
Password validation done better

@tags=coding, security

One of the most annoying user experiences is registering somewhere and trying to create a password that passes a bunch of validation rules, such as: must contain an uppercase letter, a lowercase letter, a special character, and so on.

This doesn't always create the strongest password, and more importantly it doesn't create the most memorable password.

Passphrases are far more secure and memorable, but sadly they won't pass password validation rules unless you sprinkle on some extra characters that you then also have to remember.

XKCD does a good job demonstrating their strength: (image: xkcd-passphrases.png)

Users should have the option of constructing a password however they like, as long as it is strong.

If your password is just lowercase letters, then its strength is 26^numberOfCharacters (because there are 26 letters in the alphabet, so if your password is 4 letters long there are 26 × 26 × 26 × 26 possible combinations).

Throw in some upper case characters, and it is 52^numCharacters.

Numbers as well: 62^numCharacters.

etc, etc.

The important thing is that even if you only use lowercase letters, the exponent dominates, and the exponent is the number of characters you type.

So with all this in mind, here is a validator function that will measure your password strength and give you some suggestions on how to make it stronger if it is too weak.


```javascript
const validatePassword = (value) => {
  value = String(value);
  const containsAnUppercaseLetter = /[A-Z]/.test(value);
  const containsALowercaseLetter = /[a-z]/.test(value);
  const containsANumber = /\d/.test(value);
  const containsASpecialCharacter = /[^a-zA-Z\d]/.test(value);
  // Size of the alphabet the password appears to draw from (32 for symbols is an estimate)
  const numberOfPossibleCharacters =
    (containsAnUppercaseLetter ? 26 : 0) +
    (containsALowercaseLetter ? 26 : 0) +
    (containsANumber ? 10 : 0) +
    (containsASpecialCharacter ? 32 : 0);
  // Number of possible passwords of this length over that alphabet
  const strength = numberOfPossibleCharacters ** value.length;
  // Returns true when strong enough, otherwise a message explaining how to improve it
  return strength > 1e13 ||
    "Your password is not strong enough. You can add more characters, numbers, and symbols to make it stronger.";
};
```
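The validator above returns a single generic message. The following is an added example, not the post's own code, that keeps the same four-class keyspace model and the same 1e13 cut-off but measures strength in bits (length × log2(alphabet size)) so it can tell the user exactly how many more characters they need, or what each missing character class would buy. The names `CLASSES`, `characterSpace`, `strengthBits`, `suggestions`, `validatePassword` and `passwordRule` are my own, and the sample inputs are constructed. One caveat worth keeping in mind: this model treats every character as independently random, so a passphrase made of dictionary words scores higher here than its real guessability, and the symbol regex counts spaces as symbols.

```javascript
// Added example (not the post's own validator): the same four-class keyspace
// model, measured in bits and turned into concrete suggestions.
// The class sizes and the 1e13 cut-off are the post's; everything else is mine.

const CLASSES = [
  { name: "lowercase letters", size: 26, re: /[a-z]/ },
  { name: "uppercase letters", size: 26, re: /[A-Z]/ },
  { name: "digits", size: 10, re: /\d/ },
  // Anything else, including spaces, counts as a symbol, exactly as in the post's regex.
  { name: "symbols", size: 32, re: /[^a-zA-Z\d]/ },
];

// The post's threshold `strength > 1e13`, expressed in bits: log2(1e13) ~= 43.19.
const MIN_BITS = Math.log2(1e13);

// Size of the alphabet the password appears to be drawn from.
function characterSpace(value) {
  const s = String(value);
  return CLASSES.reduce((sum, c) => sum + (c.re.test(s) ? c.size : 0), 0);
}

// log2(space ** length) == length * log2(space). Working in bits keeps the
// number readable and cannot overflow to Infinity on very long input.
function strengthBits(value) {
  const s = String(value);
  const space = characterSpace(s);
  return space === 0 ? 0 : s.length * Math.log2(space);
}

// Concrete advice: how many more characters would reach the threshold as-is,
// and what swapping one character for each missing class would buy.
function suggestions(value, minBits = MIN_BITS) {
  const s = String(value);
  const bits = strengthBits(s);
  if (bits > minBits) return [];
  if (s.length === 0) return ["Enter a password."];
  const space = characterSpace(s);
  const out = [];
  const extra = Math.ceil((minBits - bits) / Math.log2(space));
  out.push(`Add ${extra} more character${extra === 1 ? "" : "s"} of the kinds you already use.`);
  for (const c of CLASSES) {
    if (!c.re.test(s)) {
      // Same length, one character replaced by a member of the missing class.
      const withClass = s.length * Math.log2(space + c.size);
      out.push(`Using ${c.name} would raise it from ${bits.toFixed(1)} to ${withClass.toFixed(1)} bits.`);
    }
  }
  return out;
}

function validatePassword(value, minBits = MIN_BITS) {
  const bits = strengthBits(value);
  return { ok: bits > minBits, bits, suggestions: suggestions(value, minBits) };
}

// Same contract as the post's rule: `true` when acceptable, otherwise a message.
function passwordRule(value) {
  const { ok, suggestions: tips } = validatePassword(value);
  return ok || `Your password is not strong enough. ${tips.join(" ")}`;
}

// Constructed sample inputs: a long lowercase passphrase clears the post's
// cut-off while a short mixed-class password does not.
for (const sample of ["abc", "P@ss1", "correcthorsebatterystaple"]) {
  console.log(JSON.stringify(sample), validatePassword(sample));
}
```

Running it shows the point of the post in numbers: "P@ss1" uses all four classes but only reaches about 32.8 bits, while the 25-letter lowercase passphrase reaches about 117.5 bits, because length multiplies the exponent and a new character class only nudges the base.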