A realistic password strength estimator.

Last update: Apr 30, 2022
.................................................bbb....................
.zzzzzzzzzz..xxx....xxx....cccccccc..vvv....vvv..bbb.........nnnnnnn....
.....zzzz......xxxxxx....cccc........vvv....vvv..bbbbbbbb....nnn...nnn..
...zzzz........xxxxxx....cccc..........vvvvvv....bbb....bb...nnn...nnn..
.zzzzzzzzzz..xxx....xxx....cccccccc......vv......bbbbbbbb....nnn...nnn..
........................................................................

An obj-c port of zxcvbn, a password strength estimation library, designed for iOS.

DBZxcvbn attempts to give sound password advice through pattern matching and conservative entropy calculations. It finds 10k common passwords, common American names and surnames, common English words, and common patterns like dates, repeats (aaa), sequences (abcd), and QWERTY patterns.

Check out the original JavaScript (well, CoffeeScript) or the Python port.

For full motivation, see zxcvbn: realistic password strength estimation.

Installation

Coming soon.

Use

The easiest way to use DBZxcvbn is by displaying a DBPasswordStrengthMeter in your form. Set up your UITextFieldDelegate and add a DBPasswordStrengthMeter.

See the example here: DBCreateAccountViewController.m

As the user types, you can call scorePassword: like so:

- (BOOL)textField:(UITextField *)textField shouldChangeCharactersInRange:(NSRange)range replacementString:(NSString *)string
{
    NSString *password = [textField.text stringByReplacingCharactersInRange:range withString:string];

    [self.passwordStrengthMeterView scorePassword:password];

    return YES;
}

Here is what DBPasswordStrengthMeter looks like in a form:

To use DBZxcvbn without the DBPasswordStrengthMeter view simply import DBZxcvbn.h, create a new instance of DBZxcvbn, then call passwordStrength:userInputs:.

#import <Zxcvbn/DBZxcvbn.h>

DBZxcvbn *zxcvbn = [[DBZxcvbn alloc] init];
DBResult *result = [zxcvbn passwordStrength:password userInputs:userInputs];

The DBResult includes a few properties:

result.entropy          // bits

result.crackTime        // estimation of actual crack time, in seconds.

result.crackTimeDisplay // same crack time, as a friendlier string:
                        // "instant", "6 minutes", "centuries", etc.

result.score            // [0,1,2,3,4] if crack time is less than
                        // [10**2, 10**4, 10**6, 10**8, Infinity].
                        // (useful for implementing a strength bar.)

result.matchSequence    // the list of patterns that zxcvbn based the
                        // entropy calculation on.

result.calcTime         // how long it took to calculate an answer,
                        // in milliseconds. usually only a few ms.

The optional userInputs argument is an array of strings that DBZxcvbn will add to its internal dictionary. This can be whatever list of strings you like, but is meant for user inputs from other fields of the form, like name and email. That way a password that includes the user's personal info can be heavily penalized. This list is also good for site-specific vocabulary.

Acknowledgments

Thanks to Dropbox for supporting independent projects and open source software.

A huge thanks to Dan Wheeler for the original CoffeeScript implementation. Thanks to Ryan Pearl for his Python port. I've enjoyed copying your code :)

Echoing the acknowledgments from earlier libraries...

Many thanks to Mark Burnett for releasing his 10k top passwords list:

http://xato.net/passwords/more-top-worst-passwords

and for his 2006 book, "Perfect Passwords: Selection, Protection, Authentication"

Huge thanks to Wiktionary contributors for building a frequency list of English as used in television and movies: http://en.wiktionary.org/wiki/Wiktionary:Frequency_lists

Last but not least, big thanks to xkcd :) https://xkcd.com/936/

GitHub

https://github.com/dropbox/zxcvbn-ios
Comments
  • 1. Added Singleton Object to load generated Data

    This adds the singleton object so memory doesn't grow to huge amounts. Look at what functions I moved into the new object so see if any are not needed in the standard DBMatcher Ojbect

    Reviewed by jessemx109 at 2014-09-25 02:31
  • 2. It gets very slow for some password lengths

    For password testScorePassword123 it takes 0.5 sec to compute the score, which is A LOT!

    It looks like there is some high complexity algorithm, cause time grows exponentially after some length.

    Reviewed by duzun at 2014-09-18 03:31
  • 3. Unintuitive import syntax when using as dynamic framework

    Because of the - character in this cocoapod's name, the generated framework is named zxcvbn_ios. The required import to use this pod is then:

    #import <zxcvbn_ios/DBZxcvbn.h>
    

    Would be nice if this were documented somewhere (or if the name matched convention: <zxcvbn/zxcvbn.h>).

