Password MeterFor those of you who might have missed my previous entry and the history behind passwordmeter.com, feel free to read about it here. For the rest of you, you’ll be happy to know that I finally got around to adjusting the algorithms in the Password Meter script. My original update was to be a single html page with javascript, css and even images embedded. This would have made it really easy to download and deploy in virtually any environment. However, due to a lack of support for base64 image conversion in earlier versions of Internet Explorer, I was forced to include a separate directory for images. Since I had to create a separate directory for images, I opted to extract the Javascript and CSS code as well, and place each into its own respective directory. So the final download is actually a zip file that contains the main page and all supporting scripts, images and stylesheets, plus a copy of the GPL license.

In addition to generally cleaning up the code a bit and adding penalties for repeat symbols, the main update to the script was done to alter the method used to calculate deductions for repeat characters. This has been an issue since version 1.03 was deployed and was never addressed until now. I originally used an exponential formula to penalize users for adding the same character more than once to their password. As the number of identical characters increased, the penalty became more and more severe – to the point where users would end up with a score of zero, despite having a reasonably difficult password. I realized the flaw shortly after I deployed it but never got around to fixing it due to other projects getting in the way.

In the latest version, repeat characters are still penalized. But the formula is now based on proximity to other identical characters where further distance means less deduction. I also accounted for the total number of unique characters and weighed that number into the calculation as well. So if you have a 12 character password that consists entirely of unique alpha-numerics and symbols, then add a string of 14 “x”s to the end, the deduction penalty for the repeat characters is significantly reduced. Being that the password meter utility is run entirely on the client side, I’m still limited to the tools that Javascript can provide, so it’s still not quite as accurate as I’d like it to be. But this new version should be a lot more accurate than the previous releases in terms of applied penalties and total score calculation.

I am planning to rebuild the passwordmeter.com site some time in the next week or so. Nothing major is planned but I need to revamp it a bit to support the new code base as well as the ability to add new blog entries that are specific to the password meter code. The download link will also be changed so that it points back to the software repository here at Meta Beta Geek. In the mean time, while you’re waiting for the passwordmeter.com site to be updated, you can download the code directly. For downloading, just select the “MBG PWDMeter Package” from the software list. Please let me know if you notice any glaring bugs or issues with the new 2.0 release.

UPDATE:

The scripts and links at passwordmeter.com have now been updated.

Cheers,

Jeff @ Meta Beta Geek

  1. [...] Password Meter version 2.0 is now available for demo or download. [...]

  2. Ali says:

    Download link have been sent by E-mail is not working!

  3. Peter says:

    I tried downloading the code from http://metabetageek.com/software/. I was emailed http://metabetageek.com/lib/downloads/?uid=9668f47babf354c11f09d8fd376f3d20 but when i go there i just get redirected back to http://metabetageek.com/software/. Help?

  4. Jeff says:

    Ali,

    I just checked the code that sends the download emails. I use Firefox as my primary browser and it seems to work fine. But I also checked in Internet Explorer and it appears that IE doesn’t automatically start the download. If you paste the link directly in IE then it will work. I will try and update the code to include the direct link in the email as well as a quick-click link (Download this package now) for Firefox users.

  5. Jeff says:

    Peter,

    The download links are only good for 24 hours so if you attempt to download it after that time you will be redirected to the software form again. You should be able to re-submit the form again and a new link will be created.

  6. Kerry says:

    Hi Jeff,

    Your links are not working. I just got an email sent to me, I clicked on the download link then went straight to the URL, didn’t work, had the same problem as Ali where it redirected me.

    I then filled it out again and tried the other email (both within 5 minutes or so). Didn’t work.

    I am using Firefox 3.6.3 and I also tried Google Chrome, neither worked.

  7. Jeff says:

    Hi Kerry,

    Download links are tied to the IP address that originally made the software request (ie; filled out the form). Unfortunately, this does prevent someone from forwarding links to a non-registered user. Filling out the form only takes a few seconds and helps me track the total number of unique downloads and general interest in the software. Hope this helps and thanks for your comment!

  8. Cavell says:

    Hi Jeff,

    I like you password meter but I’m also having the same problems as Kerry and Ali. I signed up in Firefox, opened the link it sent me in Firefox and it redirected me. This was all from the same computer within minutes. IP address did not change. Just curious if this has been fixed yet.

