Back in 2012, Dan Wheeler and Dropbox released the excellent zxcvbn, a password strength estimator inspired by password crackers, under an Open Source license. It is well done, fast and easily added to Web sites and Web apps, so we at Privowny became very interested in zxcvbn, despite a few issues:
- it's en-US only, with keyboard definitions only for the US and word frequency lists only for the US
- return text messages are not localized and not easily localizable
- the transpiled JS is neither easily readable nor easily extensible
- simpler to hack, maintain, extend. We also cleaned up a few things.
- far easier to internationalize. We added word frequency lists and AZERTY keyboard adjacency lists for fr-FR. Adding your own language is now just a matter of building lists and adding your data to two much more readable files.
- the warnings and suggestions returned by zxcvbn can now be very easily localized in any language (default is "en" but that's trivial to change). We added L10N for French.
- we also integrated the fast, reliable HaveIBeenPwned Password API, as an optional extra. Troy Hunt, behind HaveIBeenPwned, just rocks! There is then a new score value of -1, indicating a leaked password.
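
How a leaked-password lookup can turn into the -1 score described above, shown as an added example (not code from the Privowny fork or from zxcvbn). It uses the Pwned Passwords range endpoint, where only the first five characters of the SHA-1 digest leave the client; the function names, the glue logic and the sample response body are assumptions made for illustration.

```javascript
// Added example: not code from the Privowny fork or from zxcvbn itself.
const { createHash } = require("node:crypto");

const LEAKED_SCORE = -1; // the score value the page gives a leaked password

// Only the first 5 hex characters of the SHA-1 digest are sent to the API;
// the remaining 35 are compared locally against the returned list.
function splitHash(password) {
  const hex = createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// A range response is one "SUFFIX:COUNT" entry per line. Returns the count
// for our suffix, or 0 when it is absent or is a zero-count padding entry.
function breachCount(rangeBody, suffix) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === suffix) {
      const n = Number.parseInt(count, 10);
      return Number.isFinite(n) ? n : 0;
    }
  }
  return 0;
}

// Hypothetical glue: keep the estimator's 0..4 score unless the password
// appears in the breach corpus, in which case report LEAKED_SCORE.
function scoreFromRange(estimatorScore, password, rangeBody) {
  const { suffix } = splitHash(password);
  return breachCount(rangeBody, suffix) > 0 ? LEAKED_SCORE : estimatorScore;
}

// Network side (not called here): fetch the range for a 5-character prefix.
async function fetchRange(prefix) {
  const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`);
  if (!res.ok) throw new Error(`range lookup failed: HTTP ${res.status}`);
  return res.text();
}

// Constructed response body for prefix 5BAA6; the counts are made up.
const SAMPLE_RANGE_BODY = [
  "0".repeat(34) + "1:3",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42", // suffix of SHA-1("password")
  "F".repeat(35) + ":0",                    // padding-style entry
].join("\r\n");

console.log(scoreFromRange(1, "password", SAMPLE_RANGE_BODY));
console.log(scoreFromRange(4, "a long constructed passphrase", SAMPLE_RANGE_BODY));
```

Because the check is an optional extra, a caller that cannot reach the endpoint can fall back to the estimator's own score rather than blocking the form.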