This crate was inspired by the CHBS Password Strength Checker, which itself was inspired by the go-password-validator. The difference to CHBS is that this crate is focussed on performance and minimal required memory allocation.
Many password checkers are wrong. It should not matter if a password must contain at least one upper, lower, digit and special character if it is long enough. What matters is the entropy of the password. The entropy refers to the number of brute-force guesses an attacker needs to crack the password. This will be measured in bits (the exponent n
in 2^n
). You can read more about it here: How To Correctly Validate Passwords.
To calculate the entropy, the CHBS Password Strength Checker and therefore this crate are removing palindromes, repeating characters and common sequences from the password before calculating the passwords entropy. All of these actions are only shrinking the size of the password. Therefore no additional memory is needed than exactly one local copy of the password. Everything is done in-place. If zeroing the local copy of the password is necessary, after the calculation is done, activate the feature zeroize
.
How to use:
use pw_entropy::PasswordInfo;
let password = "ThisIsASecret";
let entropy = PasswordInfo::for_password(password).get_entropy();
println!("Bits: {}", entropy);
>>> Bits: 74.1057163358342
The entropy of a password is calculated by log_2(base ^ length)
, where base
is the amount of characters the password could contain.
The base is a sum of the following groups, if the password contains at least one character of the group:
- 26 lowercase letters
- 26 uppercase letters
- 10 digits
- 5 replacement characters (
!@$&*
) - 5 separator characters (
_-.,
) - 22 other special characters (
"#%'()+/:;<=>?[\]^{|}~
)
Repeating characters like aaaaaaaaa
will only count as one a
. and the following common sequences will be entirely removed:
asdf
jkl;
;lkj
fdsa
asdfghjkl
asdf ;lkj
0123456789
qwertyuiop
qwerty
zxcvbnm
abcdefghijklmnopqrstuvwxyz
password1
password!
password
Password
assword
picture1
Picture1
picture
Picture
asdf
rty567
senha
abc123
Million2
000000
1234
iloveyou
aaron431
qqww1122
123123
If the password is a palindrome like Lagerregal
or abcdcba
the password will be cut in half.
For example: The password Password?
contains at least one character of the categories uppercase (26), lowercase (26) and digit (10). This sums up to a base of 26+26+10 = 62
and the length of the password is 9
. The entropy of the password would normally be log_2(62 ^ 9) = 53.587766793481876 bits
. But since Password
is a common sequence, the sequence will be removed (only the question mark is left), so the actual entropy this crates calculates is only log_2(22 ^ 1) = 4.459431618637297 bits
.
That depends. Take a look at this graphic to create an overview for yourself.