How to Make a Password Strength Meter Like Google

2007 June 27

pass_strength.pngPassword strength meters are becoming more and more popular amongst web services. Google uses one when creating a Google account. One can argue how useful these meters really are, but non-the-less they are fairly cool for users. So how does one go about making one of these meters? Well it’s fairly straight forward.

The basic break down is we add an event handler on your password field that will check the password for every key input the user types. This allows for an updated meter as the user types the password. When you get into the algorithm that actually checks how secure a password is, there are many routes you can go. When researching for this project, I chose to base my code off of the kind folks over at Intelligent Web. There theory is to calculate how many different combinations there are for the password you enter, then determine how many days it would take to crack your password. The algorithm returns a percentage that we then in turn convert to a nice GUI for the end user to see. So let’s take a look at the code:

The JavaScript is fairly straight forward. There are settings at the top for different checks to enable or disable. Here is the JavaScript:

[ftf]
// Password strength meter v1.0
// Matthew R. Miller - 2007
// www.codeandcoffee.com
// Based off of code from http://www.intelligent-web.co.uk

// Settings
// — Toggle to true or false, if you want to change what is checked in the password
var bCheckNumbers = true;
var bCheckUpperCase = true;
var bCheckLowerCase = true;
var bCheckPunctuation = true;
var nPasswordLifetime = 365;

// Check password
function checkPassword(strPassword)
{
// Reset combination count
nCombinations = 0;

// Check numbers
if (bCheckNumbers)
{
strCheck = “0123456789″;
if (doesContain(strPassword, strCheck) > 0)
{
nCombinations += strCheck.length;
}
}

// Check upper case
if (bCheckUpperCase)
{
strCheck = “ABCDEFGHIJKLMNOPQRSTUVWXYZ”;
if (doesContain(strPassword, strCheck) > 0)
{
nCombinations += strCheck.length;
}
}

// Check lower case
if (bCheckLowerCase)
{
strCheck = “abcdefghijklmnopqrstuvwxyz”;
if (doesContain(strPassword, strCheck) > 0)
{
nCombinations += strCheck.length;
}
}

// Check punctuation
if (bCheckPunctuation)
{
strCheck = “;:-_=+\|//?^&!.@$£#*()%~<>{}[]“;
if (doesContain(strPassword, strCheck) > 0)
{
nCombinations += strCheck.length;
}
}

// Calculate
// — 500 tries per second => minutes
var nDays = ((Math.pow(nCombinations, strPassword.length) / 500) / 2) / 86400;

// Number of days out of password lifetime setting
var nPerc = nDays / nPasswordLifetime;

return nPerc;
}

// Runs password through check and then updates GUI
function runPassword(strPassword, strFieldID)
{
// Check password
nPerc = checkPassword(strPassword);

// Get controls
var ctlBar = document.getElementById(strFieldID + “_bar”);
var ctlText = document.getElementById(strFieldID + “_text”);
if (!ctlBar || !ctlText)
return;

// Set new width
var nRound = Math.round(nPerc * 100);
if (nRound < (strPassword.length * 5))
{
nRound += strPassword.length * 5;
}
if (nRound > 100)
nRound = 100;
ctlBar.style.width = nRound + “%”;

// Color and text
if (nRound > 95)
{
strText = “Very Secure”;
strColor = “#3bce08″;
}
else if (nRound > 75)
{
strText = “Secure”;
strColor = “orange”;
}
else if (nRound > 50)
{
strText = “Mediocre”;
strColor = “#ffd801″;
}
else
{
strColor = “red”;
strText = “Insecure”;
}
ctlBar.style.backgroundColor = strColor;
ctlText.innerHTML = “” + strText + ““;
}

// Checks a string for a list of characters
function doesContain(strPassword, strCheck)
{
nCount = 0;

for (i = 0; i < strPassword.length; i++)
{
if (strCheck.indexOf(strPassword.charAt(i)) > -1)
{
nCount++;
}
}

return nCount;
}
[/ftf]

On the HTML side, I have setup a simple form to display the interaction the user will receive.