    Thanks

  9. Cavell says:

    Oops! I meant to type “your password meter” not “you password meter”

  10. Neo says:

    I’d like to know how i could download it because, as other, i can’t download it. Clicking on the link received by email automatically redirect on this page http://metabetageek.com/software/ and i can’t download nothing, i can only re-submit the form!

  11. Neo says:

    Is possible to use only bar indicator with a password field and without all others information? Because if i remove all others information it doesn’t work…

  12. 컬크팃 says:

    Jeff,

    Your links are not working. I filled out the form, I opened my e-mail, I tried the link, it did not work. It is from the same IP address, it is within minutes, nevermind 24 hours.

  13. Hey Jeff,

    GREAT site! And awesome password script.
    I’d really like to use this with my users on our Intranet. I’m afraid, however, that the email I got below a few minutes ago doesn’t work with the same browser and proxy settings I used to fill out your request form. When I go to the link the site redirects me to http://metabetageek.com/software/.
    Any hints?

  14. MikeP says:

    Hey Jeff, something still seems a bit off – FF 3.6, I just get redirected back to the register page as well, and I’m definitely using the same computer to register and attempt the download. I can help out with debugging if you like, I’ve great interest in projects like these and would love to see yours flourish. :-)

  15. amateri says:

    Friend of mine recommend me to visit your website, I found the this what I looked for . Thank you

  16. Gounlaf says:

    Hi,

    I have convert your script in PHP, because I think it can be usefull =)
    Contact me if you want to see it ^^

    Ps : like other guyrs, downloadlink doesn’t work on Firefox.

  17. Colin says:

    I’ve just tried using your software download form a half dozen times from different computers and browsers (always the same browser and computer for each individual request). None have succeeded, with the download links being redirected back to the software form. Most frustrating. Can you help me out with this?

  18. James says:

    I’m not sure if you’re still having issues with the links in the email or not, but I’m still having issues. I filled out the request form, got the email less than a minute later, clicked the link, then got redirected to the same form. Rinse, repeat, same thing.

  19. Jeff says:

    I’d like to apologize to everyone who has contacted me about the e-mail links not working correctly. Unfortunately, I’ve been quite busy with other projects and have had little time to address this issue. The links continue to work for me as well as others who have tried them but some of you are still having a problem. If you do run into an issue with the download links, please provide as much detail as possible. Knowing the specific operating sytem and web browser versions will help me to determine what the specific issue is in these cases. As always, any feedback is appreciated, so thank you all for your interest!

    Cheers,

    Jeff

  20. Pedro says:

    Hi Jeff

    The same issue from mi side, using Windows 7 Ultimate + Firefox 3.6.3, I got the email and inmediately I tried to download the software, but inmediately my browser was redirected to http://metabetageek.com/software/.

    Thinking about any kind of reaction to my NoScript addon, I enabled globaly Javascript (I still have my hair standing on end) and tried again (And even with another email address) but still the same behaviour…

    TIA for your efforts.

    Best regards,
    Pedro

  21. I filled out the online form to get the code for the password strength meter (actually twice on accident) and the links in the email just lead me back to the main page of the website (http://metabetageek.com). I can never get to the download because the links seem to be sending me to a new location (home page) instead of the download.

    OS: Windows XP Pro, Service Pack 3
    Browser: Firefox 3.6.6 and IE 7.0.5730
    Email Client: MS Outlook 2003 Professional Edition

    I’m glad I saw your post – I thought I was going crazy! Thanks!

  22. Another person who can’t download the package. I just get sent to the download form page instead. Win 7, Firefox 3.6.6.

  23. fadnis says:

    By the way i tried the links in Opera 10.50, IE 8 and FF 3.5.10 and failed to download the OS is windos xp sp2, please can you suggest me the other ways to downolad it?

  24. David says:

    Jeff,

    I’m having the same issues as those above. Tried twice with two different emails, and I keep getting redirected back to the form entry page. Clicked through less than 60 seconds after getting the email, and from the same PC (I’m on a corporate network). Tried FF 3.6 and IE 6, both with same result.

  25. Simbo says:

    I’m having the same issues like James. Opening the link in the mail redirects me to the blank download form. I’m using Firefox 3.6.8 on Ubuntu 10.04.
    You should have my email address now in your WordPress admin area. I would appreciate if you could just mail me the software, please. I’m tired of trying to download and i really need this piece of code. Thank you!

