
Can anyone recommend a Java library that contains methods that are suitable for performing server-side password strength checking in a webapp. Ideally the checker should be:

  • configurable, allowing the deployer to supply different dictionaries, adjust weights of different criteria, and so on
  • extensible allowing new criteria to be implemented if required
  • implemented in pure Java
  • not fundamentally intertwined with tag libraries, UI components or "password management" functionality
  • compatible with a GPL 3 project
  • compatible with Spring wiring
  • mavenized (ideally available through Maven Central)
Stephen C
  • you might find this post useful - http://stackoverflow.com/questions/75057/what-is-the-best-way-to-check-the-strength-of-a-password – Aravind Yarram Jul 08 '10 at 02:43
  • This code is simple but may be useful https://github.com/devewm/java-pwdstrength – Alireza Fattahi Jan 23 '16 at 13:49
  • Looking for the library, I found a [java port](https://github.com/nulab/zxcvbn4j) of JavaScript library [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/). It doesn't check rules but calculates password entropy taking into account the list of the popular passwords. It has no dependencies. It is in maven central. It has MIT license. – Maxim Mazin Jan 23 '16 at 20:19

2 Answers


Have a look at vt-password:

  • configurable, allowing the deployer to supply different dictionaries, adjust weights of different criteria, and so on - Partially (yes to configurable, dictionaries, no to weighted criteria)
  • extensible allowing new criteria to be implemented if required - Yes
  • implemented in pure Java - Yes (and decent javadoc)
  • not fundamentally intertwined with a tag libraries, UI components or "password management" functionality - Yes
  • compatible with a GPL 3 project - Yes (LGPLv3/APLv2 dual-licensed as of November 2013)
  • compatible with Spring wiring - Looks like
  • mavenized (ideally available through Maven Central) - Yes (in central since version 3.0)

Update by @Stephen C.

The guys who do vt-password have made a number of API improvements since the question was originally answered, and one of the outcomes is that the classes are much easier to configure using Spring IoC. They have also uploaded it to Maven Central: http://mvnrepository.com/artifact/edu.vt.middleware/vt-password


Update 2020: vt-password has been replaced, sort of, by Passay

Dan Pritts
Pascal Thivent
  • While I do not care about this topic (right now), what a great answer. +1 – Dan Rosenstark Jul 08 '10 at 04:04
  • @Stephen: You're welcome. @Daniel: Thanks, glad you find it (potentially) helpful too. – Pascal Thivent Jul 08 '10 at 04:35
  • A couple of points: 1) The rules are configurable, but there is no direct support for configuring via XML or properties files. 2) The rule objects have mutable state (!?!) and are not thread-safe. 3) Some rules have API impediments to wiring via Spring IoC, and (more important) to copying rules. But I'm going to persevere anyway. – Stephen C Jul 08 '10 at 05:30
  • Sweet, thanks for sharing this. Just what I was looking for. – Tauren Feb 15 '11 at 03:40
  • Unfortunately `vt-password` doesn't fully support internationalisation. I discovered this after many hours of getting it all working with a custom Hibernate validator for a password field in an entity. For example, here's a message string with two variables: INSUFFICIENT_CHARACTERS=Password must contain at least %1$s %2$s characters. This message string can be overridden by supplying the path to a custom properties file, but the problem is that the second variable contains English words such as the word 'uppercase'! – mwarren Aug 23 '12 at 21:30
  • Note that vt-password is now (sort of) [Passay](http://www.passay.org/) – elhefe Feb 03 '17 at 22:35

This is a followup answer to say that I did use vt-password, and I'm happy with the results.

I started out with vt-password version 2.0 and hacked it around a bit to get it to work with Spring wiring, and address the thread safety issues I alluded to in my comments on @Pascal's answer. That was enough to get on with.

A few weeks back, the vt-middleware team released vt-password 3.0, based (in small part) on my feedback concerning 2.0. This new release addressed all of the issues I had hacked around, and I have now ditched my local mods and am using vt-password 3.0 as is. They have also uploaded their stuff to Maven Central, and improved the online documentation.

Stephen C
  • how did you manage to use vt-password to calculate password strengths? I don't see anything that would allow you to weight different criteria or get back a "strength" measurement during validation. Or did you drop this requirement? I'm thinking I could run the validation multiple times with different values for the rules and somehow come up with a strength, but that sure seems overkill. – Tauren Feb 15 '11 at 03:43
  • @Tauren - in fact I dropped this requirement. – Stephen C Feb 15 '11 at 04:19
  • Oh well, I was hoping you found a simple solution. I've dropped this requirement as well. Maybe I'll address password strength in the future. – Tauren Feb 15 '11 at 07:30
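To make the two answers concrete, here is an added example (not code from the question, the answers, or the vt-password/Passay project itself) of a server-side policy built on Passay, the library the answers name as vt-password's successor. It assumes a Passay 1.x jar (`org.passay:passay`) on the classpath; every class imported from `org.passay` is the library's own, while `YearRule`, `PasswordPolicyExample`, the banned-word list and the sample credentials are constructed for this example. It shows the points raised above: the rules are plain objects handed to `PasswordValidator` through its constructor (so a Spring context can inject the same `List<Rule>`), a deployer-supplied dictionary, a custom criterion added by implementing `Rule`, and, as the last comments note, the result is pass/fail plus messages rather than a numeric strength score.

```java
// Added example: server-side password policy with Passay (org.passay, 1.x).
// All org.passay.* classes are the library's; YearRule and the sample data
// are constructed for this demonstration.
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.passay.CharacterRule;
import org.passay.DictionarySubstringRule;
import org.passay.EnglishCharacterData;
import org.passay.EnglishSequenceData;
import org.passay.IllegalSequenceRule;
import org.passay.LengthRule;
import org.passay.PasswordData;
import org.passay.PasswordValidator;
import org.passay.Rule;
import org.passay.RuleResult;
import org.passay.UsernameRule;
import org.passay.WhitespaceRule;
import org.passay.dictionary.ArrayWordList;
import org.passay.dictionary.WordListDictionary;

public class PasswordPolicyExample {

    /**
     * Custom criterion (hypothetical, written for this example) showing the
     * extensibility the question asks for: reject passwords that embed a
     * four-digit year, a very common weak pattern. A Rule only has to
     * implement validate(), so it is wired exactly like the built-in rules.
     */
    public static final class YearRule implements Rule {
        private static final Pattern YEAR = Pattern.compile("(19|20)\\d{2}");

        @Override
        public RuleResult validate(PasswordData passwordData) {
            Matcher m = YEAR.matcher(passwordData.getPassword());
            if (!m.find()) {
                return new RuleResult(true);
            }
            Map<String, Object> params = new LinkedHashMap<>();
            params.put("year", m.group());
            RuleResult result = new RuleResult(false);
            // "CONTAINS_YEAR" is the message key a deployer would add to the
            // properties file given to a PropertiesMessageResolver (this is
            // also where translated messages go).
            result.addError("CONTAINS_YEAR", params);
            return result;
        }
    }

    /** Builds the rule list; each entry is something the deployer can tune. */
    public static List<Rule> defaultRules(String[] bannedWords) {
        List<Rule> rules = new ArrayList<>();
        rules.add(new LengthRule(12, 128));
        rules.add(new CharacterRule(EnglishCharacterData.UpperCase, 1));
        rules.add(new CharacterRule(EnglishCharacterData.LowerCase, 1));
        rules.add(new CharacterRule(EnglishCharacterData.Digit, 1));
        rules.add(new WhitespaceRule());
        // reject runs of 5+ characters from a known sequence ("abcde", "12345", "qwert")
        rules.add(new IllegalSequenceRule(EnglishSequenceData.Alphabetical, 5, false));
        rules.add(new IllegalSequenceRule(EnglishSequenceData.Numerical, 5, false));
        rules.add(new IllegalSequenceRule(EnglishSequenceData.USQwerty, 5, false));
        // the password must not contain the username, forwards or reversed, any case
        rules.add(new UsernameRule(true, true));
        // deployer-supplied banned words, matched case-insensitively as substrings;
        // in production load a large list (e.g. via WordLists.createFromReader)
        rules.add(new DictionarySubstringRule(
            new WordListDictionary(new ArrayWordList(bannedWords, false))));
        rules.add(new YearRule());
        return rules;
    }

    public static void main(String[] args) {
        // Constructed sample data for the demonstration.
        String[] banned = {"password", "letmein", "welcome", "qwerty"};
        // PasswordValidator takes its rules by constructor, so a Spring
        // context can pass the same List<Rule> as a constructor argument.
        PasswordValidator validator = new PasswordValidator(defaultRules(banned));

        String[][] samples = {
            {"alice", "Password2019"},          // banned word + year
            {"bob",   "bob"},                   // equals username, far too short
            {"carol", "Tr0ub4dor&3 horse"},     // contains whitespace
            {"dave",  "Correct-Horse-Battery-9"} // passes every rule above
        };
        for (String[] s : samples) {
            RuleResult result = validator.validate(new PasswordData(s[0], s[1]));
            System.out.println(s[1] + " -> " + (result.isValid() ? "OK" : "REJECTED"));
            for (String msg : validator.getMessages(result)) {
                System.out.println("   " + msg);
            }
        }
    }
}
```

Note on the i18n complaint in the comments: `getMessages` resolves each error code through a `MessageResolver`, so the text of every message (including the custom `CONTAINS_YEAR` key, which otherwise shows up in Passay's fallback "code:parameters" form) can be replaced by supplying a `PropertiesMessageResolver` loaded from your own properties file as the first constructor argument of `PasswordValidator`.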