strong_password 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1db75b147a9e2bc0833c5de0a098fd8b7584d3b5
+  data.tar.gz: 6046844808e8bcf7636cb1865e0218198739a0c1
+SHA512:
+  metadata.gz: 0b7544150289fbe379361be135494cc78bdf8d063dffe68f9f9384c82b50dafacb37a3f0ea6c3dcac41ead516595eeea99ecb1b748abb6884a2af8d4a3f6316e
+  data.tar.gz: 121dbd08326dccbfb8eacac4378d0db274b0eadd716ae773c009ff3f626811030d59be998470c834cec21fa6244f3cff93e1401b7ef4eb2b0cfd84b45c6aab9e

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/CHANGELOG

@@ -0,0 +1,3 @@
+## v0.0.1
+
+* Initial release

data/Gemfile

@@ -0,0 +1,14 @@
+source 'https://rubygems.org'
+
+gemspec
+
+version = ENV["RAILS_VERSION"] || "3.2"
+
+rails = case version
+when "master"
+  {github: "rails/rails"}
+else
+  "~> #{version}.0"
+end
+
+gem "rails", rails

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Brian McManus
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,157 @@
+# StrongPassword
+
+StrongPassword provides entropy-based password strength checking for your apps.
+
+The idea stemmed from the
+"[Checking Password Strength](http://stackoverflow.com/questions/549/the-definitive-guide-to-forms-based-website-authentication)"
+section on StackOverflow.
+
+It is an adaptation of a [PHP algorithm](http://cubicspot.blogspot.com/2011/11/how-to-calculate-password-strength.html)
+developed by Thomas Hruska.
+
+## Installation
+
+NOTE: StrongPassword requires the use of Ruby 2.0.  Upgrade if you haven't already!
+
+Add this line to your application's Gemfile:
+
+    gem 'strong_password'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install strong_password
+
+## Usage
+
+StrongPassword is designed primarily to be used with Rails and ActiveModel validations but can also be
+used standalone if needed.
+
+### With Rails/ActiveModel Validations
+
+StrongPassword adds a custom validator for use with ActiveModel validations.  Your model does NOT need to be an ActiveRecord
+model, it simply has to be an object that includes `ActiveModel::Validations`.  Use it like so:
+
+```ruby
+class User
+  include ActiveModel::Validations
+  
+  # Basic usage.  Defaults to minimum entropy of 18 and no dictionary checking
+  validates :password, password_strength: true
+  # Minimum entropy can be specified as min_entropy
+  validates :password, password_strength: {min_entropy: 40}
+  # Specifies that we want to use dictionary checking
+  validates :password, password_strength: {use_dictionary: true}
+  # Specifies the minimum size of things that should count as words.  Defaults to 4.
+  validates :password, password_strength: {use_dictionary: true, min_word_length: 6}
+  # Specifies that we want to use dictionary checking and adds 'other', 'common', and 'words' to the dictionary we are checking against.
+  validates :password, password_strength: {extra_dictionary_words: ['other', 'common', 'words'], use_dictionary: true}
+  # You can also specify a method name to pull the extra words from
+  validates :password, password_strength: {extra_dictionary_words: :my_extra_words, use_dictionary: true}
+  # Alternative way to request password strength validation on a field
+  validates_password_strength :password
+  
+  # Return an array of words to add to the dictionary we check against.
+  def my_extra_words
+    ['extra', 'words', 'here', 'too']
+  end
+end
+```
+
+The default validation message is "%{attribute} is too weak".  If you would like to customize that you can override it in your locale file
+by setting a value for this key:
+
+```yml
+en:
+  errors:
+    messages:
+      password:
+        password_strength: "%{attribute} is a terrible password, try again!"
+```
+
+### Standalone
+
+StrongPassword can also be used standalone if you need to. There are a few helper methods for determining whether a
+password is strong or not. You can also directly access the entropy calculations if you want.
+
+```text
+2.0.0p0 :001 > checker = StrongPassword::StrengthChecker.new('password')
+ => #<StrongPassword::StrengthChecker:0x007fcd7c939b48 @base_password="password"> 
+2.0.0p0 :002 > checker.is_strong?
+ => false 
+2.0.0p0 :003 > checker.is_weak?
+ => true 
+2.0.0p0 :004 > checker.is_strong?(min_entropy: 2)
+ => true 
+2.0.0p0 :005 > checker.calculate_entropy
+ => 15.5 
+2.0.0p0 :006 > checker.calculate_entropy(use_dictionary: true)
+ => 2
+```
+
+## Details
+
+So what exactly does StrongPassword do for you? If you're really interested you should [read this article](http://cubicspot.blogspot.com/2011/11/how-to-calculate-password-strength.html)
+from the original author of the algorithm.
+
+For the most part StrongPassword stays true to the original but is refactored and tested.  I will try to summarize what
+the algorithm does here but reading the code is probably the best way to really get a feel for it.
+
+The basic premise is to use the NIST suggested rules for entropy calculation as follows:
+
+* The first byte counts as 4 bits.
