strong_password 0.0.1

data/lib/strong_password/password_variants.rb

@@ -0,0 +1,153 @@
+module StrongPassword
+  module PasswordVariants
+    LEET_SPEAK_1 = {
+      "@" => "a",
+      "!" => "i",
+      "$" => "s",
+      "1" => "i",
+      "2" => "z",
+      "3" => "e",
+      "4" => "a",
+      "5" => "s",
+      "6" => "g",
+      "7" => "t",
+      "8" => "b",
+      "9" => "g",
+      "0" => "o"
+    }
+
+    LEET_SPEAK_2 = {
+      "@" => "a",
+      "!" => "i",
+      "$" => "s",
+      "1" => "l",
+      "2" => "z",
+      "3" => "e",
+      "4" => "a",
+      "5" => "s",
+      "6" => "g",
+      "7" => "t",
+      "8" => "b",
+      "9" => "g",
+      "0" => "o"
+    }
+
+    KEYBOARDMAP_DOWN_NOSHIFT = {
+      "z" => "", 
+      "x" => "", 
+      "c" => "", 
+      "v" => "", 
+      "b" => "", 
+      "n" => "", 
+      "m" => "", 
+      "," => "", 
+      "." => "", 
+      "/" => "", 
+      "<" => "", 
+      ">" => "", 
+      "?" => ""
+    }
+
+    KEYBOARDMAP_DOWNRIGHT = {
+      "a" => "z",
+      "q" => "a",
+      "1" => "q",
+      "s" => "x",
+      "w" => "s",
+      "2" => "w",
+      "d" => "c",
+      "e" => "d",
+      "3" => "e",
+      "f" => "v",
+      "r" => "f",
+      "4" => "r",
+      "g" => "b",
+      "t" => "g",
+      "5" => "t",
+      "h" => "n",
+      "y" => "h",
+      "6" => "y",
+      "j" => "m",
+      "u" => "j",
+      "7" => "u",
+      "i" => "k",
+      "8" => "i",
+      "o" => "l",
+      "9" => "o",
+      "0" => "p"
+    }
+
+    KEYBOARDMAP_DOWNLEFT = {
+      "2" => "q",
+      "w" => "a",
+      "3" => "w",
+      "s" => "z",
+      "e" => "s",
+      "4" => "e",
+      "d" => "x",
+      "r" => "d",
+      "5" => "r",
+      "f" => "c",
+      "t" => "f",
+      "6" => "t",
+      "g" => "v",
+      "y" => "g",
+      "7" => "y",
+      "h" => "b",
+      "u" => "h",
+      "8" => "u",
+      "j" => "n",
+      "i" => "j",
+      "9" => "i",
+      "k" => "m",
+      "o" => "k",
+      "0" => "o",
+      "p" => "l",
+      "-" => "p"
+    }
+    
+    # Returns all variants of a given password including the password itself
+    def self.all_variants(password)
+      passwords = [password.dup.downcase]
+      passwords += keyboard_shift_variants(password)
+      passwords += leet_speak_variants(password)
+      passwords.uniq
+    end
+
+    # Returns all keyboard shifted variants of a given password
+    def self.keyboard_shift_variants(password)
+      password = password.dup.downcase
+      variants = []
+      
+      if (password == password.tr(KEYBOARDMAP_DOWN_NOSHIFT.keys.join, KEYBOARDMAP_DOWN_NOSHIFT.values.join))
+        variant = password.tr(KEYBOARDMAP_DOWNRIGHT.keys.join, KEYBOARDMAP_DOWNRIGHT.values.join)
+        variants << variant
+        variants << variant.reverse
+
+        variant = password.tr(KEYBOARDMAP_DOWNLEFT.keys.join, KEYBOARDMAP_DOWNLEFT.values.join)
+        variants << variant
+        variants << variant.reverse
+      end
+      variants
+    end
+
+    # Returns all leet speak variants of a given password
+    def self.leet_speak_variants(password)
+      password = password.dup.downcase
+      variants = []
+
+      leet = password.tr(LEET_SPEAK_1.keys.join, LEET_SPEAK_1.values.join)
+      if leet != password
+        variants << leet
+        variants << leet.reverse
+      end
+
+      leet_l = password.tr(LEET_SPEAK_2.keys.join, LEET_SPEAK_2.values.join)
+      if (leet_l != password && leet_l != leet)
+        variants << leet_l
+        variants << leet_l.reverse
+      end
+      variants
+    end
+  end
+end

