zxcvbn-typescript

v5.0.1

realistic password strength estimation, updated and ported to Typescript from Dan Wheeler's zxcvbn For more information about how to use this package see README

Latest version published 3 years ago

License: MIT

NPM

GitHub

Package Health Score

48 / 100

security
No known security issues
popularity
Small
maintenance
Inactive
community
Limited

Explore Similar Packages

Security

No known security issues

All security vulnerabilities belong to production dependencies of direct and indirect packages.

Security and license risk for significant versions

All Versions

Version				Vulnerabilities	License Risk
5.0.1	\|	02/2021	Popular	0 C 0 H 0 M 0 L	0 H 0 M 0 L

License

MIT

Security Policy

Is your project affected by vulnerabilities?

Scan your projects for vulnerabilities. Fix quickly with automated fixes. Get started with Snyk for free.

Get started free

Popularity

Small

Weekly Downloads (2,023)

GitHub Stars: 13
Forks: 1
Contributors: 30

Direct Usage Popularity

The npm package zxcvbn-typescript receives a total of 2,023 downloads a week. As such, we scored zxcvbn-typescript popularity level to be Small.

Based on project statistics from the GitHub repository for the npm package zxcvbn-typescript, we found that it has been starred 13 times.

Downloads are calculated as moving averages for a period of the last 12 months, excluding weekends and known missing data points.

Community

Limited

Readme.md: Yes
Contributing.md: No
Code of Conduct: No
Contributors: 30
Funding: No

With more than 10 contributors for the zxcvbn-typescript repository, this is possibly a sign for a growing and inviting community.

We found a way for you to contribute to the project! Looks like zxcvbn-typescript is missing a Code of Conduct.

Embed Package Health Score Badge

Maintenance

Inactive

Commit Frequency

No Recent Commits

Open Issues: 2
Open PR: 10
Last Release: 3 years ago
Last Commit: 2 years ago

Further analysis of the maintenance status of zxcvbn-typescript based on released npm versions cadence, the repository activity, and other data points determined that its maintenance is Inactive.

An important project maintenance signal to consider for zxcvbn-typescript is that it hasn't seen any new versions released to npm in the past 12 months, and could be considered as a discontinued project, or that which receives low attention from its maintainers.

In the past month we didn't find any pull request activity or change in issues status has been detected for the GitHub repository.

Keep your project healthy

Check your package.json

Ensure all the packages you're using are healthy and well-maintained

Snyk Vulnerability Scanner

Get health score & security insights directly in your IDE

Package

Node.js Compatibility: not defined

Age: 4 years
Dependencies: 0 Direct
Versions: 9
Install Size: 1.79 MB
Dist-tags: 1
# of Files: 93
Maintainers: 1
TS Typings: Yes

zxcvbn-typescript has more than a single and default latest tag published for the npm package. This means, there may be other tags available for this package, such as next to indicate future releases, or stable to indicate stable releases.

Readme

_________________________________________________/\/\___________________
_/\/\/\/\/\__/\/\__/\/\____/\/\/\/\__/\/\__/\/\__/\/\________/\/\/\/\___
_____/\/\______/\/\/\____/\/\________/\/\__/\/\__/\/\/\/\____/\/\__/\/\_
___/\/\________/\/\/\____/\/\__________/\/\/\____/\/\__/\/\__/\/\__/\/\_
_/\/\/\/\/\__/\/\__/\/\____/\/\/\/\______/\______/\/\/\/\____/\/\__/\/\_
________________________________________________________________________

This is a Typescript port of Dropbox's zxcvbn library.

zxcvbn-typescript is a password strength estimator inspired by password crackers. Through pattern matching and conservative estimation, it recognizes and weighs 30k common passwords, common names and surnames according to US census data, popular English words from Wikipedia and US television and movies, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.

Consider using zxcvbn-typescript as an algorithmic alternative to password composition policy — it is more secure, flexible, and usable when sites require a minimal complexity score in place of annoying rules like "passwords must contain three of {lower, upper, numbers, symbols}".

More secure: policies often fail both ways, allowing weak passwords (P@ssword1) and disallowing strong passwords.
More flexible: zxcvbn allows many password styles to flourish so long as it detects sufficient complexity — passphrases are rated highly given enough uncommon words, keyboard patterns are ranked based on length and number of turns, and capitalization adds more complexity when it's unpredictaBle.
More usable: zxcvbn is designed to power simple, rule-free interfaces that give instant feedback. In addition to strength estimation, zxcvbn includes minimal, targeted verbal feedback that can help guide users towards less guessable passwords.

For further detail and motivation, please refer to the USENIX Security '16 paper and presentation.

Installation

npm install zxcvbn

yarn install zxcvbn

Browserify / Webpack

Bundling zxcvbn-typescript into your website using tools like browserify and webpack is unwise. It is large, you likely only need it on a couple of pages (registration, password reset), and you likely don't need it immediately. If you are using browserify, consider using dynamic imports and configuring your bundler to allow lazy loading.

