Password Meter

For those of you who might have missed my previous entry and the history behind passwordmeter.com, feel free to read about it here. For the rest of you, you’ll be happy to know that I finally got around to adjusting the algorithms in the Password Meter script. My original update was to be a single HTML page with the JavaScript, CSS and even the images embedded. This would have made it really easy to download and deploy in virtually any environment. However, due to a lack of support for base64-encoded inline images in earlier versions of Internet Explorer, I was forced to include a separate directory for images. Since I had to create a separate directory for images, I opted to extract the JavaScript and CSS code as well, and place each into its own respective directory. So the final download is actually a zip file that contains the main page and all supporting scripts, images and stylesheets, plus a copy of the GPL license.

In addition to generally cleaning up the code a bit and adding penalties for repeat symbols, the main update to the script was done to alter the method used to calculate deductions for repeat characters. This has been an issue since version 1.03 was deployed and was never addressed until now. I originally used an exponential formula to penalize users for adding the same character more than once to their password. As the number of identical characters increased, the penalty became more and more severe – to the point where users would end up with a score of zero, despite having a reasonably difficult password. I realized the flaw shortly after I deployed it but never got around to fixing it due to other projects getting in the way.

In the latest version, repeat characters are still penalized, but the formula is now based on proximity to other identical characters, where a greater distance means a smaller deduction. I also accounted for the total number of unique characters and weighed that number into the calculation as well. So if you have a 12-character password that consists entirely of unique alphanumerics and symbols, then add a string of 14 “x”s to the end, the deduction for the repeat characters is significantly reduced. Since the password meter utility runs entirely on the client side, I’m still limited to the tools that JavaScript can provide, so it’s still not quite as accurate as I’d like it to be. But this new version should be a lot more accurate than the previous releases in terms of applied penalties and total score calculation.
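The two penalty styles described above, as an added example that is not the Password Meter code. Both formulas are assumptions constructed to show the effect the post describes: an exponential repeat penalty that zeroes out a long, varied password, versus a proximity-based penalty that is scaled by the number of unique characters so the same run of repeats costs less when the rest of the password is varied.

```javascript
// Added example, not the Password Meter project's own code. Both penalty
// formulas are illustrative assumptions, not the formulas the project uses.

// Illustrative "old style" penalty: doubles with every extra occurrence of
// the same character, so a run of 14 identical characters alone costs 2^13.
function exponentialRepeatPenalty(password) {
  const counts = new Map();
  for (const ch of password) counts.set(ch, (counts.get(ch) || 0) + 1);
  let penalty = 0;
  for (const n of counts.values()) {
    if (n > 1) penalty += Math.pow(2, n - 1); // assumed curve
  }
  return penalty;
}

// Illustrative "new style" penalty: each repeated character is charged
// 1/distance from its previous occurrence (adjacent repeats cost the most,
// widely separated ones very little), and the total is then divided by the
// number of unique characters in the password.
function proximityRepeatPenalty(password) {
  const chars = Array.from(password); // iterate by code point, like Set does
  const lastSeen = new Map();
  let raw = 0;
  for (let i = 0; i < chars.length; i++) {
    const ch = chars[i];
    if (lastSeen.has(ch)) raw += 1 / (i - lastSeen.get(ch));
    lastSeen.set(ch, i);
  }
  const unique = new Set(chars).size;
  return unique === 0 ? 0 : raw / unique;
}

// Toy score: 4 points per character minus the chosen penalty, clamped to
// 0..100. Only the penalty term matters for this comparison.
function strengthScore(password, penaltyFn) {
  const base = 4 * password.length;
  return Math.max(0, Math.min(100, Math.round(base - penaltyFn(password))));
}

// Constructed inputs: 12 unique alphanumerics and symbols, then the same
// string with 14 "x"s appended, as in the post's example.
const VARIED = "aB3$dE6%gH9&";
const VARIED_PLUS_RUN = VARIED + "x".repeat(14);

console.log(strengthScore(VARIED_PLUS_RUN, exponentialRepeatPenalty)); // 0
console.log(strengthScore(VARIED_PLUS_RUN, proximityRepeatPenalty));   // 100
```

With the exponential curve the 14 trailing "x"s cost 8192 points and the 26-character password scores zero; with the proximity formula the same run costs 13 raw points, divided by the 13 unique characters, so the score is barely affected. The proximity term also distinguishes "aabb" (adjacent repeats, penalty 1) from "abab" (spread-out repeats, penalty 0.5).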

I am planning to rebuild the passwordmeter.com site some time in the next week or so. Nothing major is planned, but I need to revamp it a bit to support the new code base as well as the ability to add new blog entries that are specific to the password meter code. The download link will also be changed so that it points back to the software repository here at Meta Beta Geek. In the meantime, while you’re waiting for the passwordmeter.com site to be updated, you can download the code directly: just select the “MBG PWDMeter Package” from the software list. Please let me know if you notice any glaring bugs or issues with the new 2.0 release.

UPDATE:

The scripts and links at passwordmeter.com have now been updated.

Cheers,

Jeff @ Meta Beta Geek

  1. kevin says:

    Thanks, Jeff.

    Also, this is conflicting with the jQuery library. Any plans to make this into a jQuery plug-in? That would be great.

    - Kevin.

  2. Jeff says:

    Kevin,

    You should be able to fix the jQuery conflict pretty easily by replacing all single $ instances with a $$, within the Password Meter code. That should fix your conflicts. Also, you might try searching jQuery’s web site for a similar plug-in. It might save you some time rather than altering my code. Unfortunately, my free time isn’t what it used to be, so updates are a bit on the slow side. :)

    The current Password Meter code could definitely still use some tweaking (especially the scoring algorithm) and eventually, I’d like to build a similar tool using entropy rather than rely on the traditional password formulation requirements currently used in the industry. But it will probably be awhile before that happens. Password Meter was a mini-project that I quite literally wrote on a Saturday afternoon but based on a lot of the comments, I think some folks forgot to read the disclaimer at the bottom of the page. ;)

  3. Magomed says:

    Hello! Can I use The Password Meter on our website?
    I would like to translate the interface into Russian; the rest I will leave as is, and I will put a link to your site http://www.passwordmeter.com.
    Thank you in advance for your reply.

  4. Jeff says:

    Magomed,

    The source code for Password Meter is open source and available for use under GNU General Public License.

  5. Stefaniu Criste says:

    Hello

    thanks for your software.
    Translated into Romanian for our own site.

  6. Bret W says:

    I’d suggest just one add-on to your Password Meter (which I really like, BTW):

    Enter not only the password to test, but ask the user questions like:
    How many places have you used this password?

    I’d actually suggest breaking it into large and small sites. Sites like Yahoo, Chase, etc, are pretty unlikely to scalp your password and try to hack with it, but tiny sites might. So, your score should get smaller and smaller the more the password is reused. I’d expect a few points off for each large site, and large points off for small sites.

    The risk is different – small sites are easier to hack, but generally don’t get hacked. The greater risk is you will give your password to an unscrupulous site (porn or “warez” being the worst). That site can then try your password on other larger (or related) sites.

    The large sites have little hacking risk, but not 0. Since they are big, they are likely to be attacked, but unlikely to succeed. But, when an attack succeeds, they could then use the password across multiple large sites very quickly and do major damage.

    Just thought you might find the idea interesting.

    -Bret

  7. Tom says:

    Does your passwordmeter software complete the evaluation of a potential password on the local PC or do the computations take place at meta beta geek? I surely wouldn’t want to “transmit” my passwords over the web!

    Regards
    Tom Brennom

  8. Jeff says:

    Tom,

    I understand your concern. Rest assured that all password evaluations occur on the client end using Javascript. At no time is the password transmitted anywhere beyond your local machine.