    Reviewed by erikackermann at 2015-10-06 14:46
  • 4. Need for data for framework to work

    From what I can tell you don't need to include the data html files with the code for it to work properly. You should say these are optional in the readme so that you don't have to include 10mb of extra files in your app release to the market

    Reviewed by jessemx109 at 2014-09-25 02:34
  • 5. Wrong NSRange calculations in [DBMatcher sequenceMatch]

    Steps to reproduce:

    • run demo app (after removing the code from AppDelegate)

    • enter text in password field, select all, delete, enter text

    • eventually the app will crash:

      *** Terminating app due to uncaught exception 'NSRangeException', reason: '-[__NSCFString substringWithRange:]: Range {11, 1} out of bounds; string length 11' *** First throw call stack: CoreFoundation 0x0000000101944bbd -[__NSCFString substringWithRange:] + 125 Zxcvbn 0x0000000100009788 __26-[DBMatcher sequenceMatch]_block_invoke + 1816

    Reviewed by tagyro at 2014-05-01 13:56
  • 6. Use bundleForClass instead of mainBundle

    Getting the resource paths for adjacency_graphs.json and frequency_lists.json returns nil when zxcvbn-ios is in a framework. Replacing [NSBundle mainBundle] with [NSBundle bundleForClass:[self class]] solves this problem and works for zxcvbn-ios when is in the main application or in a framework.

    This problem can easily be seen by adding zxcvbn-ios to a project via CocoaPods with the use_frameworks! option in the Podfile.

    Reviewed by Quentiu at 2016-04-27 18:12
  • 7. 1.0.2 release has incorrect version in podspec

    The podspec here: https://github.com/dropbox/zxcvbn-ios/blob/1.0.2/zxcvbn-ios.podspec still references 1.0.1. Thus, it is not possible to pull in latest changes in 1.0.2 via cocoapods.

    Reviewed by erikackermann at 2015-05-15 14:59
  • 8. Add missing [super awakeFromNib] call

    I was getting the following warning DBPasswordStrengthMeterView.m:47:1: warning: method possibly missing a [super awakeFromNib] call [-Wobjc-missing-super-calls], thus added the missing call to [super awakeFromNib].

    Reviewed by aschuch at 2017-01-16 15:29
  • 9. Add dynamic framework target

    Sorry for the rather large diff but there isn't much middle ground. The project should continue to be usable by source / CocoaPods (though someone should verify the podfile tweaks are accurate) but now also offers a dynamic framework (iOS 8+) for easy integration via Carthage. The PR reorganizes the files a bit and makes a couple fixes. Zxcvbn.xcodeproj and /Zxcvbn now only contain the primary source files and the example project has been moved to iOS Example.xcodepoj and /Example.

    In addition to file moving, two small fixes were made:

    • The JSON resources are fetched from the bundle by class rather than main bundle (mentioned in dropbox/zxcvbn-ios#16)
    • A couple of imports were missing that were previously provided via precompiled header
    Reviewed by pizthewiz at 2015-10-27 00:40
  • 10. Any chance to port this into Swift?

    I tried to bridge this into Swift but it crashes when instantiate it. What a shame. Any chance to port this project into Swift? It would be very useful.

    Reviewed by houmie at 2020-05-31 17:25
  • 11. Wrong score

    The zxcvbn-ios library does not give the proper score when compared to the original library. This is probably due to the fact that the following files are not the same as their equivalent in the original zxcvbn library:

    • adjacency_graphs.json
    • frequency_lists.json
    Reviewed by asiby at 2020-01-11 06:02
  • 12. The iOS port of the Zxcvbn library is caching values

    When using the zxcvbn-ios library and calling the scorePassword:userInputs method several times with varying user inputs, the previous values of the user input can no longer be used as strong password anymore. Their score will drop to zero ... which is an indication that they are present in the user input.

    I have a pull request that I will soon submit.

    Reviewed by asiby at 2020-01-11 05:58
  • 13. zxcvbn-ios scores password differently than zxcvbn

    Hi Leah. Thanks for porting this to iOS. I came across a potential issue:

    The password 2-UbvR, for example, is scored differently on zxvcbn-ios vs. Dropbox's online zxcvbn test.

    Dropbox's online test: screen_shot_2016-06-15_at_12_45_33_pm

    zxcvbn-ios: screen shot 2016-06-15 at 12 53 38 pm

    Any idea why the iOS version would score a password differently?

    Reviewed by dylanhand at 2016-06-15 11:05
Related tags
Native and encrypted password manager for iOS and macOS.
Native and encrypted password manager for iOS and macOS.

Open Sesame Native and encrypted password manager for iOS and macOS. What is it? OpenSesame is a free and powerful password manager that lets you mana

Jun 26, 2022
Simple command line to generate random password.

pwgen Simple command line to generate random password. ➜ Bootstrap pwgen n5aR[[email protected]@fj ➜ Bootstrap pwgen 32 f0)th54[wpX.Zf99nj

Feb 3, 2022
Private Password Manager developped with Swift for iOS project.
Private Password Manager developped with Swift for iOS project.

Private Password Manager developped with Swift for iOS project. This manager can syncronize secret data to Azure Blob Storage. To specify user account, tSecret use Azure Active Directory authentication.