[ftf]

Password Strength Meter - Demo

Password:

Password Strength:

[/ftf]

The magic lies inside the event handler I spoke about above. The “onkeyup” event passes the current password, and the ID for this input item. The ID is used to reference the below div tags that show the strength meter and text. The ID allows for you to have more than one password meter per form, per page.

[ftf]

[/ftf]The algorithm can be enhanced if you wish to get more complicated with the strength checking. One can also adjust the colors and text for the various strength levels displayed to the user.

[ftf]

// Color and text
if (nRound > 95)
{
strText = “Very Secure”;
strColor = “#3bce08″;
}
else if (nRound > 75)
{
strText = “Secure”;
strColor = “orange”;
}
else if (nRound > 50)
{
strText = “Mediocre”;
strColor = “#ffd801″;
}
else
{
strColor = “red”;
strText = “Insecure”;
}
[/ftf]

Further features could be displaying when a user has not entered a valid password, for example not a long enough length.

Here is a demo of the above code, and download links so you can implement this into your sign up pages. Enjoy!

Password Strength Meter - Demo

Password:

Password Strength:

Right Click to Download:

pwd_strength.js

demo.html

Category → Code Snippets, Development, How To, Security, Tools and Services, Web Design

73 Comments
2007 June 27
Actos permalink

Very nice post, really, go on!

2007 June 28
Paul permalink

Nice article. I can see a lot of uses for this.
However, I think I’m going to have to look for another algorithm.

The password “password” shows as “very secure” ;-)

2007 June 28
diogo permalink

it seems that the level of security is measured only by the size of the password. dictionary words long enough evaluate to “very secure”…

2007 June 29
WebGyver permalink

WOW! This is awesome. Thank you very much for sharing this kind of quality content with the rest of us.

I’m planning on implementing this within the next little while, and if I can contribute any improvements (perhaps to the GUI), I will let you know.

Man, please keep it coming.

WebGyver
http://www.webgyver.info
====================================
Tools and Resources for Successful Web Design,
Web Development, Web Applications and
Web Business Marketing

2007 June 30
Script Artists | Password Strength Meter per JS permalink

[...] How to Make a Password Strength Meter Like Google zeigt wie man im Registrierungsprozess grafisch die Stärke eines Passworts anzeigt. « Links für Entwickler [...]

Pingback
2007 June 30
The Programming and Management Blog » Developer Links for 30/06/2007 permalink

[...] How to make a password Strength Meter like Google If you have not seen googles example of a password strength meter then this is still worth looking at. Good way to encourage your users to improve their password strength. [...]

Pingback
2007 June 30
stell permalink

you call a password called “password” secure? this needs to use a common password filter.

2007 July 3
John permalink

Cool idea but lame results. The javascript is there to check for alpha, numeric, upper, lower and punctuation in a password but it obviously doesn’t actually check for those elements. Just password length.

2007 July 3
Matthew R. Miller permalink

As stated above, this a proof of concept. I will work on making the algorithm better here in the near future.

2007 July 7
kid permalink

The algorithm is the heart of script. Without a good one, the whole program is useless.

2007 July 7
Matthew R. Miller permalink

kid,

That’s not entirely true.. this is a proof of concept… it is not meant to be a drop in solution.

2007 July 16
How to Make a Password Strength Meter Like Google v2.0 - Code and Coffee permalink

[...] in Part 1 of How to Make a Password Strength Meter Like Google I went over the basics on how to get a password strength meter up and running on your site. I got a [...]

Pingback
2007 July 18
Crear un indicador de contraseñas seguras al estilo Google | aNieto2K permalink

[...] Hace unos días vimos como desde Sentido Web montaban un sistema que nos permitía integrar un indicador de calidad de la contraseña que vas introduciendo en el mismo inputbox en el que introducimos la contraseña. Y hoy via Digg, encuentro este artículo en el que nos muestras una forma de emular el sistema que usa Google para controla la calidad de la contraseña. [...]

Pingback
2007 July 18
Joel permalink

Haha, the password “password” turns out to be “very secure”. Try harder next time.

