PasswordCheck

Testing the strength of a password in Java

Need a simple way to check the strength of a password?
To check in the HTML on the front end try Steve Moitozo's Javascript example at http://www.geekwisdom.com/dyn/passwdmeter
For Java server checks on the backend download the PasswordCheck jar file and get started.

C:\>java -jar PasswordCheck.jar
Java 1.4 password strength regex example (see source)
Bundled usage: java -jar PasswordCheck.jar 
Unbundled usage: java PasswordCheck

This uses the same Password Strength Factors and Weightings as Steve's javascript with the additional capability of defining rules for a minimal system password.
Update: The original code doubled the score for 2 special characters based on a brute force attack (a-z,A-Z,0-9,specials) but someone pointed out that most attacks are more intelligent. People tend to substitute numbers and special characters in a memorable way such as replacing "S" with "$" or "a" with "@" and "3" for "E"
A password such as $@v3M3 (SaveMe) though only 7 characters is hard to crack with brute force but simple using common words from the dictionary and expected character substitutions.
Because of this, one special gets 5 points and two specials get 10 points but using any more than that is a sure sign that the password is using common character substitutions in known words (no additional points).
All of these values can be adjusted to your taste. There is no hard and fast rule. The ones I initially used came from Steve Moitozo's passwdmeter but I adjusted them to match a password check plugin for LDAP servers then later tweaked them based on comments.

C:\>java -jar PasswordCheck.jar hello123##KHG
very strong - 79
12 points for length (13)
1 point for a lower case character
5 point for an upper case character
5 points for a number
2 points for at least two numbers
3 points for at least three numbers
5 points for a special character
5 points for at least two special characters
2 combo points for upper and lower letters
2 combo points for letters and numbers
2 combo points for letters, numbers and special chars
2 combo points for upper and lower case letters, numbers and special chars


Password meets or exceeds defined security rules

Hopefully I'll get the time to come back to this page and explain the code or provide details of how to expand it to

Retrieve the rules from a properties file
Use it in a JSP with Steve's script to provide visual feedback once the password meets the minimum.

The contents of this website are licensed under the Open Software License 2.1 or Academic Free License 2.1