+* The next 7 bytes count as 2 bits each.
+* The next 12 bytes count as 1.5 bits each.
+* Anything beyond that counts as 1 bit each.
+* Mixed case + non-alphanumeric = up to 6 extra bits.
+
+We actually use a modified version of this calculation that degrades the entropy gained for repeat characters by 75% for
+every appearance in the password.  The original NIST calculation is still available in `StrongPassword::EntropyCalculator`
+but is generally not used in favor of this stricter (albeit slower) version.
+
+So the EntropyCalculator can calculate the entropy of our password for us.  What else does the algorithm do?
+
+In general the algorithm tries to find the lowest entropy possible for the password by running it against various
+filters.  If the lowest entropy we can find for a password is less than the minimum entropy in use by `StrongPassword::StrengthChecker`
+then we consider the password to be weak.  The default minimum entropy is 18 bits.
+
+The first thing we try is a lowercased version of the password.
+
+Next we run the password through a `QwertyAdjuster` that tries to adjust the password's entropy by removing common
+qwerty keyboard layout passwords such as 'qwertyuiop', '1234567890', or '/.,mnbvcxz'.  It looks for these in chunks
+between 3 and 6 in length and reduces the entropy of the password accordingly.
+
+Finally, if specified, we will run the password through a `DictionaryAdjuster`.  This is the slowest part of the
+algorithm but adds significantly to the strength checking.  Ideally this should be run against a large dictionary
+of the most commong words in your language (e.g. a 300,000 word English dictionary).  Currently I just have this
+hard-coded to run against an embedded list of the 500 most common passwords.  This is much faster than running
+against a 300,000 dictionary file and still adds considerably to the strength checking.  The password is checked
+against all dictionary words over a minimum word length (default is 4).  We also generate variations of
+the password to check for common things like leet speak, and qwerty-shifted passwords.  The lowest entropy found
+for any variant is used.  Essentially a password of "p4ssw0rd" will be treated as though it were just "password"
+when looking for dictionary words and thus would find "password" and get an extremely low entropy value.
+
+You can also supply a list of extra dictionary words to this method via the various `StrongPassword::StrengthChecker`
+methods.  Any words supplied will be treated as though they were common dictionary words.  This lets you add
+things like your user's first name, last name, and email address as common dictionary words so they will be
+disallowed by the strength checker.
+
+## Todo
+
+1. Allow the dictionary of common words to be specified by the user.  This is currently hard-coded to
+   the 500 most common passwords.  That also means it's not a true "dictionary" check...
+2. Add a common password adjuster that basically works like the existing DictionaryAdjuster but does
+   not stop at the first found word.  Stopping at the first word make sense if you have a 300,000 word
+   dictionary of the English language but not so much when you're only talking about the 500 most 
+   common passwords.
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/lib/active_model/validations/password_strength_validator.rb

@@ -0,0 +1,43 @@
+require 'strong_password'
+
+module ActiveModel
+  module Validations
+    class PasswordStrengthValidator < ActiveModel::EachValidator
+      def validate_each(object, attribute, value)
+        ps = ::StrongPassword::StrengthChecker.new(value)
+        unless ps.is_strong?(strength_options(options, object))
+          object.errors.add(attribute, :'password.password_strength', options.merge(:value => value))
+        end
+      end
+
+      def strength_options(options, object)
+        strength_options = options.dup
+        strength_options[:extra_dictionary_words] = extra_words_for_object(strength_options[:extra_dictionary_words], object)
+        strength_options.slice(:min_entropy, :use_dictionary, :min_word_length, :extra_dictionary_words)
+      end
+
+      def extra_words_for_object(extra_words, object)
+        return [] unless extra_words.present?
+        if object
+          if extra_words.respond_to?(:call)
+            extra_words = extra_words.call(object)
+          elsif extra_words.kind_of? Symbol
+            extra_words = object.send(extra_words)
+          end
+        end
+        extra_words || []
+      end
+    end
+    
+    module HelperMethods
+      #   class User < ActiveRecord::Base
+      #     validates_password_strength :password
+      #     validates_password_strength :password, extra_dictionary_words: :extra_words
+      #   end
+      #
+      def validates_password_strength(*attr_names)
+        validates_with PasswordStrengthValidator, _merge_attributes(attr_names)
+      end
+    end
+  end
+end

