password_strength 0.1.0

data/CHANGELOG.rdoc

@@ -0,0 +1,5 @@
+= Changelog
+
+== March 5 2010
+
+* Released 0.1.0 version

data/README.rdoc

@@ -0,0 +1,97 @@
+= Introduction
+
+Validates the strength of a password according to several rules:
+
+* size
+* 3+ numbers
+* 2+ special characters
+* uppercased and downcased letters
+* combination of numbers, letters and symbols
+* password contains username
+* sequences (123, abc, aaa)
+
+Some results:
+
+* <tt>123</tt>: weak
+* <tt>123abc</tt>: weak
+* <tt>aaaaaa</tt>: weak
+* <tt>myPass145</tt>: good
+* <tt>myPass145$</tt>: strong
+
+= Install
+
+  sudo gem install password_strength
+
+If you want the source go to http://github.com/fnando/password_strength
+
+= Usage
+
+  strength = PasswordStrength.test("johndoe", "mypass")
+  #=> return a object
+
+  strength.good?
+  #=> status == :good
+
+  strength.weak?
+  #=> status == :weak
+
+  strength.strong?
+  #=> status == :strong
+
+  strength.status
+  #=> can be :weak, :good, :strong
+
+  strength.valid?(:strong)
+  #=> strength == :strong
+
+  strength.valid?(:good)
+  #=> strength == :good or strength == :strong
+
+= ActiveRecord
+
+The PasswordStrength library comes with ActiveRecord support (tested on AR 2.3.5 and 3.0.0-beta).
+
+  class Person < ActiveRecord::Base
+    validates_strength_of :password
+  end
+
+The default options are <tt>:level => :good, :with => :username</tt>.
+
+If you want to compare your password against other field, you have to set the <tt>:with</tt> option.
+
+  validates_strength_of :password, :with => :email
+
+The available levels are: <tt>:weak</tt>, <tt>:good</tt> and <tt>:strong</tt>
+
+= JavaScript
+
+The PasswordStrength also implements the algorithm in the JavaScript.
+
+  var strength = PasswordStrength.test("johndoe", "mypass");
+  strength.isGood();
+  strength.isStrong();
+  strength.isWeak();
+  strength.isValid("good");
+
+The API is basically the same!
+
+Get the file: http://github.com/fnando/password_strength/raw/master/lib/password_strength.js
+
+= TO-DO
+
+* Detect repetitions
+* Rake task to get the latest JavaScript file
+
+= License
+
+(The MIT License)
+
+Copyright © 2010:
+
+* Nando Vieira (http://simplesideias.com.br)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the ‘Software’), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED ‘AS IS’, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/lib/password_strength.js

