Analysis and implementation of password strength detection algorithm based on rule scoring (JavaScript)

Jianyan

Use regular expression to do user password strength of passing judgment, too simple rough, not only user experience is poor, and user account security is poor. So how to accurately evaluate the strength of user passwords, to protect user account security? This paper analyzes and introduces several algorithms of password strength detection based on rule scoring, and gives the corresponding demonstration program. According to the security needs of their projects, we can do the best for their own options.

1 Scenario 1 (Simple)

Program 1 algorithm through the analysis of the password composition, combined with the weight allocation, statistical results of the password strength score. The higher the score, the greater the password strength, and the more secure it is. The idea of Scheme 1 is simple and easy to realize.

1.1 Scenario 1 scoring criteria

First, password length:

• 5 points: less than or equal to 4 characters
• 10 points: 5 to 7 characters
• 25 points: greater than or equal to 8 characters

Second, the letter:

• 0 Points: No letters
• 10 points: all small (Large) write letters
• 20 points: Mixed uppercase and lowercase letters

Third, Number:

• 0 Points: No numbers
• 10 points: 1 digits
• 20 points: greater than 1 digits

Four, the symbol:

• 0 Points: No sign
• 10 points: 1 symbols
• 25 points: more than 1 symbols

Five, reward:

• 2 points: Letters and numbers
• 3 points: Letters, numbers and symbols
• 5 points: Uppercase and lowercase letters, numbers, and symbols

1.2 Scenario 1 Classification

According to the password score, divide the password into the following 7 levels:

• \>= 90: Very safe (very_secure)
• \>= 80: Security (Secure)
• \>= 70: Very strong (Very_strong)
• \>= 60: Strong (strong)
• \>= 50: General (AVERAGE)
• \>= 25: Weak (WEAK)
• \>= 0: Very weak (very_weak)

The grading standard and grading, the actual use, can be small adjustments, but do not recommend big changes.

1.3 Scenario 1 Demo Program

Demo Program

1.4 Scenario 1 Test analysis

// 评分 25，纯小写字母无法通过验证console.log("aaaaaaaa".score());// 评分 45，纯数字无法通过验证console.log("11111111".score());// 评分 47，小写+数字无法通过验证console.log("aa111111".score());// 评分 45，小写+大写无法通过验证console.log("aaaaAAAA".score());// 评分 50，4位密码不可能通过验证console.log("11!!".score());// 评分 70，5位密码可通过验证console.log("0aA!!".score());// 评分 67，小写+大写+数字可通过验证（8位）console.log("aA000000".score());// 评分 70，数字+符号可通过验证console.log("000000!!".score());

From the above test results, we can see that the algorithm is very effective, the basic can ensure that the password has a certain degree of security. But the problem is also obvious, the most important problem is the repetition or continuous character scoring too high. Take the last of the test cases as an example: 000000!! you can get 70 points, but obviously not a very strong password.

In addition, program 1 can get up to 95 points, that is, there is no 100 (absolute security) password, this is also a very intelligent design.

2 Scenario 2

In view of the deficiencies in scenario 1, the reduction mechanism was introduced in Scenario 2. For repeated occurrences, successive occurrences of the character are given the appropriate reduction to make the password score more accurate. At the same time in program 2, the score base and calculation process are very complex, to understand the meaning of each step, please maintain enough patience.

2.1 Programme 2 Plus sub-items

First, password length:

• Formula: + (N*4), where n means password length

Second, capital letters:

• Formula: + ((len-n) * *), where n denotes the number of uppercase letters, Len indicates the length of the password

Three, lowercase letters:

• Formula: + ((len-n) * *), where n is the number of lowercase letters, Len indicates the length of the password

Four, the number:

• Formula: + (N*4), where n indicates number of digits
• Condition: Meet N < Len to get bonus points, Len indicates password length

Five, Symbol:

• Formula: + (N*6), where n denotes the number of symbols

Six, in the middle of the number or symbol:

• Formula: + (n*2), where n indicates the number of numbers or symbols in the middle

VII. Minimum CONDITION score:

• Formula: + (n*2), where n indicates the minimum number of criteria entries to satisfy
• Conditions: only if the minimum conditions are met, the bonus points can be obtained.

The entry for the minimum condition is as follows:

• 1. Password length not less than 8 bits
• 2. Include uppercase letters
• 3. Contains lowercase letters
• 4. Contains numbers
• 5. Include symbols

The minimum requirement satisfies entry 1 and satisfies at least any three of the entry 2-5.