data/lib/strong_password/qwerty_adjuster.rb

@@ -0,0 +1,73 @@
+module StrongPassword
+  class QwertyAdjuster
+    QWERTY_STRINGS = [
+      "1234567890-",
+      "qwertyuiop",
+      "asdfghjkl;",
+      "zxcvbnm,./",
+      "1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik,9ol.0p;/-['=]:?_{\"+}",
+      "1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik9ol0p",
+      "qazwsxedcrfvtgbyhnujmik,ol.p;/-['=]:?_{\"+}",
+      "qazwsxedcrfvtgbyhnujmikolp",
+      "]\"/=[;.-pl,0okm9ijn8uhb7ygv6tfc5rdx4esz3wa2q1",
+      "pl0okm9ijn8uhb7ygv6tfc5rdx4esz3wa2q1",
+      "]\"/[;.pl,okmijnuhbygvtfcrdxeszwaq",
+      "plokmijnuhbygvtfcrdxeszwaq",
+      "014725836914702583697894561230258/369*+-*/",
+      "abcdefghijklmnopqrstuvwxyz"
+    ]
+    
+    attr_reader :base_password
+    
+    def initialize(password)
+      @base_password = password.dup.downcase
+    end
+    
+    def is_strong?(min_entropy: 18)
+      adjusted_entropy(entropy_threshhold: min_entropy) >= min_entropy
+    end
+    
+    def is_weak?(min_entropy: 18)
+      !is_strong?(min_entropy: min_entropy)
+    end
+    
+    # Returns the minimum entropy for the password's qwerty locality
+    # adjustments.  If a threshhold is specified we will bail
+    # early to avoid unnecessary processing.
+    def adjusted_entropy(entropy_threshhold: 0)
+      revpassword = base_password.reverse
+      min_entropy = [EntropyCalculator.calculate(base_password), EntropyCalculator.calculate(revpassword)].min
+      QWERTY_STRINGS.each do |qwertystr|
+        qpassword = mask_qwerty_strings(base_password, qwertystr)
+        qrevpassword = mask_qwerty_strings(revpassword, qwertystr)
+        if qpassword != base_password
+          numbits = EntropyCalculator.calculate(qpassword)
+          min_entropy = [min_entropy, numbits].min
+          return min_entropy if min_entropy < entropy_threshhold
+        end
+        if qrevpassword != revpassword
+          numbits = EntropyCalculator.calculate(qrevpassword)
+          min_entropy = [min_entropy, numbits].min
+          return min_entropy if min_entropy < entropy_threshhold
+        end
+      end
+      min_entropy
+    end
+  
+  private
+  
+    def mask_qwerty_strings(password, qwerty_string)
+      masked_password = password
+      z = 6
+      begin
+        y = qwerty_string.length - z
+        (0..y).each do |x|
+          str = qwerty_string[x, z].sub('-', '\\-')
+          masked_password = masked_password.sub(str, '*')
+        end
+        z = z - 1
+      end while z > 2
+      masked_password
+    end
+  end
+end

data/lib/strong_password/railtie.rb

@@ -0,0 +1 @@
+require 'rails/railtie'

