Zxcvbn4j
This is a Java port of zxcvbn, a password strength estimator originally written in JavaScript.
zxcvbn4j

This is a Java version of zxcvbn, a password strength estimator originally written in JavaScript and inspired by password cracking tools. It uses pattern matching and conservative estimation to assess the strength of passwords. It can identify and evaluate the strength of over 30,000 common passwords, as well as common names and surnames based on US census data. It also recognizes popular English words from Wikipedia, US television shows, and movies. Additionally, it can detect other common password patterns such as dates, repeated characters (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.
Table of Contents
- Mapping Original to Ported Versions
- Special Features
- Install
- Development
- Usage
- Requires Java
- Using this library
- Bugs and Feedback
- License
Mapping Original to Ported Versions
| Ported Version | Original zxcvbn Version |
|----------------|-------------------------|
| 1.2.3 - latest | 4.4.2 |
| 1.2.1 - 1.2.2 | 4.4.1 |
| 1.1.0 - 1.2.0 | 4.4.0 |
| 1.0.0 - 1.0.2 | 4.2.0 |
Special Features
Customize Internal Dictionaries and Keyboards
- You can customize the dictionary and keyboard layout used by the measurement algorithm to better suit your specific needs.
Localize Feedback Messages
- zxcvbn4j allows you to localize the default English feedback messages into other languages.
Default Language Support
- English (default)
- Japanese (ja)
- Dutch (nl)
- German (de)
- French (fr)
- Italian (it)
- Spanish (es)
- Portuguese (pt)
JIS Keyboard Layout Support
- zxcvbn4j includes support for the JIS keyboard layout in spatial matching.
Accepting Passwords as CharSequence or String
- This feature provides greater flexibility in the format of the password input.
- It also aims to avoid using Strings for any sensitive intermediate objects, enhancing security.
Install
https://central.sonatype.com/artifact/com.nulab-inc/zxcvbn/1.9.0
Gradle:
```groovy
// 'compile' was removed in Gradle 7; 'implementation' is its replacement
implementation 'com.nulab-inc:zxcvbn:1.9.0'
```
Maven:
```xml
<dependency>
  <groupId>com.nulab-inc</groupId>
  <artifactId>zxcvbn</artifactId>
  <version>1.9.0</version>
</dependency>
```
Development
```bash
$ git clone https://github.com/nulab/zxcvbn4j.git
$ cd ./zxcvbn4j
$ ./gradlew build # build
$ ./gradlew test # test
$ ./gradlew jmh # benchmark
```
Usage
Basic
This usage also works on Android.
```java
Zxcvbn zxcvbn = new Zxcvbn();
Strength strength = zxcvbn.measure("This is password");
```
If you want to add your own dictionary, pass the keyword list as a List<String> in the second argument.
```java
// User-specific words that should count as dictionary matches
List<String> sanitizedInputs = new ArrayList<>();
sanitizedInputs.add("nulab");
sanitizedInputs.add("backlog");
sanitizedInputs.add("cacoo");
sanitizedInputs.add("typetalk");
Zxcvbn zxcvbn = new Zxcvbn();
Strength strength = zxcvbn.measure("This is password", sanitizedInputs);
```
Strength Properties
The returned result is a "Strength" object. It is almost the same as the result object in zxcvbn.
```
# estimated guesses needed to crack password
strength.guesses

# order of magnitude of strength.guesses
strength.guessesLog10

# dictionary of back-of-the-envelope crack time
# estimations, in seconds, based on a few scenarios
strength.crackTimeSeconds
{
  # online attack on a service that ratelimits password auth attempts.
  onlineThrottling100PerHour

  # online attack on a service that doesn't ratelimit,
  # or where an attacker has outsmarted ratelimiting.
  onlineNoThrottling10PerSecond

  # offline attack. assumes multiple attackers,
  # proper user-unique salting, and a slow hash function
  # w/ moderate work factor, such as bcrypt, scrypt, PBKDF2.
  offlineSlowHashing1e4PerSecond

  # offline attack with user-unique salting but a fast hash
  # function like SHA-1, SHA-256 or MD5. A wide range of
  # reasonable numbers anywhere from one billion - one trillion
  # guesses per second, depending on number of cores and machines.
  # ballparking at 10B/sec.
  offlineFastHashing1e10PerSecond
}

# same keys as result.crack_time_seconds,
# with friendlier display string values:
# "less than a second", "3 hours", "centuries", etc.
strength.crackTimeDisplay

# Integer from 0-4 (useful for implementing a strength bar)
# 0 Weak        (guesses < 10^3 + 5)
# 1 Fair        (guesses < 10^6 + 5)
# 2 Good        (guesses < 10^8 + 5)
# 3 Strong      (guesses < 10^10 + 5)
# 4 Very strong (guesses >= 10^10 + 5)
strength.score

# verbal feedback to help choose better passwords. set when score <= 2.
strength.feedback
{
  # explains what's wrong, eg. 'this is a top-10 common password'.
  # not always set -- sometimes an empty string
  warning

  # a possibly-empty list of suggestions to help choose a less
  # guessable password. eg. 'Add another word or two'
  suggestions
}

# the list of patterns that zxcvbn based the guess calculation on.
strength.sequence

# how long it took zxcvbn to calculate an answer, in milliseconds.
strength.calc_time
```
Customize internal dictionaries and keyboards
A Zxcvbn instance can be built with ZxcvbnBuilder.
ZxcvbnBuilder lets you customize the dictionaries and keyboards used in measurements.
Use resources on the classpath
ClasspathResource reads your own dictionary and keyboard files from the classpath.
DictionaryLoader loads a dictionary file.
SlantedKeyboardLoader and AlignedKeyboardLoader load keyboard files.
```java
Zxcvbn zxcvbn = new ZxcvbnBuilder()
    .dictionary(new DictionaryLoader("us_tv_and_film", new ClasspathResource("/com/nulabinc/zxcvbn/matchers/dictionarys/us_tv_and_film.txt")).load())
    .keyboard(new SlantedKeyboardLoader("qwerty", new ClasspathResource("/com/nulabinc/zxcvbn/matchers/keyboards/qwerty.txt")).load())
    .keyboard(new AlignedKeyboardLoader("keypad", new ClasspathResource("/com/nulabinc/zxcvbn/matchers/keyboards/keypad.txt")).load())
    .build();
```
Use resources fetched via HTTP
To use dictionary and keyboard files from somewhere other than the classpath, implement the Resource interface.
The following code is an example of fetching and loading a file via HTTP(S).
```java
// Build a Zxcvbn instance from a dictionary and a keyboard fetched over HTTPS
URL dictionaryURL = new URL("https://example.com/foo/dictionary.txt");
Resource myDictionaryResource = new MyResourceOverHTTP(dictionaryURL);
URL keyboardURL = new URL("https://example.com/bar/keyboard.txt");
Resource myKeyboardURLResource = new MyResourceOverHTTP(keyboardURL);
Zxcvbn zxcvbn = new ZxcvbnBuilder()
    .dictionary(new DictionaryLoader("my_dictionary", myDictionaryResource).load())
    .keyboard(new SlantedKeyboardLoader("my_keyboard", myKeyboardURLResource).load())
    .build();

// Resource implementation that opens a connection to the given URL
public class MyResourceOverHTTP implements Resource {
    private URL url;

    public MyResourceOverHTTP(URL url) {
        this.url = url;
    }

    @Override
    public InputStream getInputStream() throws IOException {
        HttpURLConnection conn = (HttpURLConnection) this.url.openConnection();
        return conn.getInputStream();
    }
}
```
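A dictionary fetched over the network changes how passwords are scored, so it helps to check its integrity before loading it. The following added example (not part of the original README) is a variant of the Resource above that sets timeouts, caps the download size and only returns content whose SHA-256 digest matches a value pinned by the caller. The class name, the size limit, the timeout values and the package of Resource are assumptions.

```java
import com.nulabinc.zxcvbn.io.Resource; // package name assumed; the page shows only the interface name
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
// Hypothetical Resource that only returns content matching a pinned SHA-256 digest.
public class PinnedHttpResource implements Resource {
    private static final int MAX_BYTES = 16 * 1024 * 1024; // assumed upper bound for a word list
    private final URL url;
    private final byte[] expectedSha256; // raw 32-byte digest supplied by the caller
    public PinnedHttpResource(URL url, byte[] expectedSha256) {
        this.url = url;
        this.expectedSha256 = expectedSha256.clone();
    }
    @Override
    public InputStream getInputStream() throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setConnectTimeout(5_000);
        conn.setReadTimeout(10_000);
        conn.setInstanceFollowRedirects(false); // stay on the configured host
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
            throw new IOException("Unexpected HTTP status " + conn.getResponseCode());
        }
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        try (InputStream in = conn.getInputStream()) {
            byte[] chunk = new byte[8192];
            for (int n; (n = in.read(chunk)) != -1; ) {
                if (body.size() + n > MAX_BYTES) throw new IOException("Resource too large");
                body.write(chunk, 0, n);
            }
        } finally {
            conn.disconnect();
        }
        byte[] data = body.toByteArray();
        try {
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(data);
            if (!MessageDigest.isEqual(actual, expectedSha256)) {
                throw new IOException("Digest mismatch for " + url);
            }
        } catch (NoSuchAlgorithmException e) {
            throw new IOException(e);
        }
        return new ByteArrayInputStream(data); // verified bytes only
    }
}
```

It can be passed to DictionaryLoader or a keyboard loader in place of MyResourceOverHTTP.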
Use file resources other than classpath
The following code is an example of using files in directories outside the classpath.
File dictionaryFile = new File("/home/foo/dictionary