@@ -0,0 +1,194 @@
+var PasswordStrength = function() {
+	var MULTIPLE_NUMBERS_RE = /\d.*?\d.*?\d/;
+	var MULTIPLE_SYMBOLS_RE = /[!@#$%^&*?_~].*?[!@#$%^&*?_~]/;
+	var UPPERCASE_LOWERCASE_RE = /([a-z].*[A-Z])|([A-Z].*[a-z])/;
+	var SYMBOL_RE = /[!@#\$%^&*?_~]/;
+
+	this.username = null;
+	this.password = null;
+	this.score = 0;
+	this.status = null;
+
+	this.test = function() {
+		this.score = 0;
+		this.score += this.scoreFor("password_size");
+		this.score += this.scoreFor("numbers");
+		this.score += this.scoreFor("symbols");
+		this.score += this.scoreFor("uppercase_lowercase");
+		this.score += this.scoreFor("numbers_chars");
+		this.score += this.scoreFor("numbers_symbols");
+		this.score += this.scoreFor("symbols_chars");
+		this.score += this.scoreFor("only_chars");
+		this.score += this.scoreFor("only_numbers");
+		this.score += this.scoreFor("username");
+		this.score += this.scoreFor("sequences");
+
+		if (this.score < 0) {
+			this.score = 0;
+		}
+
+		if (this.score > 100) {
+			this.score = 100;
+		}
+
+		if (this.score < 35) {
+			this.status = "weak";
+		}
+
+		if (this.score >= 35 && this.score < 70) {
+			this.status = "good";
+		}
+
+		if (this.score >= 70) {
+			this.status = "strong";
+		}
+
+		return this.score;
+	};
+
+	this.scoreFor = function(name) {
+		score = 0;
+
+		switch (name) {
+			case "password_size":
+				if (this.password.length < 4) {
+					score = -100;
+				} else {
+					score = this.password.length * 4;
+				}
+				break;
+
+			case "numbers":
+				if (this.password.match(MULTIPLE_NUMBERS_RE)) {
+					score = 5;
+				}
+				break;
+
+			case "symbols":
+				if (this.password.match(MULTIPLE_SYMBOLS_RE)) {
+					score = 5;
+				}
+				break;
+
+			case "uppercase_lowercase":
+				if (this.password.match(UPPERCASE_LOWERCASE_RE)) {
+					score = 10;
+				}
+				break;
+
+			case "numbers_chars":
+				if (this.password.match(/[a-z]/i) && this.password.match(/[0-9]/)) {
+					score = 15;
+				}
+				break;
+
+			case "numbers_symbols":
+				if (this.password.match(/[0-9]/) && this.password.match(SYMBOL_RE)) {
+					score = 15;
+				}
+				break;
+
+			case "symbols_chars":
+				if (this.password.match(/[a-z]/i) && this.password.match(SYMBOL_RE)) {
+					score = 15;
+				}
+				break;
+
+			case "only_chars":
+				if (this.password.match(/^[a-z]+$/i)) {
+					score = -15;
+				}
+				break;
+
+			case "only_numbers":
+				if (this.password.match(/^\d+$/i)) {
+					score = -15;
+				}
+				break;
+
+			case "username":
+				if (this.password == this.username) {
+					score = -100;
+				} else if (this.password.indexOf(this.username) != -1) {
+					score = -15;
+				}
+				break;
+
+			case "sequences":
+				score += -15 * this.detectSequences(this.password);
+				score += -15 * this.detectSequences(this.reversed(this.password));
+				break
+		};
+
+		return score;
+	};
+
+	this.isGood = function() {
+		return this.status == "good";
+	};
+
+	this.isWeak = function() {
+		return this.status == "weak";
+	};
+
+	this.isStrong = function() {
+		return this.status == "strong";
+	};
+
+	this.isValid = function(level) {
+		if(level == "strong") {
+			return this.isStrong();
+		} else if (level == "good") {
+			return this.isStrong() || this.isGood();
+		} else {
+			return true;
+		}
+	};
+
+	this.detectSequences = function(text) {
+		var matches = 0;
+		var sequenceSize = 0;
+		var codes = [];
+		var len = text.length;
+		var previousCode, currentCode;
+
+		for (var i = 0; i < len; i++) {
+			currentCode = text.charCodeAt(i);
+			previousCode = codes[codes.length - 1];
+			codes.push(currentCode);
+
+			if (previousCode) {
+				if (currentCode == previousCode + 1 || previousCode == currentCode) {
+					sequenceSize += 1;
+				} else {
+					sequenceSize = 0;
+				}
+			}
+
+			if (sequenceSize == 2) {
+				matches += 1;
+			}
+		}
+
+		return matches;
+	};
+
+	this.reversed = function(text) {
+		var newText = "";
+		var len = text.length;
+
+		for (var i = len -1; i >= 0; i--) {
+			newText += text.charAt(i);
+		}
+
+		return newText;
+	};
+};
+
+PasswordStrength.test = function(username, password) {
+	strength = new PasswordStrength();
+	strength.username = username;
+	strength.password = password;
+	strength.test();
+	return strength;
+};

data/lib/password_strength.rb

@@ -0,0 +1,17 @@
+require "password_strength/base"
+require "password_strength/active_record"
+
+module PasswordStrength
+  # Test the password strength by applying several rules.
+  # The username is required to match its substring in passwords.
+  #
+  #   strength = PasswordStrength.test("johndoe", "mypass")
+  #   strength.weak?
+  #   #=> true
+  #
+  def self.test(username, password)
+    strength = Base.new(username, password)
+    strength.test
+    strength
+  end
+end