Usage

try zxcvbn interactively to see these docs in action.

zxcvbn(password, user_inputs=[])

zxcvbn() takes one required argument, a password, and returns a result object with several properties:

{
  guesses : number, // estimated guesses needed to crack password
  guesses_log10 : number, // order of magnitude of guesses

  crack_times_seconds : // dictionary of back-of-the-envelope crack time estimations, in seconds, based on a few scenarios:
  {
    // online attack on a service that ratelimits password auth attempts.
    online_throttling_100_per_hour : number,

    // online attack on a service that doesn't ratelimit, or where an attacker has outsmarted ratelimiting.
    online_no_throttling_10_per_second : number,

    // offline attack. assumes multiple attackers,  proper user-unique salting, and a slow hash function
    // w/ moderate work factor, such as bcrypt, scrypt, PBKDF2.
    offline_slow_hashing_1e4_per_second : number,

    // offline attack with user-unique salting but a fast hash function like SHA-1, SHA-256 or MD5. A wide range of
    // reasonable numbers anywhere from one billion - one trillion  guesses per second, depending on number of cores 
    // and machines. ballparking at 10B/sec.
    offline_fast_hashing_1e10_per_second : number,
  },
  crack_times_display, // same keys as result.crack_times_seconds, with friendlier display string values: "less than a second", "3 hours", "centuries", etc.
  score : number,      // Integer from 0-4 (useful for implementing a strength bar)
                       // 0 - too guessable: risky password. (guesses &lt; 10^3)
                       // 1 - very guessable: protection from throttled online attacks. (guesses &lt; 10^6)
                       // 2 - somewhat guessable: protection from unthrottled online attacks. (guesses &lt; 10^8)
                       // 3 - safely unguessable: moderate protection from offline slow-hash scenario. (guesses &lt; 10^10)
                       // 4 - very unguessable: strong protection from offline slow-hash scenario. (guesses &gt;= 10^10)
  feedback : // verbal feedback to help choose better passwords. set when score &lt;= 2.
  {
    warning : string, // explains what's wrong, eg. 'this is a top-10 common password'.  Not always set -- sometimes an empty string
    suggestions : string[],  // a possibly-empty list of suggestions to help choose a less guessable password. eg. 'Add another word or two'
  },
  sequence : [], // the list of patterns that zxcvbn-typescript based the guess calculation on.
  calc_time : number // how long it took zxcvbn-typescript to calculate an answer in milliseconds.
}

The optional user_inputs argument is an array of strings that zxcvbn-typescript will treat as an extra dictionary. This can be whatever list of strings you like, but is meant for user inputs from other fields of the form, like name and email. That way a password that includes a user's personal information can be heavily penalized. This list is also good for site-specific vocabulary — Acme Brick Co. might want to include ['acme', 'brick', 'acmebrick', etc].

Performance

runtime latency

zxcvbn operates below human perception of delay for most input: ~5-20ms for ~25 char passwords on modern browsers/CPUs, ~100ms for passwords around 100 characters. To bound runtime latency for really long passwords, consider sending zxcvbn() only the first 100 characters or so of user input.

Development

Bug reports and pull requests welcome!

zxcvbn-typescript is built with TypeScript, browserify, and uglify-js. Source lives in src, which gets compiled, bundled and minified into dist/zxcvbn.js.

Two source files, adjacency_graphs.ts and frequency_lists.ts, are generated by python scripts in data-scripts that read raw data from the data directory.

For node developers, in addition to dist, the zxcvbn npm module includes a lib directory (hidden from git) that includes one compiled .js and .js.map file for every .ts in src. The type definitions produced by Typescript are there as well.

Acknowledgments

Dan Wheeler for the initial zxcvbn project. Dropbox for supporting open source!

Mark Burnett for releasing his 10M password corpus and for his 2005 book, Perfect Passwords: Selection, Protection, Authentication.

Wiktionary contributors for building a frequency list of English words as used in television and movies.

Researchers at Concordia University for studying password estimation rigorously and recommending zxcvbn.

And xkcd for the inspiration 👍🐴🔋❤️

FAQs

What is zxcvbn-typescript?

realistic password strength estimation, updated and ported to Typescript from Dan Wheeler's zxcvbn. Visit Snyk Advisor to see a full health score report for zxcvbn-typescript, including popularity, security, maintenance & community analysis.

Is zxcvbn-typescript popular?

The npm package zxcvbn-typescript receives a total of 2,023 weekly downloads. As such, zxcvbn-typescript popularity was classified as small. Visit the popularity section on Snyk Advisor to see the full health analysis.

Is zxcvbn-typescript well maintained?

We found indications that zxcvbn-typescript is an Inactive project. See the full package health analysis to learn more about the package maintenance status.

Is zxcvbn-typescript safe to use?

The npm package zxcvbn-typescript was scanned for known vulnerabilities and missing license, and no issues were found. Thus the package was deemed as safe to use. See the full health analysis review.

Last updated on 22 April-2024, at 18:59 (UTC).

Build a secure application checklist

Select a recommended open source package

Minimize your risk by selecting secure & well maintained open source packages

DONE

Scan your app for vulnerabilities

Scan your application to find vulnerabilities in your: source code, open source dependencies, containers and configuration files

SCAN NOW

Fix identified vulnerabilities

Easily fix your code by leveraging automatically generated PRs

AUTO FIX

Monitor for new issues

New vulnerabilities are discovered every day. Get notified if your application is affected

MONITOR APP