/09 1.3.6 released.
- 2021/02/02 1.3.5 released.
- 2021/01/26 1.3.4 released.
- 2021/01/21 1.3.3 released.
- 2021/01/19 1.3.2 released.
- 2020/10/28 1.3.1 released.
- 2019/10/19 1.3.0 released.
- 2019/07/23 1.2.7 released.
- 2019/07/16 1.2.6 released.
- 2018/03/30 1.2.5 released.
- 2018/02/27 1.2.4 released.
- 2017/03/27 1.2.3 released.
The following version is a port of zxcvbn 4.4.1
- 2016/12/07 1.2.2 released.
- 2016/12/03 1.2.1 released.
The following version is a port of zxcvbn 4.4.0
- 2016/10/29 1.2.0 released.
The following version is a port of zxcvbn 4.3.0
- 2016/10/01 1.1.6 released.
- 2016/09/27 1.1.5 released.
- 2016/07/08 1.1.4 released.
- 2016/05/27 1.1.3 released.
- 2016/05/25 1.1.2 released.
- 2016/03/19 1.1.1 released.
- 2016/03/06 1.1.0 released.
The following version is a port of zxcvbn 4.2.0
- 2016/01/28 1.0.2 released.
- 2016/01/27 1.0.1 released.
- 2015/12/24 1.0.0 released.
Special Features
Customize internal dictionaries and keyboards
- Customize the dictionary and keyboard layout used by the measurement algorithm.
Localize feedback messages
- The zxcvbn4j can be localized the english feedback message to other languages.
Support some languages by default
JIS keyboard layout
- It includes JIS keyboard layout in spatial matching.
Password args accept CharSequence as well as String
- This gives a lot more flexibility in what format the password can be in.
- Also attempts to avoid using Strings for any sensitive intermediate objects.
Install
https://mvnrepository.com/artifact/com.nulab-inc/zxcvbn/1.7.0
Gradle:
compile 'com.nulab-inc:zxcvbn:1.7.0'
Maven:
<dependency>
<groupId>com.nulab-inc</groupId>
<artifactId>zxcvbn</artifactId>
<version>1.7.0</version>
</dependency>
Development
$ git clone https://github.com/nulab/zxcvbn4j.git
$ cd ./zxcvbn4j
$ ./gradlew build # build
$ ./gradlew test # test
$ ./gradlew jmh # benchmark
Usage
Basic
This is also available Android.
Zxcvbn zxcvbn = new Zxcvbn();
Strength strength = zxcvbn.measure("This is password");
If you want to add your own dictionary, put the keyword list of List type to the second argument.
List<String> sanitizedInputs = new ArrayList();
sanitizedInputs.add("nulab");
sanitizedInputs.add("backlog");
sanitizedInputs.add("cacoo");
sanitizedInputs.add("typetalk");
Zxcvbn zxcvbn = new Zxcvbn();
Strength strength = zxcvbn.measure("This is password", sanitizedInputs);
Strength Properties
The return result is "Strength". It's almost the same as zxcvbn.
# estimated guesses needed to crack password
strength.guesses
# order of magnitude of strength.guesses
strength.guessesLog10
# dictionary of back-of-the-envelope crack time
# estimations, in seconds, based on a few scenarios
strength.crackTimeSeconds
{
# online attack on a service that ratelimits password auth attempts.
onlineThrottling100PerHour
# online attack on a service that doesn't ratelimit,
# or where an attacker has outsmarted ratelimiting.
onlineNoThrottling10PerSecond
# offline attack. assumes multiple attackers,
# proper user-unique salting, and a slow hash function
# w/ moderate work factor, such as bcrypt, scrypt, PBKDF2.
offlineSlowHashing1e4PerSecond
# offline attack with user-unique salting but a fast hash
# function like SHA-1, SHA-256 or MD5. A wide range of
# reasonable numbers anywhere from one billion - one trillion
# guesses per second, depending on number of cores and machines.
# ballparking at 10B/sec.
offlineFastHashing1e10PerSecond
}
# same keys as result.crack_time_seconds,
# with friendlier display string values:
# "less than a second", "3 hours", "centuries", etc.
strength.crackTimeDisplay
# Integer from 0-4 (useful for implementing a strength bar)
# 0 Weak οΌguesses < 10^3 + 5οΌ
# 1 Fair οΌguesses < 10^6 + 5οΌ
# 2 Good οΌguesses < 10^8 + 5οΌ
# 3 Strong οΌguesses < 10^10 + 5οΌ
# 4 Very strong οΌguesses >= 10^10 + 5οΌ
strength.score
# verbal feedback to help choose better passwords. set when score <= 2.
strength.feedback
{
# explains what's wrong, eg. 'this is a top-10 common password'.
# not always set -- sometimes an empty string
warning
# a possibly-empty list of suggestions to help choose a less
# guessable password. eg. 'Add another word or two'
suggestions
}
# the list of patterns that zxcvbn based the guess calculation on.
strength.sequence
# how long it took zxcvbn to calculate an answer, in milliseconds.
strength.calc_time
Customize internal dictionaries and keyboards
Zxcvbn
can build with ZxcvbnBuilder
.
ZxcvbnBuilder
can customize dictionaries and keyboards used in measurements.
Use resources on the classpath
ClasspathResource
can get your own dictionary and keyboard file on the classpath.
