jQuery Complexify

Websites have a responsibility to users to accurately tell them how good a password is, and this is not an easy job.

  • If your password is 8 characters long and only formed of lower case characters, you need to make it better, perhaps by adding a number or more characters.
  • If your password is 25 characters long but happens to not contain a number, you shouldn't be forced by a password security policy to add one, you clearly have a very secure password.

Complexify aims to provide a good measure of password complexity for websites to use both for giving hints to users in the form of strength bars, and for casually enforcing a minimum complexity for security reasons.

Note: I use the term 'casually' because this is only client-side validation and anyone could turn it off. I recommend implementing a minimum length check server-side as well. In the future I may code up this algorithm for use server-side.

Complexity Rating

Complexify's default settings will enforce a minimum level of complexity that would mean brute-forcing should take ~600 years on a commodity desktop machine. The 'perfect' password used to scale the complexity percentage would take 3x10^33 years. These are equivalent to a 12 character password with uppercase, lowercase and numbers included, and a 25 character password with uppercase, lowercase, numbers and a wide range of punctuation.


Complexify supports Unicode and will add appropriate complexity for the size of character set included in a password.

For example, as there are 96 Hiragana characters defined in the Unicode specification, including one of these will increase the brute-force complexity by 96.

The rationale behind this is that in an attacker were wanting to include Japanese passwords in his attack, he/she may choose to include the Hiragana set in his/her attack, but not the Katakana set. Complexify divides Unicode into 94 appropriately grouped sets.

Try it out:


How do I use it?

Complexify is a jQuery plugin, so you will already need to have jQuery included on your page. Other than this, just include the file in your page like this:

The valid argument passed to your callback function is a boolean that indicates whether the password met the minimum number of password characters and the minimum level of complexity. The complexity argument is a percentage where 100% represents a 'perfect' password of 25 characters containing one element from each available character set.

The options are the minimumChars that the password must have to be valid, which defaults to 8, and the strengthScaleFactor which will be applied during complexity calculation to raise or lower the complexity required to be valid. This defaults to 1.

What Complexify doesn't do:

  1. It does not take into account possible dictionary attacking of passwords. However most passwords vulnerable to this method are relatively short and contain only letters, making them score fairly weakly on this test anyway.
  2. It's still just client-side validation. If someone wants to bypass this they can, I recommend implementing a check for the minimum length on the server, but I am considering making a complementary server-side library that will enable developers to have a consistent policy set up throughout their service.

Complexify Ports

As Complexify is only client-side, for it to be truly useful some server-side validation is also needed. The following ports have been made to different environments:

Version History

0.2 - Unicode support
Note: most passwords using punctuation will score slightly lower as the punctuation set has been split into multiple sets.

0.1 - Basic implementation

Usage Notes

If you wish to use Complexify, grab a copy from GitHub, or even just this site, but please don't hotlink to the script hosted here. Hotlinking to scripts from untrusted sources is a security risk.

DownloadFork and Watch on Github