2.2 Programme 2 minus sub-items

One, only letters:

• Formula:-N, where n denotes the number of letters

Second, only the number:

• Formula:-N, where n indicates number of digits

Number of repeated characters (case sensitive):

The description is complex and the calculation method is shown in the following example program:

var pass = "1111aaDD";  //示意密码var repChar = 0;var repCharBonus = 0;  //得分var len = pass.length;for(var i = 0; i < len; i++) {    var exists = false;    for (var j = 0; j < len; j++) {        if (pass[i] == pass[j] && i != j) {            exists = true;            repCharBonus += Math.abs(len/(j-i));        }    }    if (exists) {        repChar++;        var unqChar = len - repChar;        repCharBonus = (unqChar) ? Math.ceil(repCharBonus/unqChar) : Math.ceil(repCharBonus);    }}

Four, consecutive capital letters:

• Formula:-(n*2), where n indicates the number of occurrences of consecutive uppercase letters
• Example: If you enter AUB, the n=2

Five, Continuous lowercase letters:

• Formula:-(n*2), where n indicates the number of occurrences of a continuous lowercase letter
• Example: If you enter AUB, the n=2

Six, consecutive numbers:

• Formula:-(n*2), where n indicates the number of consecutive occurrences of a number
• Example: If you enter 381, the n=2

Seven, positive or reverse letters:

• Formula:-(n*3), where n indicates the number of consecutive occurrences
  • Positive or reverse order refers to the sequence in the alphabet
  • Case insensitive
• Conditions: Only 3 consecutive letters or more, will reduce the score,
• Example 1: If you enter ABC, n=1
• Example 2: If input DCBA, then n=2

Number of positive or reverse order:

• Formula:-(n*3), where n indicates the number of consecutive occurrences
• Condition: only 3 consecutive digits or more will reduce the score.
• Example 1: If input 123, then n=1,
• Example 2: If input 4321, then n=2
• Example 3: If you enter 12, you will not lose points

Nine, positive or reverse order symbols:

• Formula:-(n*3), where n indicates the number of consecutive occurrences
• Conditions: only 3 consecutive symbols or more, will reduce the score

2.3 Scenario 2 Classification

According to the password score, divide the password into the following 5 levels:

• \>= 80: Very strong (Very_strong)
• \>= 60: Strong (strong)
• \>= 40: Good (good)
• \>= 20: Weak (WEAK)
• \>= 0: Very weak (very_weak)

2.4 Scenario 2 Demo Program

Demo Program

2.5 Scenario 2 Test analysis

// 评分 0console.log("11111111".score());// 评分 2console.log("aa111111".score());// 评分 38console.log("000000!!".score());// 评分 76console.log("Asdf2468".score());// 评分 76console.log("Mary2468".score());// 评分 60console.log("@dmin246".score());

From the above test, it can be seen that scenario 2 compared to Scenario 1 has a relatively large improvement and promotion, especially for continuous or repetitive characters on excellent performance. However, there are obvious deficiencies in scenario 2, including the inability to recognize the name (Mary), the word (story), the keys attached to the keyboard (ASDF), the l33t (@dmin).

L33T: Refers to the writing of the Latin alphabet into numbers or special symbols. For example, write E 3, a write @, to write 2, for write 4.

3 Brief description of Scenario 3 zxcvbn3.1

In view of the deficiencies in scenario 2, the introduction of scenario 3, further increase the length of password strength. Scenario 3 fully introduces a third-party inspection tool, ZXCVBN.

ZXCVBN is a password strength estimator inspired by password cracking. It uses pattern matching and conservative estimation, presumably to identify about 30K of regular passwords. Mainly based on U.S. census data, wikis, American movies, TV buzzwords, and other common patterns such as dates, repeating characters, sequence characters, keyboard modes and l33t sessions.

From the design idea of the algorithm, this scheme completely kills based on the composition of the statistical analysis method (the first two methods). ZXCVBN supports multiple development languages at the same time. Due to the complexity of its schema and the existence of dictionaries, the current version of Zxcvbn.js is about 800 K.

To understand the project details and algorithms see ZXCVBN official website:

GitHub zxcvbn

3.2 Scenario 3 Demo Program

Demo Program

The above is the three-fat on the password Strength Detection algorithm and program understanding and analysis, the shortcomings are also please make a lot of mistakes!

Original link

Analysis and implementation of password strength detection algorithm based on rule scoring (JavaScript)