Websites have a responsibility to accurately inform users of password strength, both to better secure data and to educate users about what constitutes a good password.
Complexify aims to provide a good measure of password complexity for websites to use both for giving hints to users in the form of strength bars, and for casually enforcing a minimum complexity for security reasons.
This plugin only provides client-side validation, and should be combined with some server-side sanity checking. If you want a full-blown Complexify implementation for the server, check out the list of ports.
Complexify is implemented as a jQuery function that can be called on input fields. The function takes options and a callback that will be called with the results of the validation.
The valid argument passed to your callback function is a boolean that indicates whether the password met the minimum level of complexity. The complexity argument is a percentage where 100% represents a 'very good' password (approximately 25 random characters).
For details about the extra options that can be included to customise the behaviour of Complexify, see the documentation below.
jQuery must be included on the page before Complexify.
How it works
Complexify's default settings will enforce a minimum level of complexity that would mean brute-forcing should take ~600 years on a commodity desktop machine. The 'perfect' password used to scale the complexity percentage would take 3x10^33 years. These are equivalent to a 12 character password with uppercase, lowercase and numbers included, and a 25 character password with uppercase, lowercase, numbers and a wide range of punctuation.
Complexify supports Unicode and will add appropriate complexity for the size of character set included in a password.
For example, as there are 96 Hiragana characters defined in the Unicode specification, including one of these will increase the brute-force complexity by 96.
The rationale behind this is that an attacker who wanted to include Japanese passwords in an attack might choose to include the Hiragana set but not the Katakana set. Complexify divides Unicode into 94 appropriately grouped sets.
The following options can be passed into the Complexify initialiser to customise its behaviour.
A list of passwords that will always return 0% complexity. This can also be achieved by setting a global variable.
The minimum number of characters that the password must have in order to be valid. Defaults to 8.
This is a scale factor applied to the calculated password strength. It can be used to increase the strength of passwords required. Defaults to 1.
strict: If a password is contained in the banned list, or contained in any item of the banned list, the password will fail. This means that "123456" will fail as it is in the banned list, but "123" and "345" will also fail as they are substrings of a password in the list.
loose: If a password exactly matches one in the banned list, the password will fail.
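The scoring scheme from "How it works" and the options above, as an added standalone model in plain JavaScript; this is not the plugin's source. The 12- and 25-character reference points and the 96-character Hiragana set are from this README, while the abbreviated range table, the option key names and the handling of code points outside the table are assumptions.

```javascript
// Standalone model of the scoring scheme the README describes; not the plugin's
// own source. Set sizes and the 12/25-character reference points are from the
// README; the range table is an abbreviated assumption (the plugin uses 94 sets).
const CHARSETS = [
  { name: "digits",   from: 0x30,   to: 0x39 },   // 10
  { name: "upper",    from: 0x41,   to: 0x5a },   // 26
  { name: "lower",    from: 0x61,   to: 0x7a },   // 26
  { name: "punct1",   from: 0x20,   to: 0x2f },   // 16: space and !"#$%&'()*+,-./
  { name: "punct2",   from: 0x3a,   to: 0x40 },   //  7: :;<=>?@
  { name: "punct3",   from: 0x5b,   to: 0x60 },   //  6: [\]^_`
  { name: "punct4",   from: 0x7b,   to: 0x7e },   //  4: {|}~
  { name: "hiragana", from: 0x3040, to: 0x309f }, // 96, as cited in the README
  { name: "katakana", from: 0x30a0, to: 0x30ff }, // 96
];
const MIN_BITS = 12 * Math.log2(62); // 12 chars of upper+lower+digits (~71.5 bits)
const MAX_BITS = 25 * Math.log2(95); // 25 chars of all printable ASCII (~164 bits)

// Size of the search space an attacker must cover: the sum of every set that
// contributes at least one character. for..of walks code points, so characters
// outside the BMP are not split into surrogate halves.
function charsetSize(password) {
  const seen = new Map();
  for (const ch of password) {
    const cp = ch.codePointAt(0);
    const set = CHARSETS.find((s) => cp >= s.from && cp <= s.to);
    if (set) seen.set(set.name, set.to - set.from + 1);
    else seen.set("other:" + cp, 1); // assumption: unknown code point is a set of 1
  }
  return [...seen.values()].reduce((a, b) => a + b, 0);
}

// strict: the password equals, or is a substring of, any banned entry
// (so "123" is rejected when "123456" is banned); loose: exact match only.
function isBanned(password, banned, mode) {
  if (mode === "strict") return banned.some((b) => b.includes(password));
  return banned.includes(password);
}

// Option keys follow the README's descriptions; the exact names are assumed.
function complexify(password, opts = {}) {
  const { minimumChars = 8, strengthScaleFactor = 1,
          bannedMode = "strict", bannedPasswords = [] } = opts;
  const length = [...password].length;
  if (length === 0 || isBanned(password, bannedPasswords, bannedMode)) {
    return { valid: false, complexity: 0 };
  }
  const bits = length * Math.log2(charsetSize(password)) * strengthScaleFactor;
  const complexity = Math.min(100, (bits / MAX_BITS) * 100);
  return { valid: bits >= MIN_BITS && length >= minimumChars, complexity };
}
```

Note that a long all-lowercase passphrase such as "correct horse battery" clears the minimum while the 11-character "Tr0ub4dor&3" does not, because length multiplies the per-character bits.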
Several people have kindly open-sourced their implementations of this algorithm for other platforms:
- 0.3.1 - Improved event binding, Bower support.
- 0.3 - Banned password list support, better event binding.
- 0.2 - Unicode support.
- 0.1 - First release.