2007 July 18
Dixon permalink

I’m always a little sceptical of sites that “look” at my passwords. I know my password is good. What I don’t know is if a site is storing it in plain text or otherwise exposing it to the outside world. If I see something like this I’m not going to enter my good password (I memorize about one strong password at a time and use it for sensitive systems. I don’t have room in my noggin for more than one and writing passwords down is the fastest way to have a password burned) so I’ll enter an easy to remember (and crack) password.

But that’s just me an I’m a humungus nerd. For those less well endowed in the geek department, I’m sure these meters make them feal better.

2007 July 18
JSer permalink

Cool idea. Don’t listen to party pooper. I’m sure you can implement a better algorithm in an evening.

2007 July 18
Jonathan permalink

Good idea, needs to check the password against dictionary etc. Once you do that you’ll want to implement the check server-side, as otherwise your Javascript will get too big.

2007 July 18
M permalink

Surely “password” shouldn’t be categorised as “Very Secure”

2007 July 18
M permalink

Surely “password” shouldn’t be categorised as “Very Secure”, sorry submitted to early. However - a list of completely banned words can simply be added to check against, but obviously checking this list could become long, something clever with a better bigO search profile would be quite cute.

However the basics in the demo will be very useful as a starting block to make a gorgeous addition to any interface where setting up a user and password is needed, I’m also considering adding it to a letter counter in an app that has users entering free text so they know when they’re approaching the limit of the paper the form will eventually be printed on.

2007 July 18
Matthew R. Miller permalink

There is a new version available at: http://www.codeandcoffee.com/2007/07/16/how-to-make-a-password-strength-meter-like-google-v20/

2007 July 18
SearchRoads » erotic jetsons How to Make a Password Strength Meter Like Google permalink

[...] making one of these meters? Well it’s fairly straight forward. flintsones and jetsons gangbangread more | digg [...]

Pingback
2007 July 18
sumeet wadhwa permalink

just add a combination of alphabets and numbers it it becomes ‘very secure’!!

2007 July 18
Stephen permalink

Excellent and informative blog post but the results need a bit more work. By the measure of this strength checker my password: “11111111111111″ is just as strong as “3rc$£$342c82@” which is not true. A proper checker would have to look at things like dictionary words and repetition / simple patterns.

2007 July 18
A permalink

Is this a joke, or are you retarded?

2007 July 18
Chris permalink

I just used password in as the password and it told me it was very secure….problem?

2007 July 18
qwerty permalink

How good can it be if the password “password” scores “very secure?”

2007 July 18
Cartoons Fans Lounge permalink

[...] one go about making one of these meters? Well it’s fairly straight forward. X Men comic booksread more | digg story RSS feed for comments on this post. TrackBack URI Cartoons Fans Lounge [...]

Pingback
2007 July 18
dxblogger permalink

great..maybe I should try one…:)

2007 July 18
zan permalink

Even “aaaaaaaaa” scores as secure.

2007 July 18
Michael permalink

Ugh, the way you don’t indent your code makes me want to puke.

2007 July 18
Password Strength Meter | Harinish Technology permalink

[...] More Details (No Ratings Yet) [...]

Pingback
2007 July 18
Bejron permalink

The algorithm sucks imho.
All this does is lure users into a false sense of security. “12345678901″ is classified as “Very Secure”.

You have to take ALL variables into account, not just one..

2007 July 18
I Only Wish » Blog Archive » How to Make a Password Strength Meter Like Google permalink

[...] read more | digg story [...]

Pingback
2007 July 18
links for 2007-07-19 « Jack The Programmer permalink

[...] How to Make a Password Strength Meter Like Google - Code and Coffee (tags: javascript password) [...]

Pingback
2007 July 18
ceee permalink

Well it’s been said 30 times already but the algorithm is horrible, though the javascript is cool if given the right security measures.

“1111111111″ and “password” are not very secure in any environment.

I’d love to see a rework of the php though…

2007 July 19
Andy permalink

Google uses a Dictionary along with checking all the above (uppercase & lowercase, numbers, etc…) for validating password strength.

2007 July 19
marc permalink

Unfortunately the demo rated the password “changeme” as “very secure”. It’s a fun article, but as others have pointed out, it might be good to point out the heuristics involved.