  26. Bob says:

    Jeff, I’m getting all the same problems as everyone else. I just get re-directed to the form page. Using Fire Fox 3.6.8 and IE Explorer V8.0.7600.16385. Using Windows7 Professional 32-bit

  27. Joe Querin says:

    I have tried on multiple occassions to download your password meter scripts and have not been able to. I’ve tried to paste the links from the email directly into IE 8, IE 8 with comptability mode turned on, FireFox 3.6.8, Google Chrome 5.0.375.99 and I can’t get a download to start for nothing.

    I would love to implement this in my current project but I can’t get to the download for nothing. I’ve tried multiple times to do this from our campus, maybe our firewall is causing an issue.

    Is it possible to just send the code to my email address above?

  28. Marlus Lopes says:

    i’m having the issue with the downloads.
    OS:Win7 x64
    Browsers:
    Chrome x32 5.0.375.126/6.0.493.0
    Firefox x32 3.6.8/4.0 beta 3
    IE 8 x32/x64
    IE 9 x32 Plataform Preview 4

  29. Stu says:

    I’ve tried to download this package twice, but the links I get sent just takes me back to the registration page. I’m using IE8 and Windows 7

  30. salim says:

    Hello,

    I just received the follwing download link for pwdmeter:

    http://metabetageek.com/lib/downloads/?uid=a397ad0625e303319e19a34df3b57350

    This link does not allow any download, it is redirected to the download form it just filled before.

  31. I have the same problem with downloads described by others above. I get redirected back to the download form. Running MacOS 10.6.4 and Firefox 3.6.9. Reproduced the problem with Firefox 4beta5, Safari 5.0.2, and Chrome 6.0.472.55

  32. I’m writing some consumer education pieces on passwords for Mozilla, so I’ve been reading through some of the literature on password strength. There is an argument made in some places that having a repeat character in the password increases the security a bit by making a “peek over the shoulder at the keyboard attack” somewhat harder.

    Any thoughts on this?

  33. …went back and filled out the software form again (using Firefox 3.6.9) and got a different download key. It worked this time. The previous multi-browser tests were made by pasting the original download URL into the various browsers.

  34. Will says:

    I just tried the download links from two different computers on two different networks. Both were tested with FF 3.6.9 and the most recent build of IE for Windows XP and Windows 7 (x64). All failed with the “Back to Form” redirect others have reported.

    Your software seems really interesting, and I hope to get a chance to look more closely at it.

    Thanks,
    Will

  35. Paul McGrath says:

    Hi Jeff,
    I have just completed a software download request and neither of the links worked. I clicked on them as soon as the email was delivered which was seconds after I completed the form.
    I am on Windows 7 64bit with Firefox 3.6.9. My email client is Outlook on an Exchange server. I completed the form from the same computer that I clicked the email links on so the ip address is the same.
    Paul

  36. Jeff says:

    Okay, again I’d like to apologize for the delayed support on the download issues. Coding is a spare-time project for me and due to a recent family addition, I’ve been a bit short on time and energy. I believe I’ve resolved the download issues for good now. Thanks to everyone for leaving your system specs and info. This helped tremendously in the troubleshooting process. Please let me know if you have any further difficulties obtaining any of the software here at MetaBetaGeek.

    Thanks for all your feedback,

    Jeff

  37. Jeff says:

    @Richard Milewski: The algorithms used in Password Meter are of my own making and design, based on my own experience as a developer and a systems administrator. The previous version of the script was set to penalize users based on the frequency of repeat characters only. This caused a problem because the score would drop dramatically for every repeat character, regardless of the number of unique characters. The revised edition now takes ALL of the characters into account and balances the unique point values with those of the repeat characters. So while it does discount for repeat characters in the latest version, the penalty is significantly reduced when a larger number of unique characters is present. This seemed to be the best compromise in my estimation. But I’m certainly open to other ideas or approaches on the subject. Thanks for your feedback!

  38. Jeff says:

    @Neo: The current version of Password meter is a packaged file, designed to work as a whole piece, rather than as individual parts. So this request would fall outside of the original intent and scope of this project.

    @Brett Charbeneau: Thanks for your enthusiastic feedback! Hopefully you won’t see any more issues getting the latest updates now that the download problem has been fixed.

    @MikeP: I appreciate the offer Mike. I’ve just been a bit busy with life outside of the coding world for a bit. Now that things are a little less hectic, I’m hoping to get back into development a bit more.

    @amateri: Glad I could help. Please feel free to recommend MBG software to anyone you think might benefit. It’s completely free after all, and I really like knowing that I can give back a little to the open source community.

    @Gounlaf: I’m always interested in seeing modified versions of my code so feel free to leave a link in the comments section once it’s avaialble online.