DictionaryLoader
load dictionary file.
SlantedKeyboardLoader
and AlignedKeyboardLoader
load keyboard file.
Zxcvbn zxcvbn = new ZxcvbnBuilder()
.dictionary(new DictionaryLoader("us_tv_and_film", new ClasspathResource("/com/nulabinc/zxcvbn/matchers/dictionarys/us_tv_and_film.txt")).load())
.keyboard(new SlantedKeyboardLoader("qwerty", new ClasspathResource("/com/nulabinc/zxcvbn/matchers/keyboards/qwerty.txt")).load())
.keyboard(new AlignedKeyboardLoader("keypad", new ClasspathResource("/com/nulabinc/zxcvbn/matchers/keyboards/keypad.txt")).load())
.build();
Use resources get via HTTP
To use dictionary and keyboard files other than the classpath, implement the Resource interface
.
This code is an example of getting and loading a file via HTTP(s).
URL dictionaryURL = new URL("https://example.com/foo/dictionary.txt");
Resource myDictionaryResource = new MyResourceOverHTTP(dictionaryURL);
URL keyboardURL = new URL("https://example.com/bar/keyboard.txt");
Resource myKeyboardURLResource = new MyResourceOverHTTP(keyboardURL);
Zxcvbn zxcvbn = new ZxcvbnBuilder()
.dictionary(new DictionaryLoader("my_dictionary", myDictionaryResource).load())
.keyboard(new SlantedKeyboardLoader("my_keyboard", myKeyboardURLResource).load())
.build();
public class MyResourceOverHTTP implements Resource {
private URL url;
public MyResourceOverHTTP(URL url) {
this.url = url;
}
@Override
public InputStream getInputStream() throws IOException {
HttpURLConnection conn = (HttpURLConnection) this.url.openConnection();
return conn.getInputStream();
}
}
Use file resources other than classpath
This code is an example of using files in other directories than the classpath.
File dictionaryFile = new File("/home/foo/dictionary.txt");
Resource myDictionaryResource = new MyResourceFromFile(dictionaryFile);
File keyboardFile = new File("/home/bar/keyboard.txt");
Resource myKeyboardURLResource = new MyResourceFromFile(keyboardFile);
Zxcvbn zxcvbn = new ZxcvbnBuilder()
.dictionary(new DictionaryLoader("my_dictionary", myDictionaryResource).load())
.keyboard(new SlantedKeyboardLoader("my_keyboard", myKeyboardURLResource).load())
.build();
public class MyResourceFromFile implements Resource {
private File file;
public MyResourceFromFile(File file) {
this.file = file;
}
@Override
public InputStream getInputStream() throws IOException {
return new FileInputStream(this.file);
}
}
Use all default resources
StandardDictionaries.loadAllDictionaries()
loads all default dictionary files.
StandardDictionaries.loadAllKeyboards()
loads all default keyboard files.
Zxcvbn zxcvbn = new Zxcvbn();
or
Zxcvbn zxcvbn = new ZxcvbnBuilder()
.dictionaries(StandardDictionaries.loadAllDictionaries())
.keyboards(StandardKeyboards.loadAllKeyboards())
.build();
Select from and use default resources
The following code selects some from the default dictionary files and keyboards.
Zxcvbn zxcvbn = new ZxcvbnBuilder()
.dictionary(StandardDictionaries.ENGLISH_WIKIPEDIA_LOADER.load())
.dictionary(StandardDictionaries.PASSWORDS_LOADER.load())
.keyboard(StandardKeyboards.QWERTY_LOADER.load())
.keyboard(StandardKeyboards.DVORAK_LOADER.load())
.build();
Localize feedback messages
The zxcvbn4j can be localized the english feedback message to other languages.
Localize each feedback
// Get the Strength instance.
Zxcvbn zxcvbn = new Zxcvbn();
Strength strength = zxcvbn.measure("This is password");
// Get the ResourceBundle based on the name and locale of the property file(β»).
ResourceBundle resourceBundle = ResourceBundle.getBundle("This is bundle name", Locale.JAPAN);
// Feedback to pass the ResourceBundle. And to generate a localized Feedback.
Feedback feedback = strength.getFeedback();
Feedback localizedFeedback = feedback.withResourceBundle(resourceBundle);
// getSuggestions() and getWarning() returns localized feedback message.
List<String> localizedSuggestions = localizedFeedback.getSuggestions();
String localizedWarning = localizedFeedback.getWarning();
Defined Key and the message in the properties file. Reference the messages.properties.
Localize each locale
Strength strength = zxcvbn.measure(password);
Feedback feedback = strength.getFeedback();
Map<Locale, ResourceBundle> messages = new HashMap<>();
messages.put(Locale.JAPANESE, ResourceBundle.getBundle("This is bundle name", Locale.JAPANESE));
messages.put(Locale.ITALIAN, ResourceBundle.getBundle("This is bundle name", Locale.ITALIAN));
Feedback replacedFeedback = feedback.replaceResourceBundle(messages);
Requires Java
- Java 1.7+
Using this library
- Backlog
- Cacoo
- Typetalk
- JetBrains Hub
- Cryptomator
- And many Open Source Software
Bugs and Feedback
For bugs, questions and discussions please use the GitHub Issues.
License
MIT License