Password validation determined by password entropy
Validate passwords using entropy rather than arbitrary rules.
This is a PHP port of Lane Wagner's Go Password Validator
This project can be used to front a password strength meter, or simply validate password strength on the server. Benefits:
- No stupid rules (doesn't require uppercase, numbers, special characters, etc)
- Everything is based on entropy (raw cryptographic strength of the password)
- Inspired by this XKCD
What Entropy Value Should I Use?
It's up to you. That said, here is a pretty good graph that shows some timings for different values:
Somewhere in the 50-70 range seems "average"
Installation and Usage
Install the library with composer:
composer require garybell/password-validator
To use the functionality, call any of the functions within the class with the password as a parameter. All functions are static, so no PasswordValidator object needs to be created before use.
```php
// Get the base of the password (sum of the sizes of the character sets used)
$base = GaryBell\PasswordValidator::getBase($password);
// Get the length of the password (characters used; only the first two occurrences of any single character are counted)
$length = GaryBell\PasswordValidator::getLength($password);
// Get the entropy of the password
$entropy = GaryBell\PasswordValidator::getEntropy($password);
```
The getEntropy function has an optional parameter, decimalPlaces, which determines the precision of the returned entropy. The default is 2 decimal places. To reduce this to 1 decimal place, use:
```php
$entropy = GaryBell\PasswordValidator::getEntropy($password, 1);
```
Similarly, for 4 decimal places, use:
```php
$entropy = GaryBell\PasswordValidator::getEntropy($password, 4);
```
Version 0.x and 1.x
How It Works
First, we determine the "base" number. The base is a sum of the different "character sets" found in the password.
The current character sets include:
- 26 lowercase letters
- 26 uppercase
- 10 digits
- 32 special characters
Using at least one character from each set, your base number will be 94:
26+26+10+32 = 94
Every unique character that doesn't match one of those sets adds 1 to the base.
If you only use, for example, lowercase letters and numbers, your base will be 36:
26+10 = 36.
After we have calculated a base, the total number of brute-force guesses is found using the following formula:
A password using base 26 with 7 characters would require
Once we know the number of guesses it would take, we can calculate the actual entropy in bits using
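The base, length and entropy calculation described above, as an added worked example in Go (the language of the original library this port derives from); it is not the PHP library's own code. It assumes the 32 special characters are the printable ASCII punctuation characters without space, and that the guess count is base^length with entropy = log2(guesses), as in the original Go validator.

```go
package main
import "math"
import "strings"

// Assumed set of the 32 special characters (printable ASCII punctuation, no space).
const specials = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

// Base sums the sizes of the character sets present (26+26+10+32) and adds 1 per unique character outside them all.
func Base(password string) int {
	sizes := map[string]int{} // set name -> set size, for each set seen so far
	other := map[rune]bool{}  // unique characters that belong to no set
	for _, r := range password {
		switch {
		case r >= 'a' && r <= 'z':
			sizes["lower"] = 26
		case r >= 'A' && r <= 'Z':
			sizes["upper"] = 26
		case r >= '0' && r <= '9':
			sizes["digit"] = 10
		case strings.ContainsRune(specials, r):
			sizes["special"] = 32
		default:
			other[r] = true
		}
	}
	base := len(other)
	for _, n := range sizes {
		base += n
	}
	return base
}

// Length counts characters, ignoring the third and later occurrences of any single character ("aaaaaaaa" counts as 2).
func Length(password string) int {
	seen, n := map[rune]int{}, 0
	for _, r := range password {
		if seen[r]++; seen[r] <= 2 {
			n++
		}
	}
	return n
}

// Entropy assumes guesses = base^length and returns log2(guesses) = length*log2(base) bits, rounded to decimalPlaces like getEntropy.
func Entropy(password string, decimalPlaces int) float64 {
	base, length := Base(password), Length(password)
	if base == 0 || length == 0 {
		return 0 // empty password: avoid log2(0)
	}
	scale := math.Pow(10, float64(decimalPlaces))
	return math.Round(float64(length)*math.Log2(float64(base))*scale) / scale
}
```

For example, Entropy("abcdefg", 2) gives 32.90 bits (7 characters from a base of 26), while "Tr0ub4dor&3" uses all four sets for a base of 94 and 11 counted characters.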