data/lib/strong_password/strength_checker.rb

@@ -0,0 +1,37 @@
+module StrongPassword
+  class StrengthChecker
+    BASE_ENTROPY = 18
+    
+    attr_reader :base_password
+
+    def initialize(password)
+      @base_password = password.dup
+    end
+    
+    def is_weak?(min_entropy: BASE_ENTROPY, use_dictionary: false, min_word_length: 4, extra_dictionary_words: [])
+      !is_strong?(min_entropy: min_entropy,
+                  use_dictionary: use_dictionary, 
+                  min_word_length: min_word_length, 
+                  extra_dictionary_words: extra_dictionary_words)
+    end
+
+    def is_strong?(min_entropy: BASE_ENTROPY, use_dictionary: false, min_word_length: 4, extra_dictionary_words: [])
+      weak = (EntropyCalculator.calculate(base_password) < min_entropy) ||
+             (EntropyCalculator.calculate(base_password.downcase) < min_entropy) ||
+             (QwertyAdjuster.new(base_password).is_weak?(min_entropy: min_entropy))
+      if !weak && use_dictionary
+        return DictionaryAdjuster.new(base_password).is_strong?(min_entropy: min_entropy,
+                    min_word_length: min_word_length, 
+                    extra_dictionary_words: extra_dictionary_words)
+      else
+        return !weak
+      end
+    end
+    
+    def calculate_entropy(use_dictionary: false, min_word_length: 4, extra_dictionary_words: [])
+      entropies = [EntropyCalculator.calculate(base_password), EntropyCalculator.calculate(base_password.downcase), QwertyAdjuster.new(base_password).adjusted_entropy]
+      entropies << DictionaryAdjuster.new(base_password).adjusted_entropy(min_word_length: min_word_length, extra_dictionary_words: extra_dictionary_words) if use_dictionary
+      entropies.min
+    end
+  end
+end

data/lib/strong_password/version.rb

@@ -0,0 +1,3 @@
+module StrongPassword
+  VERSION = "0.0.1"
+end

data/lib/strong_password.rb

@@ -0,0 +1,15 @@
+require 'active_model/validations'
+
+require 'strong_password/version'
+require 'strong_password/nist_bonus_bits'
+require 'strong_password/entropy_calculator'
+require 'strong_password/strength_checker'
+require 'strong_password/password_variants'
+require 'strong_password/dictionary_adjuster'
+require 'strong_password/qwerty_adjuster'
+require 'active_model/validations/password_strength_validator' if defined?(ActiveModel)
+
+module StrongPassword
+end
+
+I18n.load_path << File.dirname(__FILE__) + '/strong_password/locale/en.yml' if defined?(I18n)

data/spec/spec_helper.rb

@@ -0,0 +1,8 @@
+require 'bundler/setup'
+require 'strong_password'
+require 'active_model'
+
+RSpec.configure do |config|
+  config.expect_with(:rspec) {|c| c.syntax = :expect}
+  config.order = :random
+end

