Websites have a responsibility to users to accurately tell them how good a password is, and this is not an easy job.
Complexify aims to provide a good measure of password complexity for websites to use both for giving hints to users in the form of strength bars, and for casually enforcing a minimum complexity for security reasons.
Note: I use the term 'casually' because this is only client-side validation and anyone could turn it off. I recommend implementing a minimum length check server-side as well. In the future I may code up this algorithm for use server-side.
Complexify's default settings will enforce a minimum level of complexity that would mean brute-forcing should take ~600 years on a commodity desktop machine. The 'perfect' password used to scale the complexity percentage would take 3x10^33 years. These are equivalent to a 12 character password with uppercase, lowercase and numbers included, and a 25 character password with uppercase, lowercase, numbers and a wide range of punctuation.
Complexify supports Unicode and will add appropriate complexity for the size of character set included in a password.
For example, as there are 96 Hiragana characters defined in the Unicode specification, including one of these will increase the brute-force complexity by 96.
The rationale behind this is that if an attacker wanted to include Japanese passwords in an attack, he or she may choose to include the Hiragana set but not the Katakana set. Complexify divides Unicode into 94 appropriately grouped sets.
Complexify is a jQuery plugin, so you will already need to have jQuery included on your page. Other than this, just include the file in your page like this:
The valid argument passed to your callback function is a boolean that indicates whether the password met the minimum number of password characters and the minimum level of complexity. The complexity argument is a percentage where 100% represents a 'perfect' password of 25 characters containing one element from each available character set.
The options are the minimumChars that the password must have to be valid, which defaults to 8, and the strengthScaleFactor which will be applied during complexity calculation to raise or lower the complexity required to be valid. This defaults to 1.
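The scoring idea described above, as an added example that is not Complexify's own source: it sums the sizes of the character sets a password draws from, takes the natural log of the resulting search space, and returns the same valid and complexity values the callback receives. It has no jQuery or DOM dependency, so the same check can be repeated server-side. Assumptions: only five constructed character sets are used instead of the plugin's 94, ASCII punctuation is kept as a single set, and a larger strengthScaleFactor is taken to make validity harder to reach.

```javascript
// Added illustration of the scoring idea; not Complexify's source code.
// Constructed subset of character sets (the plugin itself groups Unicode into 94).
const CHARSETS = [
  { name: "lowercase", size: 26, re: /[a-z]/ },
  { name: "uppercase", size: 26, re: /[A-Z]/ },
  { name: "digits", size: 10, re: /[0-9]/ },
  // ASCII punctuation including space, kept as one set here for brevity
  { name: "ascii-punctuation", size: 33, re: /[\x20-\x2F\x3A-\x40\x5B-\x60\x7B-\x7E]/ },
  // 96 code points in the Hiragana block, as stated on the page
  { name: "hiragana", size: 96, re: /[\u3040-\u309F]/ },
];

// Threshold from the page: 12 characters drawn from upper + lower + digits (62 symbols).
const MIN_COMPLEXITY = 12 * Math.log(62);
// 'Perfect' password: 25 characters with every set above represented.
const ALL_SETS = CHARSETS.reduce((n, s) => n + s.size, 0);
const MAX_COMPLEXITY = 25 * Math.log(ALL_SETS);

function scorePassword(password, options = {}) {
  const { minimumChars = 8, strengthScaleFactor = 1 } = options;
  const length = Array.from(password).length; // count code points, not UTF-16 units
  // Alphabet an attacker must search = sum of the sets the password draws from.
  const alphabet = CHARSETS.reduce((n, s) => (s.re.test(password) ? n + s.size : n), 0);
  // ln(alphabet^length) = length * ln(alphabet): natural-log size of the search space.
  // Assumption: a larger strengthScaleFactor makes the threshold harder to reach.
  const raw = alphabet > 0 ? (length * Math.log(alphabet)) / strengthScaleFactor : 0;
  return {
    valid: length >= minimumChars && raw >= MIN_COMPLEXITY,
    complexity: Math.min(100, (raw / MAX_COMPLEXITY) * 100),
  };
}

// Constructed sample inputs
for (const pw of ["Abcdefgh1234", "abcdefghijkl", "abcdefghij\u3042"]) {
  console.log(pw, scorePassword(pw));
}
```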
As Complexify is only client-side, for it to be truly useful some server-side validation is also needed. The following ports have been made to different environments:
0.2 - Unicode support
Note: most passwords using punctuation will score slightly lower as the punctuation set has been split into multiple sets.
0.1 - Basic implementation
If you wish to use Complexify, grab a copy from GitHub, or even just this site, but please don't hotlink to the script hosted here. Hotlinking to scripts from untrusted sources is a security risk.