data/lib/strong_password/dictionary_adjuster.rb

@@ -0,0 +1,117 @@
+module StrongPassword
+  class DictionaryAdjuster
+    COMMON_PASSWORDS = ["123456","password","12345678","1234","pussy","12345","dragon","qwerty",
+      "696969","mustang","letmein","baseball","master","michael","football","shadow","monkey","abc123",
+      "pass","6969","jordan","harley","ranger","iwantu","jennifer","hunter","2000","test","batman",
+      "trustno1","thomas","tigger","robert","access","love","buster","1234567","soccer","hockey","killer",
+      "george","sexy","andrew","charlie","superman","asshole","dallas","jessica","panties","pepper",
+      "1111","austin","william","daniel","golfer","summer","heather","hammer","yankees","joshua","maggie",
+      "biteme","enter","ashley","thunder","cowboy","silver","richard","orange","merlin","michelle",
+      "corvette","bigdog","cheese","matthew","121212","patrick","martin","freedom","ginger","blowjob",
+      "nicole","sparky","yellow","camaro","secret","dick","falcon","taylor","111111","131313","123123",
+      "bitch","hello","scooter","please","","porsche","guitar","chelsea","black","diamond","nascar",
+      "jackson","cameron","654321","computer","amanda","wizard","xxxxxxxx","money","phoenix","mickey",
+      "bailey","knight","iceman","tigers","purple","andrea","horny","dakota","aaaaaa","player","sunshine",
+      "morgan","starwars","boomer","cowboys","edward","charles","girls","booboo","coffee","xxxxxx",
+      "bulldog","ncc1701","rabbit","peanut","john","johnny","gandalf","spanky","winter","brandy","compaq",
+      "carlos","tennis","james","mike","brandon","fender","anthony","blowme","ferrari","cookie","chicken",
+      "maverick","chicago","joseph","diablo","sexsex","hardcore","666666","willie","welcome","chris",
+      "panther","yamaha","justin","banana","driver","marine","angels","fishing","david","maddog","hooters",
+      "wilson","butthead","dennis","captain","bigdick","chester","smokey","xavier","steven","viking",
+      "snoopy","blue","eagles","winner","samantha","house","miller","flower","jack","firebird","butter",
+      "united","turtle","steelers","tiffany","zxcvbn","tomcat","golf","bond007","bear","tiger","doctor",
+      "gateway","gators","angel","junior","thx1138","porno","badboy","debbie","spider","melissa","booger",
+      "1212","flyers","fish","porn","matrix","teens","scooby","jason","walter","cumshot","boston","braves",
+      "yankee","lover","barney","victor","tucker","princess","mercedes","5150","doggie","zzzzzz","gunner",
+      "horney","bubba","2112","fred","johnson","xxxxx","tits","member","boobs","donald","bigdaddy","bronco",
+      "penis","voyager","rangers","birdie","trouble","white","topgun","bigtits","bitches","green","super",
+      "qazwsx","magic","lakers","rachel","slayer","scott","2222","asdf","video","london","7777","marlboro",
+      "srinivas","internet","action","carter","jasper","monster","teresa","jeremy","11111111","bill","crystal",
+      "peter","pussies","cock","beer","rocket","theman","oliver","prince","beach","amateur","7777777","muffin",
+      "redsox","star","testing","shannon","murphy","frank","hannah","dave","eagle1","11111","mother","nathan",
+      "raiders","steve","forever","angela","viper","ou812","jake","lovers","suckit","gregory","buddy",
+      "whatever","young","nicholas","lucky","helpme","jackie","monica","midnight","college","baby","brian",
+      "mark","startrek","sierra","leather","232323","4444","beavis","bigcock","happy","sophie","ladies",
+      "naughty","giants","booty","blonde","golden","0","fire","sandra","pookie","packers","einstein",
+      "dolphins","0","chevy","winston","warrior","sammy","slut","8675309","zxcvbnm","nipples","power",
+      "victoria","asdfgh","vagina","toyota","travis","hotdog","paris","rock","xxxx","extreme","redskins",
+      "erotic","dirty","ford","freddy","arsenal","access14","wolf","nipple","iloveyou","alex","florida",
+      "eric","legend","movie","success","rosebud","jaguar","great","cool","cooper","1313","scorpio",