data/lib/password_strength/active_record.rb

@@ -0,0 +1,8 @@
+if defined?(Rails)
+  if Rails.version >= "3"
+    require "active_record"
+    require "password_strength/active_record/ar3"
+  else
+    require "password_strength/active_record/ar2"
+  end
+end

data/lib/password_strength/active_record/ar2.rb

@@ -0,0 +1,34 @@
+module PasswordStrength
+  module ActiveRecord
+    # Validates that the specified attributes are not weak (according to several rules).
+    #
+    #   class Person < ActiveRecord::Base
+    #     validates_strength_of :password
+    #   end
+    #
+    # The default options are <tt>:level => :good, :with => :username</tt>.
+    #
+    # If you want to compare your password against other field, you have to set the <tt>:with</tt> option.
+    #
+    #   validates_strength_of :password, :with => :email
+    #
+    # The available levels are: <tt>:weak</tt>, <tt>:good</tt> and <tt>:strong</tt>
+    #
+    def validates_strength_of(*attr_names)
+      options = attr_names.extract_options!
+      options.reverse_merge!(:level => :good, :with => :username, :message => "is too weak")
+
+      raise ArgumentError, "The :with option must be supplied" unless options.include?(:with)
+      raise ArgumentError, "The :level option must be one of [:weak, :good, :strong]" unless [:weak, :good, :strong].include?(options[:level])
+
+      validates_each(attr_names, options) do |record, attr_name, value|
+        strength = PasswordStrength.test(record.send(options[:with]), value)
+        record.errors.add(attr_name, :too_weak, :default => options[:message]) unless strength.valid?(options[:level])
+      end
+    end
+  end
+end
+
+class ActiveRecord::Base # :nodoc:
+  extend PasswordStrength::ActiveRecord
+end

data/lib/password_strength/active_record/ar3.rb

@@ -0,0 +1,40 @@
+module ActiveModel # :nodoc:
+  module Validations # :nodoc:
+    class StrengthValidator < EachValidator # :nodoc: all
+      def initialize(options)
+        super(options.reverse_merge(:level => :good, :with => :username, :message => "is too weak"))
+      end
+
+      def validate_each(record, attribute, value)
+        strength = PasswordStrength.test(record.send(options[:with]), value)
+        record.errors.add(attribute, :too_weak, :default => options[:message], :value => value) unless strength.valid?(options[:level])
+      end
+
+      def check_validity!
+        raise ArgumentError, "The :with option must be supplied" unless options.include?(:with)
+        raise ArgumentError, "The :level option must be one of [:weak, :good, :strong]" unless [:weak, :good, :strong].include?(options[:level])
+        super
+      end
+    end
+
+    module ClassMethods
+      # Validates that the specified attributes are not weak (according to several rules).
+      #
+      #   class Person < ActiveRecord::Base
+      #     validates_strength_of :password
+      #   end
+      #
+      # The default options are <tt>:level => :good, :with => :username</tt>.
+      #
+      # If you want to compare your password against other field, you have to set the <tt>:with</tt> option.
+      #
+      #   validates_strength_of :password, :with => :email
+      #
+      # The available levels are: <tt>:weak</tt>, <tt>:good</tt> and <tt>:strong</tt>
+      #
+      def validates_strength_of(*attr_names)
+        validates_with StrengthValidator, _merge_attributes(attr_names)
+      end
+    end
+  end
+end