2007 July 19
chris permalink

A password of “aaaaaaaaaaaaaaaaaa” gives a result of very secure, wouldn’t it be better to measure the entropy of a password through chi square analysis etc.?

2007 July 19
Ole permalink

Well, how simple is it to brute force “aaaaaaaaaaaaaaaaaa” if the passwords are stored with a salt and sha256? A simple check to see if all the chars are the same could be usefull to stop the most emo users from doing this.

A requirement for “very secure” could be char, number and special char in the password ;)
E.g. “.aSSw0rp” would be a way better password then “password” and not that much harder to remember even for grandma ;)

2007 July 19
fizz permalink

This is gay, i put in “howsthis” and it said it was very secure? wtf…

2007 July 19
Ole permalink

There is a version 2.0 of this script that has a better way of rating implemented. http://www.codeandcoffee.com/2007/07/16/how-to-make-a-password-strength-meter-like-google-v20/

2007 July 19
Prime News Blog » Blog Archive » xmen hentai comics How to Make a Password Strength Meter Like Google permalink

[...] one of these meters? Well it’s fairly straight forward. xmen fanfiction rogue cyclops sarahread more | digg [...]

Pingback
2007 July 19
Javascript : А Ваш пароль крутой? « О PHP и о жизни… permalink

[...] Как сделать индикатор сложности пароля? Вот такой? Вот так. Или [...]

Pingback
2007 July 19
links for 2007-07-19 « toonz permalink

[...] How to Make a Password Strength Meter Like Google - Code and Coffee (tags: javascript password security tools) [...]

Pingback
2007 July 19
Timmy permalink

Maybe it would be better to set it like
that on line 64:
if (strPassword.length 0)

2007 July 19
links for 2007-07-20 « Cui’s Weblog permalink

[...] How to Make a Password Strength Meter Like Google - Code and Coffee (tags: code javascript password howto ajax) Posted by allencui Filed in bookmarks [...]

Pingback
2007 July 20
Trae Regan » Blog Archive » How to Make a Password Strength Meter Like Google permalink

[...] http://www.codeandcoffee.com/2007/06/27/how-to-make-a-password-strength-meter-like-google/ [...]

Pingback
2007 July 20
links for 2007-07-20 | apt-get install permalink

[...] How to Make a Password Strength Meter Like Google - Code and Coffee Password strength meters are becoming more and more popular amongst web services. Google uses one when creating a Google account. One can argue how useful these meters really are, but non-the-less they are fairly cool for users. So how does one go about m (tags: javascript password webdev programming tips tools code) [...]

Pingback
2007 July 20
dev2 - webfejlesztés » Tikkasztó meleghez: CSS, JS, web2.0 permalink

[...] egy jelszó erősség mérőnk is js-ben, amivel például regisztrációkor tudjuk tudatni a felhasználóval, hogy mennyire [...]

Pingback
2007 July 20
sz-iris permalink

It’s useless!
I typed “ddddddd”,it display “Very Secure”,do you think the “dddddddd” password is secure?
NO!
So it’s no use at all,and may mislead the user.

2007 July 20
links for 2007-07-20 « nan tak (kalah) penting permalink

[...] How to Make a Password Strength Meter Like Google - Code and Coffee Javascript sederhana untuk membuat ukuran kekuatan kata sandi. (tags: javascript) [...]

Pingback
2007 July 20
tech.twomadgeeks.com » Blog Archive » How to Make a Password Strength Meter permalink

[...] Link: Code and Coffee [...]

Pingback
2007 July 21
marka buku 2007-07-20 « nan tak (kalah) penting permalink

[...] How to Make a Password Strength Meter Like Google - Code and CoffeeJavascript sederhana untuk membuat ukuran kekuatan kata sandi.(tags: javascript) [...]

Pingback
2007 July 21
Arun permalink

it’s very helpfull i need it in my app

Thanx

2007 July 23
yongfook permalink

poor script. attaching an arbitrary rating depending on the amount of numbers or letters is a bad way of determining password strength. as others have posted, under this system “password” is a very secure password. As is “11111111111″.

This script could be improved greatly by checking that the string does not include repeated characters and putting in an AJAX call that runs a cross-check against a dictionary to weed out real words.

