Lightweight password strength checker that enforces a strong password policy.

• >99% smaller than zxcvbn: just 2.0K gzipped, 4.8K minified, 8.7K uncompressed
• Feedback messages for weak passwords
• Familiar API
• Easy to use with React

npm install hardpass --save

# or with yarn

yarn add hardpass

const hardpass = require('hardpass');

hardpass('qwerty123');
/*
{
  score: 0,
  feedback: {
    warning: 'Not complex enough',
    suggestions: [
      'Try adding at least 1 upper case character',
      'Try adding at least 1 special character',
      'Must be at least 10 characters long'
    ]
  }
}
*/

hardpass('Cm;cF*1f5L');
/*
{
  score: 4
}
*/

Inspired by OWASP Proper Password Strenth Controls.

• Password length
  • at least 10 characters
  • at most 128 characters
• Password complexity
  • at least 3 of:
    • at least 1 uppercase character (A-Z)
    • at least 1 lowercase character (a-z)
    • at least 1 digit (0-9)
    • at least 1 special character (punctuation) — !"#$%&'()*+,-./:;<=>?@[\\\]^_\{|}~`
  • not more than 2 identical characters in a row (e.g., 111 not allowed)
• Password topologies
  • Ban commonly used password topologies
• Feedback messages

• Configurable feedback messages
• Configurable password dictionaries

zxcvbn.js bundled and minified is about 400kB gzipped or 820kB uncompressed, most of which is dictionaries.^[link]

We can eliminate the majority of weak passwords by enforcing baseline recommended security policies for strong passwords.

We can prune common password dictionaries to reduce their footprint as well, and provide different configurations for file-size tradeoffs.

MIT © Andrew Krawchyk