Dec 3, 2021
KeePassium is a KeePass-compatible password manager for iOS
KeePassium is a KeePass-compatible password manager for iOS

KeePassium is a KeePass-compatible password manager for iOS. It offers automatic database synchronization, respect to privacy and premium user experience.

Jun 20, 2022
PassDrop is a fully-featured secure password management system, compatible with the free KeePass 1.x (Classic) and multi-platform KeePassX desktop applications.

passdrop This is a modern, updated build of Rudis Muiznieks's PassDrop application. PassDrop is a fully-featured secure password management system, co

Feb 23, 2022
Simple, secure password and data management for individuals and teams

Padloc Simple, secure password and data management for individuals and teams (formerly known as Padlock). This repo is split into multiple packages: P

Jun 20, 2022
Cybr/Secure - A simple but powerful secure password generator
Cybr/Secure - A simple but powerful secure password generator

A simple but powerful secure password generator. You get the option of password length (10 to 20 characters) and whether you include numbers, symbols, uppercase and/or lowercase letters. Simply tap the lock icon to generate a secure password and then tap to copy the password.

Feb 16, 2022
Password generator and strength tester
Password generator and strength tester

Password-Generator Password generator and strength tester Description This was a

Feb 1, 2022
A custom TextField with a switchable icon which shows or hides the password and enforce good password policies
A custom TextField with a switchable icon which shows or hides the password and enforce good password policies

PasswordTextField A custom TextField with a switchable icon which shows or hides the password and enforces good password policies, written in Swift. ⭐

Apr 26, 2022
A realistic reflective shimmer to SwiftUI Views that uses device orientation. Position any View relative to device orientation to appear as if through a window or reflected by the screen.
A realistic reflective shimmer to SwiftUI Views that uses device orientation. Position any View relative to device orientation to appear as if through a window or reflected by the screen.

A 3d rotation effect that uses Core Motion to allow SwiftUI views to appear projected in a specific direction and distance relative to the device in r

Jun 20, 2022
Provides an iOS view controller allowing a user to draw their signature with their finger in a realistic style.
Provides an iOS view controller allowing a user to draw their signature with their finger in a realistic style.

Swift version now available! Mimicking pen-on-paper signatures with a touch screen presents a difficult set of challenges. The rate touch events are e

Jun 14, 2022
The Effects Library allows developers to create sophisticated and realistic particle systems such as snow, fire, rain, confetti, fireworks, and smoke with no or minimal effort.
The Effects Library allows developers to create sophisticated and realistic particle systems such as snow, fire, rain, confetti, fireworks, and smoke with no or minimal effort.

The Effects Library allows developers to create sophisticated and realistic particle systems such as snow, fire, rain, confetti, fireworks, and smoke with no or minimal effort.

Jun 21, 2022
WifiView Pod can animate wifi signal strength
WifiView Pod can animate wifi signal strength

WifiView WifiView is animateable UIView that can significantly enhance your users’ experiences and set your app apart from the rest of the pack. It is

May 16, 2022
A CLI tool for the survey of the SSH-Key strength in your GitHub organization members.

GitHub organization SSH-keys checker A CLI tool for the survey of the SSH-Key strength in your GitHub organization members. Requirements macOS 12.0+ S

Dec 11, 2021
This widget displays a weight and a label. It can be used in the summary view for a strength assessment.
This widget displays a weight and a label. It can be used in the summary view for a strength assessment.

Strength Assessment Widget - Flutter Modern UI engineering is all about components. When we build components to be reusable, we enable faster iteratio

Feb 18, 2022
Native and encrypted password manager for iOS and macOS.
Native and encrypted password manager for iOS and macOS.

Open Sesame Native and encrypted password manager for iOS and macOS. What is it? OpenSesame is a free and powerful password manager that lets you mana

Jun 26, 2022
A panel component similar to the iOS Airpod battery panel or the Share Wi-Fi password panel.
A panel component similar to the iOS Airpod battery panel or the Share Wi-Fi password panel.

A SwiftUI panel component similar to the iOS Airpod battery panel or the Share Wi-Fi password panel.

Feb 7, 2022
Native and encrypted password manager for iOS and macOS.
Native and encrypted password manager for iOS and macOS.

Open Sesame Native and encrypted password manager for iOS and macOS. What is it? OpenSesame is a free and powerful password manager that lets you mana

Jun 26, 2022
Simple command line to generate random password.

pwgen Simple command line to generate random password. ➜ Bootstrap pwgen n5aR[[email protected]@fj ➜ Bootstrap pwgen 32 f0)th54[wpX.Zf99nj

Feb 3, 2022
Private Password Manager developped with Swift for iOS project.
Private Password Manager developped with Swift for iOS project.

Private Password Manager developped with Swift for iOS project. This manager can syncronize secret data to Azure Blob Storage. To specify user account, tSecret use Azure Active Directory authentication.

Dec 3, 2021