+      "mountain","madison","987654","brazil","lauren","japan","naked","squirt","stars","apple","alexis",
+      "aaaa","bonnie","peaches","jasmine","kevin","matt","qwertyui","danielle","beaver","4321","4128",
+      "runner","swimming","dolphin","gordon","casper","stupid","shit","saturn","gemini","apples","august",
+      "3333","canada","blazer","cumming","hunting","kitty","rainbow","112233","arthur","cream","calvin",
+      "shaved","surfer","samson","kelly","paul","mine","king","racing","5555","eagle","hentai","newyork",
+      "little","redwings","smith","sticky","cocacola","animal","broncos","private","skippy","marvin",
+      "blondes","enjoy","girl","apollo","parker","qwert","time","sydney","women","voodoo","magnum",
+      "juice","abgrtyu","777777","dreams","maxwell","music","rush2112","russia","scorpion","rebecca",
+      "tester","mistress","phantom","billy","6666","albert"]
+    
+    attr_reader :base_password
+    
+    def initialize(password)
+      @base_password = password.dup.downcase
+    end
+    
+    def is_strong?(min_entropy: 18, min_word_length: 4, extra_dictionary_words: [])
+      adjusted_entropy(entropy_threshhold: min_entropy,
+                       min_word_length: min_word_length,
+                       extra_dictionary_words: extra_dictionary_words) >= min_entropy
+    end
+    
+    def is_weak?(min_entropy: 18, min_word_length: 4, extra_dictionary_words: [])
+      !is_strong?(min_entropy: min_entropy, min_word_length: min_word_length, extra_dictionary_words: extra_dictionary_words)
+    end
+    
+    # Returns the minimum entropy for the passwords dictionary adjustments.
+    # If a threshhold is specified we will bail early to avoid unnecessary
+    # processing.
+    # Note that we only check for the first matching word up to the threshhold if set.
+    # Subsequent matching words are not deductd.
+    def adjusted_entropy(min_word_length: 4, extra_dictionary_words: [], entropy_threshhold: -1)
+      dictionary_words = COMMON_PASSWORDS + extra_dictionary_words
+      min_entropy = EntropyCalculator.calculate(base_password)
+      # Process the passwords, while looking for possible matching words in the dictionary.
+      PasswordVariants.all_variants(base_password).each_with_index do |variant, num|
+        y = variant.length
+        x = -1
+        while x < y
+          x = x + 1
+          if ((variant[x] =~ /\w/) != nil)
+            next_non_word = variant.index(/\s/, x)
+            x2 =  next_non_word ? next_non_word : variant.length + 1
+            found = false
+            while !found && (x2 - x >= min_word_length)
+              word = variant[x, min_word_length]
+              word += variant[(x + min_word_length)..x2].reverse.chars.inject('') {|memo, c| "(#{Regexp.quote(c)}#{memo})?"} if (x + min_word_length) <= y
+              results = dictionary_words.grep(/\b#{word}\b/)
+              if results.empty?
+                x = x + 1
+                numbits = EntropyCalculator.calculate('*' * x)
+                # If we have enough entropy at this length on a fully masked password with 
+                # duplicates weakened then we can just bail on this variant
+                found = true if entropy_threshhold >= 0 && numbits >= entropy_threshhold
+              else
+                results.each do |match|
+                  break unless match.present?
+                  # Substitute a single * for matched portion of word and calculate entropy
+                  variant = variant.sub(match.strip.sub('-', '\\-'), '*')
+                  numbits = EntropyCalculator.calculate(variant)
+                  min_entropy = [min_entropy, numbits].min
+                  return min_entropy if min_entropy < entropy_threshhold
+                end
+
+                found = true
+              end
+            end
+
+            break if found
+
+            x = x2 - 1
+          end
+        end
+      end
+      return min_entropy
+    end
+  end
+end