    @Colin: I’m sorry for the unnecessary frustration that you and others have experienced. I recently updated the download scripts so the problems of the past should now be fixed.

    @Carol Schanzmeyer: No, Carol, you’re not going crazy. LOL. I had an issue with random IP assignment behind the scenes that was causing issues. It should be fixed now.

    @Will: Sorry for the problems downloading. Now that the issue has been fixed I hope you get a chance to try it out as well.

    @Everyone: I’d like to thank everyone who was kind enough to leave feedback. Positive or negative, it helps me to troubleshoot and improve the end product. I hope everyone enjoys the projects here at MetaBetaGeek and I look forward to further feedback in the future.

    Cheers,

    Jeff @ MetaBetaGeek

  39. Paul McGrath says:

    Hi Jeff,
    I tried the link in yesterdays email again this morning (before 24 hours expired) and it worked. Thanks you for your patience and an excellent useful tool.
    Regards
    Paul

  40. Jeff says:

    @Paul McGrath: Glad to hear it, Paul. Let me know if you have any further questions or problems with the software.

  41. drifter says:

    Hi

    I downloaded your password meter without problems, and it rocks! I have to change it to fit into my Joomla!/Mootools site though.

    Two questions I have are:

    What does the following line do, since var nd is not referenced again it seems:

    Line 57
    if (document.all) { var nd = 0; } else { var nd = 1; }

    and also is there supposed to be two closing brackets in the following:

    Line 53
    var sSymbols = “)!@#$%^&*()”;

    I hope the code shows up else you can find it on the line numbers I included.

    thanks

    drifter

  42. Jeff says:

    @drifter: Thanks for the props! To answer your questions, line 57 is actually a line of code left over from the first version. The “nd” variable was used to define node count within the DOM. In earlier versions of IE, carriage returns were ignored but Firefox and other browsers recognized this is a text node. So traversing the DOM become problematic unless you accounted for the difference. Regarding the symbols variable… there are some additional symbols missing, yes. But my main concern was that someone might just hold down the SHIFT key and start typing across the top row of numeric keys to generate a password. So symbols like curly braces, square brackets and greater/less than symbols become less of an issue because they aren’t considered consecutive (relative to the QWERTY keyboard layout). I realize now that I should probably add the tilde, plus and minus to the list though. So thanks for the tip!

    Cheers,

    Jeff

  43. IMRAN says:

    Just downloaded your software. It rocks, I like it very much. Probably use it on my new website. Thanks.

  44. Jeff says:

    @IMRAN: Good to hear it, thanks!

  45. NMC Developer says:

    Hi,
    A big thanks for doing this! Really appreciate it.

    I’m running into a couple of JavaScript errors (as reported by Safari):
    TypeError: Result of expression ‘$(arrZeros[i])’ [null] is not an object. pwdmeter.js:325

    TypeError: Result of expression ‘$(“nLengthBonus”)’ [null] is not an object. pwdmeter.js:158

    Any idea what could be going on?
    The page I’m trying to use it on is inside an iframe.

  46. Jeff says:

    @NMC: Sorry, I guess I missed this comment when it came in. In case you’re still having difficulties with this error, I’ll fire up Safari and take a look. I’ll post back once I troubleshoot a bit more.

  47. Dave says:

    What is the purpose of the urchin tracking code in the password meter distribution? can this be removed within the GPL v3 agreement?

    I’m primarily interested in leveraging the scoring algorithms.

  48. Jeff says:

    Thanks for the comment, Dave. The urchin tracking code was only included by accident in earlier versions of the code. It should no longer be present in the latest version for download here at the site but if you download elsewhere you might find it still exists. Its presence one way or the other does not affect licensing and if you do find it within the code, please feel free to remove it since it was only used on the original passwordmeter.com for tracking metrics.

  49. kevin says:

    Hi Jeff,

    Great job on this !

    have a question: this doesn’t work, if the table “tablePwdStatus” is removed. How can we make this work without that table on the html page.

    Thanks,
    -Kevin.

  50. Jeff says:

    Thanks for the feedback, Kevin. At the moment, the html table is somewhat integral to the code as it provides the visual updates as the user types their password. I’m sure it could be removed but the code would need some re-working to avoid Javascript errors. If you look through the code for sections commented with “… set image indicators accordingly“, these are sections where the table cells get updated. You would need to keep any code that involves multipliers (for the final scoring) but the rest of the html-related code could be removed from these sections without consequence. That should leave you with the basic scoring code that could then be applied in a different manner.