Wednesday, February 28, 2007

Password strength meter

You hate the MSN butterfly logo, right? Me too. So like the rest of the JFKBits readers and this author, you avoid anything that ever says MSN. That's fine, I think we're better for not knowing about "Shoe Trends for Spring" and "5 ways to see if you have found your other half", at least MSN-style.

But until just now, when I went to sign up for a Windows Live webcast, where they use the same account creation mechanism as for MSN, I didn't know about a cool feature in the account setup page.

As you type your chosen account password, JavaScript code on the page calculates the password strength and shows a 3-level, color-coded bar graph (weak, medium, strong).

Type...

Type...

Type. Done, strong password.


Of course, we don't know how good their algorithm is for determining strength, but if it's deficient somehow, that can be improved. For the instant feedback and simple visuals, I think this idea is a winner.

1 comment:

Anonymous said...

By using Firefox to view the JavaScript applying to the current page and doing some searching through the code for the strength meter, I found the code to be located at: https://account.live.com/JS/pswdplc.js?amx=11.0.7011.1

The important stuff is:
function ClientSideStrongPassword(a)
{
    Init();
    return IsLongEnough(a, "7") && SpansEnoughCharacterSets(a, "3") && !IsCloseVariationOfAWordInDictionary(a, "0.6", gSimilarityMap, gDictionary);
}

function ClientSideMediumPassword(a)
{
    Init();
    return IsLongEnough(a, "7") && SpansEnoughCharacterSets(a, "2") && !FoundInDictionary(a, gSimilarityMap, gDictionary);
}

function ClientSideWeakPassword(a)
{
    return IsLongEnough(a, "6") || !IsLongEnough(a, "0");
}
---------------------
And if you look at the .js file you'll see there's a rather long dictionary defined... almost 18kb of it! And it also checks for similar characters such as (3, e) and ($, s). So I'd conclude that it's quite good indeed.
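
The tiered check quoted in the comment above, sketched as an added example that is not part of the original post, the comment, or the Live sign-up script. The helper names, the sample dictionary, the look-alike pairs beyond (3, e) and ($, s), the edit-distance reading of the 0.6 threshold, and evaluating the tiers strongest-first are all assumptions.

```javascript
// Added example: all names and data below are assumptions, not the contents of pswdplc.js.
// DICTIONARY is a constructed sample; only (3,e) and ($,s) in LOOKALIKES come from the comment.
const DICTIONARY = ["password", "welcome", "monkey", "dragon"];
const LOOKALIKES = { "3": "e", "$": "s", "0": "o", "1": "l", "@": "a" };

// Map look-alike characters back to letters so "Pa$$w0rd" compares as "password".
function normalize(pw) {
  return [...pw.toLowerCase()].map(c => LOOKALIKES[c] || c).join("");
}

// Count how many of four classes (lower, upper, digit, symbol) the password uses.
function characterSets(pw) {
  return [/[a-z]/, /[A-Z]/, /[0-9]/, /[^a-zA-Z0-9]/].filter(re => re.test(pw)).length;
}

// Levenshtein distance using a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0]; // value diagonally up-left of the cell being filled
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = tmp;
    }
  }
  return row[b.length];
}

// "Close variation": normalized similarity (1 = identical) meets the threshold.
function closeToDictionaryWord(pw, threshold) {
  const n = normalize(pw);
  return DICTIONARY.some(w => 1 - editDistance(n, w) / Math.max(n.length, w.length) >= threshold);
}

function inDictionary(pw) {
  return DICTIONARY.includes(normalize(pw));
}

// Same conditions as the quoted strong and medium functions; everything else is weak.
function passwordStrength(pw) {
  if (pw.length >= 7 && characterSets(pw) >= 3 && !closeToDictionaryWord(pw, 0.6)) return "strong";
  if (pw.length >= 7 && characterSets(pw) >= 2 && !inDictionary(pw)) return "medium";
  return "weak";
}
```

With these assumptions, "Pa$$w0rd" spans all four character sets but still rates weak because it normalizes to a dictionary word, which is the case a length-and-character-class meter alone would miss.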