data/lib/password_strength/base.rb

@@ -0,0 +1,153 @@
+module PasswordStrength
+  class Base
+    MULTIPLE_NUMBERS_RE = /\d.*?\d.*?\d/
+    MULTIPLE_SYMBOLS_RE = /[!@#\$%^&*?_~-].*?[!@#\$%^&*?_~-]/
+    SYMBOL_RE = /[!@#\$%^&*?_~-]/
+    UPPERCASE_LOWERCASE_RE = /([a-z].*[A-Z])|([A-Z].*[a-z])/
+
+    # Hold the username that will be matched against password
+    attr_accessor :username
+
+    # The password that will be tested
+    attr_accessor :password
+
+    # The score for the latest test. Will be nil if the password has not been tested.
+    attr_reader   :score
+
+    # The current test status. Can be +:weak+, +:good+ or +:strong+
+    attr_reader   :status
+
+    def initialize(username, password)
+      @username = username.to_s
+      @password = password.to_s
+      @score = 0
+    end
+
+    # Check if the password has the specified score.
+    # Level can be +:weak+, +:good+ or +:strong+.
+    def valid?(level)
+      case level
+      when :strong then
+        strong?
+      when :good then
+        good? || strong?
+      else
+        true
+      end
+    end
+
+    # Check if the password has been detected as strong.
+    def strong?
+      status == :strong
+    end
+
+    # Check if the password has been detected as weak.
+    def weak?
+      status == :weak
+    end
+
+    # Check if the password has been detected as good.
+    def good?
+      status == :good
+    end
+
+    # Return the score for the specified rule.
+    # Available rules:
+    #
+    # * :password_size
+    # * :numbers
+    # * :symbols
+    # * :uppercase_lowercase
+    # * :numbers_chars
+    # * :numbers_symbols
+    # * :symbols_chars
+    # * :only_chars
+    # * :only_numbers
+    # * :username
+    # * :sequences
+    def score_for(name)
+      score = 0
+
+      case name
+      when :password_size then
+        if password.size < 4
+          score = -100
+        else
+          score = password.size * 4
+        end
+      when :numbers then
+        score = 5 if password =~ MULTIPLE_NUMBERS_RE
+      when :symbols then
+        score = 5 if password =~ MULTIPLE_SYMBOLS_RE
+      when :uppercase_lowercase then
+        score = 10 if password =~ UPPERCASE_LOWERCASE_RE
+      when :numbers_chars then
+        score = 15 if password =~ /[a-z]/i && password =~ /[0-9]/
+      when :numbers_symbols then
+        score = 15 if password =~ /[0-9]/ && password =~ SYMBOL_RE
+      when :symbols_chars then
+        score = 15 if password =~ /[a-z]/i && password =~ SYMBOL_RE
+      when :only_chars then
+        score = -15 if password =~ /^[a-z]+$/i
+      when :only_numbers then
+        score = -15 if password =~ /^\d+$/
+      when :username then
+        if password == username
+          score = -100
+        else
+          score = -15 if password =~ /#{Regexp.escape(username)}/
+        end
+      when :sequences then
+        score = -15 * detect_sequences(password)
+        score += -15 * detect_sequences(password.to_s.reverse)
+      end
+
+      score
+    end
+
+    def test
+      @score = 0
+      @score += score_for(:password_size)
+      @score += score_for(:numbers)
+      @score += score_for(:symbols)
+      @score += score_for(:uppercase_lowercase)
+      @score += score_for(:numbers_chars)
+      @score += score_for(:numbers_symbols)
+      @score += score_for(:symbols_chars)
+      @score += score_for(:only_chars)
+      @score += score_for(:only_numbers)
+      @score += score_for(:username)
+      @score += score_for(:sequences)
+
+      @score = 0 if score < 0
+      @score = 100 if score > 100
+
+      @status = :weak   if score < 35
+      @status = :good   if score >= 35 && score < 70
+      @status = :strong if score >= 70
+
+      score
+    end
+
+    def detect_sequences(text) # :nodoc:
+      matches = 0
+      sequence_size = 0
+      bytes = []
+
+      text.to_s.each_byte do |byte|
+        previous_byte = bytes.last
+        bytes << byte
+
+        if previous_byte && ((byte == previous_byte + 1) || (previous_byte == byte))
+          sequence_size += 1
+        else
+          sequence_size = 0
+        end
+
+        matches += 1 if sequence_size == 2
+      end
+
+      matches
+    end
+  end
+end