data/lib/strong_password/entropy_calculator.rb

@@ -0,0 +1,76 @@
+module StrongPassword
+  module EntropyCalculator    
+    # Calculates NIST entropy for a password.
+    def self.calculate(password, repeats_weakened = true)
+      if repeats_weakened
+        bits_with_repeats_weakened(password)
+      else
+        bits(password)
+      end
+    end
+    
+    # The basic NIST entropy calculation is based solely
+    # on the length of the password in question.
+    def self.bits(password)
+      length = password.length
+      bits = if length > 20
+        4 + (7 * 2) + (12 * 1.5) + length - 20
+      elsif length > 8
+        4 + (7 * 2) + ((length - 8) * 1.5)
+      elsif length > 1
+        4 + ((length - 1) * 2)
+      else
+        (length == 1 ? 4 : 0)
+      end
+      bits + NistBonusBits.bonus_bits(password)
+    end
+    
+    # A modified version of the basic entropy calculation
+    # which lowers the amount of entropy gained for each
+    # repeated character in the password
+    def self.bits_with_repeats_weakened(password)
+      resolver = EntropyResolver.new
+      bits = password.chars.each.with_index.inject(0) do |result, (char, index)|
+        char_value = resolver.entropy_for(char)
+        result += bit_value_at_position(index, char_value)
+      end
+      bits + NistBonusBits.bonus_bits(password)
+    end
+  
+  private
+    
+    def self.bit_value_at_position(position, base = 1)
+      if position > 19
+        return base
+      elsif position > 7
+        return base * 1.5
+      elsif position > 0
+        return base * 2
+      else
+        return 4
+      end
+    end
+  
+    class EntropyResolver
+      BASE_VALUE = 1
+      REPEAT_WEAKENING_FACTOR = 0.75
+      
+      attr_reader :char_multiplier
+      
+      def initialize
+        @char_multiplier = {}
+      end
+      
+      # Returns the current entropy value for a character and weakens the entropy
+      # for future calls for the same character.
+      def entropy_for(char)
+        ordinal_value = char.ord
+        char_multiplier[ordinal_value] ||= BASE_VALUE
+        char_value = char_multiplier[ordinal_value]
+        # Weaken the value of this character for future occurrances
+        char_multiplier[ordinal_value] = char_multiplier[ordinal_value] * REPEAT_WEAKENING_FACTOR
+        return char_value
+      end
+    end
+  end
+end

data/lib/strong_password/locale/en.yml

@@ -0,0 +1,5 @@
+en:
+  errors:
+    messages:
+      password:
+        password_strength: "%{attribute} is too weak"

data/lib/strong_password/nist_bonus_bits.rb

@@ -0,0 +1,45 @@
+module StrongPassword
+  module NistBonusBits
+    @@bonus_bits_for_password = {}
+    
+    # NIST password strength rules allow up to 6 bonus bits for mixed case and non-alphabetic
+    def self.bonus_bits(password)
+      @@bonus_bits_for_password[password] ||= begin
+        calculate_bonus_bits_for(password)
+  	  end
+    end
+    
+    # This smells bad as it's only used for testing...
+    def self.reset_bonus_cache!
+      @@bonus_bits_for_password = {}
+    end
+    
+    def self.calculate_bonus_bits_for(password)
+      upper   = !!(password =~ /[[:upper:]]/)
+  		lower   = !!(password =~ /[[:lower:]]/)
+  		numeric = !!(password =~ /[[:digit:]]/)
+  		other   = !!(password =~ /[^a-zA-Z0-9 ]/)
+  		space   = !!(password =~ / /)
+  		
+  		# I had this condensed to nested ternaries but that shit was ugly
+  		bonus_bits = if upper && lower && other && numeric
+  		  6
+		  elsif upper && lower && other && !numeric
+		    5
+		  elsif numeric && other && !upper && !lower
+		    -2
+		  elsif numeric && !other && !upper && !lower
+		    -6
+	    else
+	      0
+      end
+
+  		if !space
+  		  bonus_bits = bonus_bits - 2
+  		elsif password.split(/\s+/).length > 3
+  		  bonus_bits = bonus_bits + 1
+  	  end
+  	  bonus_bits
+	  end
+  end
+end