November 23, 2013

Common password checker

There are a lot of standards out there for password quality, usually something like "at least 6 characters, with both upper and lower case and a digit or non-alphabetic character".

These are horrible rules. They mean that a password like "Passw0rd", which satisfies them, is thought to be better than "Y1&j)" or "cork-bairn-meson-most-ago", which don't. It is not. Clever password crackers will, first thing, try a large dictionary of known passwords before they start iterating through strings brute-force, and it's only in the latter stage that a longer password or a mix of character types helps.

So, if you want to get your users to choose passwords that are more likely to be secure, the most important thing is to reject the kinds of common passwords that are most likely to be guessed. Google actually tracks the passwords that crackers try to break into accounts with and notes these as "weak", regardless of how tricky they seem.

So, I built a thing: I took the 1,139,118 most-frequently-used passwords from a large password leak (from the social site RockYou in 2009) and built a password checker. This contains every password that was used 3 or more times across the 32 million leaked accounts. ("Passw0rd" was used 207 times.)

Enter a password below and discover if it's any good. The implementation uses a Bloom filter tuned for approximately 0.1% false positives, so there's about one chance in a thousand that a password which is not on the list will show as "weak". The error only goes that way: a Bloom filter never misses a password that is on the list. The Bloom filter makes the data transfer smaller (about 2 MB, rather than the list itself) and allows very fast checking of candidate passwords against the list. Nothing is sent back to a server: the checking is done in the browser.
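
Here is what such a checker looks like end to end, as an added example rather than the post's own code: the filter is sized from the target false-positive rate, built once from the word list, and the client reconstructs it from the shipped bit array and tests candidates locally. The hash functions (seeded 32-bit FNV-1a combined by double hashing) are my choice, not something the post specifies, and the word list is a constructed sample standing in for the RockYou-derived one.

```javascript
// Added example (not the post's own code): a Bloom-filter denylist of common
// passwords, built server-side and checked client-side in plain JavaScript.
// The word list below is a constructed sample, not the RockYou-derived list.

const utf8 = new TextEncoder();

// 32-bit FNV-1a over the UTF-8 bytes of a string; `seed` turns one routine into
// a family of hash functions.
function fnv1a32(bytes, seed) {
  let h = (0x811c9dc5 ^ seed) >>> 0;
  for (const b of bytes) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Standard sizing: m = -n ln p / (ln 2)^2 bits and k = (m / n) ln 2 hashes give
// roughly false-positive rate p once n items have been inserted.
function bloomParameters(expectedItems, falsePositiveRate) {
  const bitsPerItem = -Math.log(falsePositiveRate) / (Math.LN2 * Math.LN2);
  const numBits = Math.ceil(expectedItems * bitsPerItem);
  const numHashes = Math.max(1, Math.round(bitsPerItem * Math.LN2));
  return { numBits, numHashes, numBytes: Math.ceil(numBits / 8) };
}

class BloomFilter {
  constructor(numBits, numHashes, bits) {
    this.numBits = numBits;
    this.numHashes = numHashes;
    this.bits = bits || new Uint8Array(Math.ceil(numBits / 8));
  }

  // Bit positions for an item via double hashing: h1 + i*h2 (mod m).
  positions(item) {
    const bytes = utf8.encode(item);
    const h1 = fnv1a32(bytes, 0);
    const h2 = (fnv1a32(bytes, 0x9e3779b9) | 1) >>> 0; // forced odd so the stride is never zero
    const out = [];
    for (let i = 0; i < this.numHashes; i++) {
      out.push((h1 + i * h2) % this.numBits); // < 2^37, exact in a double
    }
    return out;
  }

  add(item) {
    for (const p of this.positions(item)) this.bits[p >>> 3] |= 1 << (p & 7);
  }

  // false => definitely not in the set; true => in the set, or a false positive.
  mightContain(item) {
    return this.positions(item).every((p) => (this.bits[p >>> 3] & (1 << (p & 7))) !== 0);
  }
}

// Server side: build the filter once from the frequency-sorted leak list.
function buildDenylist(passwords, falsePositiveRate) {
  const { numBits, numHashes } = bloomParameters(passwords.length, falsePositiveRate);
  const filter = new BloomFilter(numBits, numHashes);
  for (const pw of passwords) filter.add(pw);
  return filter;
}

// Client side: the browser fetches only the bit array plus the two parameters
// and rebuilds the filter; the candidate password never leaves the page.
function loadDenylist(bits, numBits, numHashes) {
  return new BloomFilter(numBits, numHashes, bits);
}

// Constructed sample list standing in for the 1.1M-entry leak-derived list.
const SAMPLE_COMMON_PASSWORDS = [
  "123456", "password", "iloveyou", "princess", "rockyou", "Passw0rd", "abc123",
];

const serverFilter = buildDenylist(SAMPLE_COMMON_PASSWORDS, 0.001);
const clientFilter = loadDenylist(serverFilter.bits, serverFilter.numBits, serverFilter.numHashes);

function isWeak(password) {
  return clientFilter.mightContain(password);
}
```

Plugging the post's own figures into bloomParameters (1,139,118 entries at p = 0.001) gives about 14.4 bits per entry, roughly 16.4 million bits or 2.0 MB, and k = 10 hash functions, which is consistent with the 2 MB download mentioned above. Note that the filter contains no password text at all, so shipping it does not hand the client a usable cracking dictionary, but a determined user could still probe it offline at full speed.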


Of course, even if your password wasn't found, it still might be quite weak: large password dictionaries have a billion passwords to try before they start churning through every possible string. To generate a better password, you might want to try my password generator. If you're interested in using either to help make your site more secure, let me know, I'm happy to help.

Endianness in Javascript

I just needed to determine endianness from Javascript. ArrayBuffer and the typed-array classes built on it operate directly upon memory buffers, which is great when you want to slurp in some binary data without the overhead of JSON conversion, but a multi-byte view such as Uint32Array reads in the host's byte order, so the code inherits an endianness dependency.

I probably could have just ignored the question (at the expense of all my Alpha-powered users), but I'm OCD enough to write the check.

function littleEndian() {
  var buf = new ArrayBuffer(4);
  var bytes = new Uint8Array(buf);   // byte-wise view of the same 4 bytes
  var words = new Uint32Array(buf);  // 32-bit view, read in host byte order
  bytes[0] = 1;                      // put 0x01 in the lowest-addressed byte
  return words[0] === 1;             // little-endian reads 0x00000001, big-endian 0x01000000
}

But I can't test it.
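
As an added example (not the post's code), here is the same check next to the way to avoid needing it: DataView takes the byte order as an explicit argument and tolerates unaligned offsets, so a parser written against it gives the same answer on every host. It also shows how to reason about the untestable branch, by reading the same bytes with DataView's big-endian mode, which is exactly what the typed-array view would have produced on a big-endian machine. The 8-byte header format is made up for the illustration.

```javascript
// Added example (not the post's own code): detect host byte order, and parse a
// binary header in a way that does not depend on it. The record format below is
// constructed for the illustration.

function hostIsLittleEndian() {
  const buf = new ArrayBuffer(4);
  new Uint8Array(buf)[0] = 1;            // 0x01 in the lowest-addressed byte
  return new Uint32Array(buf)[0] === 1;  // little-endian: 0x00000001; big-endian: 0x01000000
}

// Constructed 8-byte header, little-endian on the wire:
//   magic u32 = 0x12345678, version u16 = 2, payloadLength u16 = 16.
const SAMPLE_HEADER = new Uint8Array([0x78, 0x56, 0x34, 0x12, 0x02, 0x00, 0x10, 0x00]);

// Portable: DataView takes the byte order as an argument (true = little-endian)
// and accepts unaligned offsets, so this parses identically on every host.
function parseHeaderPortable(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    magic: view.getUint32(0, true),
    version: view.getUint16(4, true),
    payloadLength: view.getUint16(6, true),
  };
}

// Host-order: multi-byte typed-array views read in the host's byte order and
// require aligned offsets, so this matches the wire format only on a
// little-endian host.
function parseHeaderNative(bytes) {
  const copy = bytes.slice(); // fresh buffer starting at offset 0, so the views below are aligned
  return {
    magic: new Uint32Array(copy.buffer, 0, 1)[0],
    version: new Uint16Array(copy.buffer, 4, 1)[0],
    payloadLength: new Uint16Array(copy.buffer, 6, 1)[0],
  };
}

// What parseHeaderNative would return on a big-endian machine: the same bytes
// read big-endian. This is how to reason about the branch you cannot run.
function parseHeaderAsBigEndianHost(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    magic: view.getUint32(0, false),
    version: view.getUint16(4, false),
    payloadLength: view.getUint16(6, false),
  };
}

// Consistency check that runs anywhere: the host-order parse agrees with the
// portable one exactly when the host is little-endian.
function nativeParseMatchesWire() {
  const a = parseHeaderNative(SAMPLE_HEADER);
  const b = parseHeaderPortable(SAMPLE_HEADER);
  return a.magic === b.magic && a.version === b.version && a.payloadLength === b.payloadLength;
}
```

The practical rule this illustrates: use typed-array views for bulk access to same-width data you produced yourself, and DataView (or a byte swap gated on hostIsLittleEndian()) whenever the bytes came from a file or the network with a defined byte order.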