{"id":20159703,"url":"https://github.com/nowsecure/owasp-password-strength-test","last_synced_at":"2025-12-12T03:18:21.389Z","repository":{"id":14031967,"uuid":"16734196","full_name":"nowsecure/owasp-password-strength-test","owner":"nowsecure","description":"OWASP Password Strength Test for Node.js","archived":false,"fork":false,"pushed_at":"2018-08-06T13:41:23.000Z","size":271,"stargazers_count":246,"open_issues_count":11,"forks_count":57,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-08-09T12:51:38.940Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nowsecure.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-02-11T14:59:35.000Z","updated_at":"2025-05-01T03:52:07.000Z","dependencies_parsed_at":"2022-08-07T07:16:09.996Z","dependency_job_id":null,"html_url":"https://github.com/nowsecure/owasp-password-strength-test","commit_stats":null,"previous_names":["viaforensics/owasp-password-strength-test"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/nowsecure/owasp-password-strength-test","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nowsecure%2Fowasp-password-strength-test","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nowsecure%2Fowasp-password-strength-test/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nowsecure%2Fowasp-password-strength-test/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nowsecure%2Fowasp-password-strength-test/manifests","owner_url":"ht
tps://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nowsecure","download_url":"https://codeload.github.com/nowsecure/owasp-password-strength-test/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nowsecure%2Fowasp-password-strength-test/sbom","scorecard":{"id":695885,"data":{"date":"2025-08-11","repo":{"name":"github.com/nowsecure/owasp-password-strength-test","commit":"d52ec01ffee466996bcdc4e409881602dd23660a"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.2,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and 
uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Code-Review","score":1,"reason":"Found 3/30 approved changesets -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses 
fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 4 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-22T03:40:37.089Z","repository_id":14031967,"created_at":"2025-08-22T03:40:37.089Z","updated_at":"2025-08-22T03:40:37.089Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":27675392,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-12T02:00:06.775Z","response_time":129,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T00:09:36.744Z","updated_at":"2025-12-12T03:18:21.365Z","avatar_url":"https://github.com/nowsecure.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"OWASP Password Strength Test\n============================\n`owasp-password-strength-test` is a password-strength tester based off of the\n[OWASP Guidelines for enforcing secure passwords][guidelines]. 
It is\nlightweight, extensible, has no dependencies, and can be used on the server\n(nodejs) or in-browser.\n\n`owasp-password-strength-test` is not an OWASP project - it is merely based off\nof OWASP research.\n\n[![Build Status](https://travis-ci.org/nowsecure/owasp-password-strength-test.svg)](https://travis-ci.org/nowsecure/owasp-password-strength-test)\n\n\nInstalling\n----------\n### Server-side (nodejs) ###\nFrom the command line:\n\n```sh\nnpm install owasp-password-strength-test\n```\n\n### In-browser ###\nWithin your document:\n\n```html\n\u003cscript src='owasp-password-strength-test.js'\u003e\u003c/script\u003e\n```\n\nFeatures\n--------\nThis module is built upon the following beliefs:\n\n1. [Passphrases are better than passwords][xkcd].\n\n2. Passwords should be subject to stricter complexity requirements than\n   passphrases.\n\nThus, the module:\n\n- **provides for \"required\" and \"optional\" tests**. In order to be considered\n  \"strong\", a password must pass _all_ required tests, as well as a\n  configurable number of optional tests. This makes it possible to always\n  enforce certain rules (like minimum password length), while giving users\n  flexibility to honor only some of a pool of lower-priority rules.\n\n- **encourages the use of passphrases over passwords**. 
Passphrases (by\n  default) are not subject to the same complexity requirements as a password.\n  (Whereby, by default, a \"passphrase\" can be defined as \"a password whose\n  length is greater than or equal to 20 characters.\")\n\n- **can be arbitrarily extended** as-needed with additional required and\n  optional tests.\n\n\nUsage\n-----\nAfter you've included it into your project, using the module is\nstraightforward:\n\n### Server-side ###\n```javascript\n// require the module\nvar owasp = require('owasp-password-strength-test');\n\n// invoke test() to test the strength of a password\nvar result = owasp.test('correct horse battery staple');\n```\n\n### In-browser ###\n```javascript\n// in the browser, including the script will make a\n// `window.owaspPasswordStrengthTest` object available.\nvar result = owaspPasswordStrengthTest.test('correct horse battery staple');\n```\n\nThe returned value will take this shape when the password is valid:\n\n```javascript\n{\n  errors              : [],\n  failedTests         : [],\n  requiredTestErrors  : [],\n  optionalTestErrors  : [],\n  passedTests         : [ 0, 1, 2, 3, 4, 5, 6 ],\n  isPassphrase        : false,\n  strong              : true,\n  optionalTestsPassed : 4\n}\n\n```\n\n... 