data/spec/strong_password/dictionary_adjuster_spec.rb

@@ -0,0 +1,66 @@
+require 'spec_helper'
+
+module StrongPassword
+  describe DictionaryAdjuster do
+    describe '#is_strong?' do
+      let(:subject) { DictionaryAdjuster.new('password') }
+
+      it 'returns true if the calculated entropy is >= the minimum' do
+        subject.stub(adjusted_entropy: 18)
+        expect(subject.is_strong?).to be_true
+      end
+      
+      it 'returns false if the calculated entropy is < the minimum' do
+        subject.stub(adjusted_entropy: 17)
+        expect(subject.is_strong?).to be_false
+      end
+    end
+    
+    describe '#is_weak?' do
+      let(:subject) { DictionaryAdjuster.new('password') }
+
+      it 'returns the opposite of is_strong?' do
+        subject.stub(is_strong?: true)
+        expect(subject.is_weak?).to be_false
+      end
+    end
+    
+    describe '#adjusted_entropy' do
+      before(:each) { NistBonusBits.stub(bonus_bits: 0)}
+      
+      it 'checks against all variants of a given password' do
+        password = 'password'
+        adjuster = DictionaryAdjuster.new(password)
+        PasswordVariants.should_receive(:all_variants).with(password).and_return([])
+        adjuster.adjusted_entropy
+      end
+      
+      {
+        'bnm,./' => 14, # Qwerty string should not get adjusted by dictionary adjuster
+        'h#e0zbPas' => 19.5, # Random string should not get adjusted by dictionary adjuster
+        'password' => 4, # Adjusts common dictionary words
+        'E_!3password' => 11.5, # Adjusts common dictionary words regardless of placement
+        'h#e0zbPas 32e2i81 password' => 31.3125, # Even if there are multiple words
+        '123456' => 4, # Even if they are also qwerty strings
+        'password123456' => 16 # But only drops the first matched word
+      }.each do |password, bits|
+        it "returns #{bits} for '#{password}'" do
+          expect(DictionaryAdjuster.new(password).adjusted_entropy).to eq(bits)
+        end
+      end
+      
+      it 'allows extra words to be provided as an array' do
+        password = 'mcmanus'
+        base_entropy = EntropyCalculator.calculate(password)
+        expect(DictionaryAdjuster.new(password).adjusted_entropy(extra_dictionary_words: ['mcmanus'])).not_to eq(base_entropy)
+      end
+      
+      it 'allows minimum word length to be adjusted' do
+        password = '6969'
+        base_entropy = DictionaryAdjuster.new(password).adjusted_entropy
+        # If we increase the min_word_length above the length of the password we should get a higher entropy
+        expect(DictionaryAdjuster.new(password).adjusted_entropy(min_word_length: 6)).not_to be < base_entropy
+      end
+    end
+  end
+end

data/spec/strong_password/entropy_calculator_spec.rb

@@ -0,0 +1,65 @@
+require 'spec_helper'
+
+module StrongPassword
+  describe EntropyCalculator do
+    describe '.bits' do
+      before(:each) { NistBonusBits.stub(bonus_bits: 0) }
+      {
+        '' => 0,
+        '*' => 4,
+        '**' => 6,
+        '***' => 8,
+        '****' => 10,
+        '*****' => 12,
+        '******' => 14,
+        '*******' => 16,
+        '********' => 18,
+        '*********' => 19.5,
+        '**********' => 21,
+        '***********' => 22.5,
+        '************' => 24,
+        '*************' => 25.5,
+        '**************' => 27,
+        '***************' => 28.5,
+        '****************' => 30,
+        '*****************' => 31.5,
+        '******************' => 33,
+        '*******************' => 34.5,
+        '********************' => 36,
+        '*********************' => 37,
+        '**********************' => 38,
+        '***********************' => 39,
+        '************************' => 40
+      }.each do |password, bits|
+        it "returns #{bits} for #{password.length} characters" do
+          expect(subject.bits(password)).to eq(bits)
+        end
+      end
+    end
+    
+    describe '.bits_with_repeats_weakened' do
+      before(:each) { NistBonusBits.stub(bonus_bits: 0) }
+      {
+        '' => 0,
+        '*' => 4,
+        '**' => 5.5,
+        '***' => 6.625,
+        '****' => 7.46875,
+        '****a' => 9.46875,
+        '********' => 9.1990966796875
+      }.each do |password, bits|
+        it "returns #{bits} for #{password.length} characters" do
+          expect(subject.bits_with_repeats_weakened(password)).to eq(bits)
+        end
+      end
+      
+      it 'returns the same value for repeated calls on a password' do
+        password = 'password'
+        initial_value = subject.bits_with_repeats_weakened(password)
+        5.times do
+          expect(subject.bits_with_repeats_weakened(password)).to eq(initial_value)
+        end
+      end
+    end
+  end
+end

