{"id":23399583,"url":"https://github.com/sthenauth/zxcvbn-hs","last_synced_at":"2025-04-11T18:07:12.633Z","repository":{"id":39741764,"uuid":"207395842","full_name":"sthenauth/zxcvbn-hs","owner":"sthenauth","description":"Password strength estimation based on zxcvbn","archived":false,"fork":false,"pushed_at":"2024-02-08T18:14:25.000Z","size":3301,"stargazers_count":2,"open_issues_count":6,"forks_count":2,"subscribers_count":2,"default_branch":"trunk","last_synced_at":"2025-03-25T13:51:14.580Z","etag":null,"topics":["haskell","security","zxcvbn"],"latest_commit_sha":null,"homepage":"https://code.devalot.com/sthenauth/zxcvbn-hs","language":"Haskell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sthenauth.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2019-09-09T20:12:15.000Z","updated_at":"2022-06-08T20:14:56.000Z","dependencies_parsed_at":"2022-08-20T22:31:02.176Z","dependency_job_id":"de98f237-3463-47b3-92dd-cf67fa60d5bf","html_url":"https://github.com/sthenauth/zxcvbn-hs","commit_stats":{"total_commits":69,"total_committers":3,"mean_commits":23.0,"dds":0.07246376811594202,"last_synced_commit":"2a17aa3b664fffd63cf51dddcb9905ecaf74fd5a"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sthenauth%2Fzxcvbn-hs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sthenauth%2Fzxcvbn-hs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sthenauth%2Fzxcvbn-hs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sthenauth%2Fzxcvbn-hs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sthenauth","download_url":"https://codeload.github.com/sthenauth/zxcvbn-hs/tar.gz/refs/heads/trunk","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248442527,"owners_count":21104202,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["haskell","security","zxcvbn"],"created_at":"2024-12-22T10:14:46.856Z","updated_at":"2025-04-11T18:07:12.601Z","avatar_url":"https://github.com/sthenauth.png","language":"Haskell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Password Strength Estimation\n\n[![CI](https://github.com/sthenauth/zxcvbn-hs/workflows/CI/badge.svg)](https://github.com/sthenauth/zxcvbn-hs/actions)\n[![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/sthenauth/zxcvbn-hs?label=release)](https://github.com/pjones/zxcvbn-hs/releases)\n[![Hackage](https://img.shields.io/hackage/v/zxcvbn-hs)](https://hackage.haskell.org/package/zxcvbn-hs)\n\n## What?\n\nThis is a native Haskell implementation of the [zxcvbn][] password\nstrength estimation algorithm as it appears in the 2016 USENIX\nSecurity [paper and presentation][paper] (with some small\nmodifications).\n\n## Why?\n\nThe [zxcvbn][] algorithm is a major improvement over traditional\npassword strength estimators.  Instead of counting the occurrence of\nspecial characters, mixed case characters, numeric digits, etc.,\nzxcvbn analyzes a plain text password and estimates the number of\nguesses that an attacker would need to make in order to crack it.\n\n## How?\n\nA plain text password is broken into a list of substrings called\ntokens and each token is analyzed as follows:\n\n  * Membership in a password or word frequency dictionary\n\n  * Reversing the token and testing it against said dictionaries\n\n  * Decoding l33t speak and testing it against said dictionaries\n\n  * Determine if the token forms a pattern on a keyboard\n    (e.g., \"asdfgt\", \"poiuy\", \"aSw2@\", etc.)\n\n  * Compare the code points of the characters to see if they form a\n    sequence (e.g., \"13579\", \"abcde\", \"zyx\", etc.)\n\n  * Attempt to parse the token as a date with or without separators\n    (e.g., \"1013\", \"2011-01-01\", \"23/01/19\", \"012319\", etc.)\n\n  * Search for adjacent tokens that are identical (i.e. repeating\n    patterns)\n\nEach possible interpretation of a token is given an estimated number\nof guesses and then the entire password is scored based on the weakest\npath.\n\n## Usage\n\nA complete example can be found in the\n[example/Main.hs](example/Main.hs) file.  That said, it's pretty easy\nto use:\n\n```haskell\nimport Text.Password.Strength (score, strength, en_US)\nimport Data.Time.Clock (getCurrentTime, utctDay)\n\nmain = do\n  -- The date matcher needs to know the current year.\n  refDay \u003c- utctDay \u003c$\u003e getCurrentTime\n\n  let password = \"password1234567\"\n      guesses  = score en_US refDay password\n\n  print guesses -- Number of estimated guesses (18)\n  print (strength guesses) -- Sum type describing the password strength (Risky)\n```\n\n## Demo App\n\nIf you want to play with an interactive demo take a look at the\n[zxcvbn-ws repository][zxcvbn-ws].\n\n## Customization\n\nYou'll most likely want to add custom words to the frequency\ndictionaries.  For example, the name of your application, your domain\nname, and any personal information you have on the customer.  Doing so\nwill penalize the score of a password using such information.\n\nThe `Text.Password.Strength.Config` module defines the\n`addCustomFrequencyList` function which can be used to easily add\nwords to the frequency dictionary.\n\n### Localization\n\nUnlike other implementations of the [zxcvbn][] algorithm, this version\nfully supports localization.  It's easy to augment or completely\nreplace the frequency dictionaries and keyboard layouts.  Tools are\nprovided to compile simple text files into the data types required by\nthis library.\n\nHowever, like the other implementations, the default configuration is\nheavily biased towards United States English, hence its name: `en_US`.\n\nIncluded in the default configuration are:\n\n  * 30,000 most frequently used passwords according to [Mark Burnett][]\n\n  * 30,000 most frequently used words in US movies and television shows\n\n  * 30,000 most frequently used words in Wikipedia English articles\n\n  * Top 10,000 surnames\n\n  * Top 4,275 female names\n\n  * Top 1,219 male names\n\n  * QWERTY keyboard layout\n\n  * Number pad keyboard layout\n\n### Existing Localization Packages\n\n  * [zxcvbn-dvorak][] Dvorak keyboard layout\n\n## Performance\n\nIt takes approximately 1.5 ms to process a 30-character password.\nPerformance degrades as the length of the password increases (e.g., a\n60-character password clocks in at 13.54 ms).\n\nYou probably want to limit the number of characters you send through\nthe `score` function using something like `Text.take 100` in order to\nprevent a malicious user from slowing down your application.\n\nMost of the time is currently spent in decoding and testing l33t\nspeak.  If you want to work on improving the performance I suggestion\nyou generate a profile using the benchmark tool.\n\n[Mark Burnett]: https://xato.net/today-i-am-releasing-ten-million-passwords-b6278bbe7495?gi=d98e0d16566b\n[paper]: https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler\n[zxcvbn-dvorak]:https://code.devalot.com/sthenauth/zxcvbn-dvorak\n[zxcvbn-ws]: https://code.devalot.com/sthenauth/zxcvbn-ws\n[zxcvbn]: https://github.com/dropbox/zxcvbn\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsthenauth%2Fzxcvbn-hs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsthenauth%2Fzxcvbn-hs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsthenauth%2Fzxcvbn-hs/lists"}