But, as others have said, the script provides a base at least for others to build upon, so kudos for that.

2007 July 23
Matthew R. Miller permalink

Comments closed as there is a new version available at:

http://www.codeandcoffee.com/2007/07/16/how-to-make-a-password-strength-meter-like-google-v20/

2007 July 24
Medidor de nivel de seguridad de passwords - Fernando Gomez permalink

[...] Instalarlo es muy sencillo. Tienes disponible el código fuente y ejemplos en Code and Cofee. [...]

Pingback
2007 August 3
suelz0mat.de » Wie stark ist mein Passwort? permalink

[...] und signalisiert wie gut das eingetippte Passwort ist. Matthew R. Miller hat in seinem Blog ein kleines Script vorgestellt das genau dieses Verhalten nachahmt, natürlich ist das Script etwas [...]

Pingback
2007 August 4
How to Make a Password Strength Meter Like Google permalink

[...] users. So how does one go about making one of these meters? Well it’s fairly straight forward.read more | digg [...]

Pingback
2007 August 6
Password sicure in javascript « Cosa importa se…. permalink

[...] dover controllare che la password che l’utente si crea, sia sicura oltre  che valida.Questo post, preso dal [...]

Pingback
2007 August 9
Benjamin Diolez .:. MicroBlog » Script Javascript : Indiquer la sécurité d'un mot de passe permalink

[...] Script [...]

Pingback
2007 August 9
AOWS » Archivo » How to make a password strength meter like Google permalink

[...] How to make a password strength meter like Google: interesante javascript con el que medir la calidad de las contraseñas. none [...]

Pingback
2007 August 9
FileIdeas.com» Blog Archive » Ajax Password Strength Meter permalink

[...] Password Strength Meters are becoming more and more popular amongst web services. Google uses one when creating a Google account. The password strength meters wil be updated for every key input the user types. So how does one go about making one of these meters? Code and Coffee created one for us, it calculates how many different combinations there are for the password you enter, then determine how many days it would take to crack your password. The algorithm returns a percentage that he then in turn convert to a nice GUI for the end user to see. Requirements: Modern Browser with Javascript Enabled Demo: http://www.codeandcoffee.com/wp-content/uploads/demo.html License: License Free [...]

Pingback
2007 August 9
Ajax Powered Password Strength Meter » Jeffro2pt0.com permalink

[...] Code and Coffee has released the javascript file along with the demo.html page that you would need, to add one of these password meters to your site or service. There is also a detailed explanation as to how to the code works which can be read, by clicking here. [...]

Pingback
2007 August 9
  How to Make a Password Strength Meter Like Google by PHP Dots permalink

[...] http://www.codeandcoffee.com/ [...]

Pingback
2007 August 15
Misurare l’efficacia di una password con Javascript : sastgroup.com permalink

[...] volete creare qualcosa di simile per il vostro sito, trovate in questo tutorial tutto quello che vi occorre, compreso codice Javascript da scaricare e usare [...]

Pingback
2007 August 27
Incest Young Gay Porn permalink

Incest Young Gay Porn…

Sorry, it just sounds like a crazy idea for me :)…

Trackback
2007 September 12
How to Make a Password Strength Meter Like Google « Resistance is futile permalink

[...] How to Make a Password Strength Meter Like Google link [...]

Pingback
2007 October 5
How to Make a Password Strength Meter Like Google « Programming News permalink

[...] read more | digg story [...]

Pingback
2007 October 17
Persian Developer » بهترین های مهر permalink

[...] How to Make a Password Strength Meter Like Google [...]

Pingback
2007 October 24
My Hobby is Programming » Blog Archive » How to Make a Password Strength Meter Like Google permalink

[...] read more | digg story [...]

Pingback
2007 November 18
Top 100 AJAX ‘form’ related scripts for 2007 | Nobox Media permalink

[...] Password strength meter [...]

Pingback
2007 December 3
Doontime - Freelance web designer » Blog Archive » Top 100 AJAX form scripts for 2007 permalink

[...] Password strength meter [...]

Pingback

Comments are closed for this entry.