data/spec/strong_password/nist_bonus_bits_spec.rb

@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+module StrongPassword
+  describe NistBonusBits do
+    describe '.bonus_bits' do
+      it 'calculates the bonus bits the first time for a given password' do
+        NistBonusBits.reset_bonus_cache!
+        NistBonusBits.should_receive(:calculate_bonus_bits_for).and_return(1)
+        expect(NistBonusBits.bonus_bits('password')).to eq(1)
+      end
+      
+      it 'caches the bonus bits for a password for later use' do
+        NistBonusBits.reset_bonus_cache!
+        NistBonusBits.stub(calculate_bonus_bits_for: 1)
+        NistBonusBits.bonus_bits('password')
+        NistBonusBits.should_not_receive(:calculate_bonus_bits_for)
+        expect(NistBonusBits.bonus_bits('password')).to eq(1)
+      end
+    end
+    
+    describe '.calculate_bonus_bits_for' do
+	    {
+	      'Ab$9' => 4,
+	      'Ab $9' => 6,
+	      'A b $ 9' => 7,
+	      'Ab$' => 3,
+	      'Ab $' => 5,
+	      'A b $ c d' => 6,
+	      '1!' => -4,
+	      '1 !' => -2,
+	      '1 ! 2 # 3 $' => -1,
+	      '123' => -8,
+	      '1 23' => -6,
+	      '1 2 3 4 5 6' => -5,
+	      'blah' => -2,
+	      'blah blah' => 0,
+	      'blah blah blah blah' => 1
+	    }.each do |password, bonus_bits|
+	      it "returns #{bonus_bits} for '#{password}'" do
+	        expect(NistBonusBits.calculate_bonus_bits_for(password)).to eq(bonus_bits)
+        end
+      end
+    end
+  end
+end

data/spec/strong_password/password_variants_spec.rb

@@ -0,0 +1,67 @@
+require 'spec_helper'
+
+module StrongPassword
+  describe PasswordVariants do
+    describe '.all_variants' do
+      it 'includes the lowercase password' do
+        expect(subject.all_variants("PASSWORD")).to include('password')
+      end
+      
+      it 'includes keyboard shift variants' do
+        subject.stub(keyboard_shift_variants: ['foo', 'bar'])
+        expect(subject.all_variants("password")).to include('foo', 'bar')
+      end
+      
+      it 'includes leet speak variants' do
+        subject.stub(leet_speak_variants: ['foo', 'bar'])
+        expect(subject.all_variants("password")).to include('foo', 'bar')
+      end
+      
+      it 'does not mutate the password' do
+        password = 'PASSWORD'
+        subject.all_variants(password)
+        expect(password).to eq('PASSWORD')
+      end
+    end
+    
+    describe '.keyboard_shift_variants' do
+      it 'returns no variants if password includes only bottom row characters' do
+        expect(subject.keyboard_shift_variants('zxcvbnm,./')).to eq([])
+      end
+      
+      it 'maps down-right passwords' do
+        expect(subject.keyboard_shift_variants('qwerty')).to include('asdfgh')
+      end
+      
+      it 'includes reversed down-right password' do
+        expect(subject.keyboard_shift_variants('qwerty')).to include('hgfdsa')
+      end
+      
+      it 'maps down-left passwords' do
+        expect(subject.keyboard_shift_variants('sdfghj')).to include('zxcvbn')
+      end
+      
+      it 'maps reversed down-left passwords' do
+        expect(subject.keyboard_shift_variants('sdfghj')).to include('nbvcxz')
+      end
+    end
+    
+    describe '.leet_speak_variants' do
+      it 'returns no variants if the password includes no leet speak' do
+        expect(subject.leet_speak_variants('password')).to eq([])
+      end
+      
+      it 'returns standard leet speak variants' do
+        expect(subject.leet_speak_variants('p4ssw0rd')).to include('password')
+      end
+      
+      it 'returns reversed standard leet speak variants' do
+        expect(subject.leet_speak_variants('p4ssw0rd')).to include('drowssap')
+      end
+      
+      it 'returns both i and l variants when given a 1' do
+        expect(subject.leet_speak_variants('h1b0b')).to include('hibob', 'hlbob')
+      end
+    end
+  end
+end