and will take this shape when the password is invalid:\n\n```javascript\n{\n  errors              : [\n    'The password must be at least 10 characters long.',\n    'The password must contain at least one uppercase letter.',\n    'The password must contain at least one number.',\n    'The password must contain at least one special character.'\n  ],\n  failedTests         : [ 0, 4, 5, 6 ],\n  passedTests         : [ 1, 2, 3 ],\n  requiredTestErrors  : [\n    'The password must be at least 10 characters long.',\n  ],\n  optionalTestErrors  : [\n    'The password must contain at least one uppercase letter.',\n    'The password must contain at least one number.',\n    'The password must contain at least one special character.'\n  ],\n  isPassphrase        : false,\n  strong              : false,\n  optionalTestsPassed : 1\n}\n```\n\nWhereby:\n\n- `errors` is an `array` of `string`s of error messages associated with the\n  failed tests.\n\n- `failedTests` enumerates which tests have failed, beginning from 0 with the\n  first required test\n\n- `passedTests` enumerates which tests have succeeded, beginning from 0 with\n  the first required test\n\n- `requiredTestErrors` is an array containing the error messages of required\n  tests that have failed.\n\n- `optionalTestErrors` is an array containing the error messages of optional\n  tests that have failed.\n\n- `isPassphrase` is a `boolean` indicating whether or not the password was\n  considered to be a passphrase.\n\n- `strong` is a `boolean` indicating whether or not the user's password\n  satisfied the strength requirements.\n\n- `optionalTestsPassed` is a `number` indicating how many of the optional tests\n  were passed. 
In order for the password to be considered \"strong\", it (by\n  default) must either be a passphrase, or must pass a number of optional tests\n  that is equal to or greater than `configs.minOptionalTestsToPass`.\n\n\nConfiguring\n-----------\nThe module may be configured as follows:\n\n\n```javascript\nvar owasp = require('owasp-password-strength-test');\n\n// Pass a hash of settings to the `config` method. The settings shown here are\n// the defaults.\nowasp.config({\n  allowPassphrases       : true,\n  maxLength              : 128,\n  minLength              : 10,\n  minPhraseLength        : 20,\n  minOptionalTestsToPass : 4,\n});\n```\n\nWhereby:\n\n- `allowPassphrases` is a `boolean` that toggles the \"passphrase\" mechanism on\n  and off. If set to `false`, the strength-checker will abandon the notion of\n  \"passphrases\", and will subject all passwords to the same complexity\n  requirements.\n\n- `maxLength` is a constraint on a password's maximum length.\n\n- `minLength` is a constraint on a password's minimum length.\n\n- `minPhraseLength` is the minimum length a password needs to achieve in order\n  to be considered a \"passphrase\" (and thus exempted from the optional\n  complexity tests by default).\n\n- `minOptionalTestsToPass` is the minimum number of optional tests that a\n  password must pass in order to be considered \"strong\". By default (per the\n  OWASP guidelines), four optional complexity tests are made, and a password\n  must pass at least three of them in order to be considered \"strong\". 
\n\n\nExtending\n---------\nIf you would like to filter passwords through additional tests beyond the\ndefault, you may simply push new tests onto the appropriate arrays within the\nmodule's `test` object:\n\n```javascript\nvar owasp = require('owasp-password-strength-test');\n\n// push \"required\" tests onto `tests.required` array, and push \"optional\" tests\n// onto the `tests.optional` array.\nowasp.tests.required.push(function(password) {\n  if (password === 'one two three four five') {\n    return \"That's the kind of thing an idiot would have on his luggage!\";\n  }\n});\n```\n\nTest functions must resemble the following:\n\n```javascript\n// accept the password as the single argument\nfunction(password) {\n\n  // the \"if\" conditional should evaluate to `true` if the password is bad\n  if (thePasswordIsBad) {\n\n    // On password failure, a string should be returned. It will be pushed\n    // onto an array of errors associated with the password.\n    return \"This is the failure message associated with the test\";\n  }\n\n  // if the password is OK, nothing should be returned\n}\n\n```\n\n\nTesting\n-------\nTo run the module's test suite, `cd` into its directory and run `npm test`. You\nmay first need to run `npm install` to install the required development\ndependencies. 
(These dependencies are **not** required in a production\nenvironment, and facilitate only unit testing.)\n\n\nContributing\n------------\nIf you would like to contribute code, please fork this repository, make your\nchanges, and then submit a pull-request.\n\n[guidelines]: https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls\n[xkcd]: http://xkcd.com/936/ \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnowsecure%2Fowasp-password-strength-test","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnowsecure%2Fowasp-password-strength-test","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnowsecure%2Fowasp-password-strength-test/lists"}