Back in 2012, Dan Wheeler and Dropbox released the excellent zxcvbn, a password strength estimator inspired by password crackers, under an Open Source license. Pretty well done, fast and easily added to Web sites and Web apps, we at Privowny started being very interested by zxcvbn despite of a few issues:

  • the JavaScript code is transpiled from CofeeScript, and there are too many globals and old quirks made to accomodate old browsers we're not interested in
  • it's en-US only, with keyboard definitions only for the US and word frequency lists only for the US
  • return text messages are not localized and not easily localizable
  • the transpiled JS is not easily readable nor easily extensible
So we decided to rewrite it in a more modern JS:
  1. simpler to hack, maintain, extend. We also cleaned up a few things.
  2. far easier to internationalize. We added word frequency lists and AZERTY keyboard adjacency lists for fr-FR. Adding your own language is now just a matter of building lists and adding your data to two much more readable files.
  3. the warning and suggestions returned by zcvbn can now be very easily localized in any language (default is "en" but that's trivial to change). We added L10N for french.
  4. we also integrated the fast, reliable HaveIBeenPwned Password API, as an optional extra. Troy Hunt, behind HaveIBeenPwned, just rocks! There is then a new score value of -1 indicating a leaked password.
Since the original code was OSS and to thank Dan and Dropbox for their original contribution, Privowny is now giving back its fork and is glad to release zxcvbn-pv under the very same original license on Github. Pull Requests, suggestions, comments, all highly welcome! We feel it's already usable but don't be too surprised if you still find an issue or a bug. Just let us know on GH? Thanks!