data/spec/strong_password/qwerty_adjuster_spec.rb

@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+module StrongPassword
+  describe QwertyAdjuster do
+    describe '#is_strong?' do
+      let(:subject) { QwertyAdjuster.new('password') }
+
+      it 'returns true if the calculated entropy is >= the minimum' do
+        subject.stub(adjusted_entropy: 18)
+        expect(subject.is_strong?).to be_true
+      end
+      
+      it 'returns false if the calculated entropy is < the minimum' do
+        subject.stub(adjusted_entropy: 17)
+        expect(subject.is_strong?).to be_false
+      end
+    end
+    
+    describe '#is_weak?' do
+      let(:subject) { QwertyAdjuster.new('password') }
+
+      it 'returns the opposite of is_strong?' do
+        subject.stub(is_strong?: true)
+        expect(subject.is_weak?).to be_false
+      end
+    end
+    
+    describe '#adjusted_entropy' do
+      before(:each) { NistBonusBits.stub(bonus_bits: 0)}
+      {
+        'qwertyuio' => 5.5,
+        '1234567' => 6,
+        'lkjhgfd' => 6,
+        '0987654321' => 5.5,
+        'zxcvbnm' => 6,
+        '/.,mnbvcx' => 5.5,
+        'password' => 17.5 # Ensure that we don't qwerty-adjust 'password'
+      }.each do |password, bits|
+        it "returns #{bits} for '#{password}'" do
+          expect(QwertyAdjuster.new(password).adjusted_entropy).to eq(bits)
+        end
+      end
+    end
+  end
+end

data/spec/strong_password/strength_checker_spec.rb

@@ -0,0 +1,64 @@
+require 'spec_helper'
+
+module StrongPassword
+  describe StrengthChecker do
+    context 'with lowered entropy requirement and no dictionary checking' do
+      {
+        'blahblah' => true,
+        'password' => true,
+        'wwwwwwww' => false,
+        'adamruge' => true,
+        'aB$1' => false
+      }.each do |password, strength|
+        it "is_strong? returns #{strength} for '#{password}' with 12 bits of entropy" do
+          expect(StrengthChecker.new(password).is_strong?(min_entropy: 12)).to be(strength)
+        end
+      end
+    end
+    
+    context 'with lowered entropy requirement and dictionary checking' do
+      {
+        'blahblah' => true,
+        'password' => false,
+        'wwwwwwww' => false,
+        'adamruge' => true,
+        'aB$1' => false
+      }.each do |password, strength|
+        it "is_strong? returns #{strength} for '#{password}' with 12 bits of entropy" do
+          expect(StrengthChecker.new(password).is_strong?(min_entropy: 12, use_dictionary: true)).to be(strength)
+        end
+      end
+    end
+    
+    context 'with standard entropy requirement and dictionary checking' do
+      {
+        'blahblah' => false,
+        'password' => false,
+        'wwwwwwww' => false,
+        'adamruge' => false,
+        'aB$1' => false,
+        'correct horse battery staple' => true
+      }.each do |password, strength|
+        it "is_strong? returns #{strength} for '#{password}' with standard bits of entropy" do
+          expect(StrengthChecker.new(password).is_strong?(use_dictionary: true)).to be(strength)
+        end
+      end
+    end
+    
+    context 'with crazy entropy requirement and dictionary checking' do
+      {
+        'blahblah' => false,
+        'password' => false,
+        'wwwwwwww' => false,
+        'adamruge' => false,
+        'aB$1' => false,
+        'correct horse battery staple' => false,
+        'c0rr#ct h0rs3 Batt$ry st@pl3 is Gr34t' => true
+      }.each do |password, strength|
+        it "is_strong? returns #{strength} for '#{password}' with standard bits of entropy" do
+          expect(StrengthChecker.new(password).is_strong?(min_entropy: 40, use_dictionary: true)).to be(strength)
+        end
+      end
+    end
+  end
+end