Installations
npm install @zxcvbn-ts/language-commonReleases
Unable to fetch releases
Developer
Developer Guide
Module System
CommonJS
Min. Node Version
Typescript Support
Yes
Node Version
18.16.1
NPM Version
lerna/7.3.0/node@v18.16.1+arm64 (darwin)
Statistics
921 Stars
835 Commits
74 Forks
7 Watching
6 Branches
66 Contributors
Updated on 27 Nov 2024
Languages
TypeScript (98.1%)
JavaScript (1.9%)
Total Downloads
Cumulative downloads
Total Downloads
10,290,975
Last day
0.1%
27,119
Compared to previous day
Last week
8.1%
148,912
Compared to previous week
Last month
13.9%
595,377
Compared to previous month
Last year
68.6%
5,523,521
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
No dependencies detected.
zxcvbn-ts
This is a complete rewrite of zxcvbn into typescript which is licensed under the MIT license. Thanks to the original creators dropbox for the great work.
zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative estimation, it recognizes and weighs 40k common passwords, common names surnames, popular words from Wikipedia and common word in different language from different countries, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.
Consider using zxcvbn as an algorithmic alternative to password composition policy — it is more secure, flexible, and usable when sites require a minimal complexity score in place of annoying rules like "passwords must contain three of {lower, upper, numbers, symbols}".
- More secure: policies often fail both ways, allowing weak passwords (P@ssword1) and disallowing strong passwords.
- More flexible: zxcvbn allows many password styles to flourish so long as it detects sufficient complexity — passphrases are rated highly given enough uncommon words, keyboard patterns are ranked based on length and number of turns, and capitalization adds more complexity when it's unpredictaBle.
- More usable: zxcvbn is designed to power simple, rule-free interfaces that give instant feedback. In addition to strength estimation, zxcvbn includes minimal, targeted verbal feedback that can help guide users towards less guessable passwords. For further detail and motivation, please refer to the USENIX Security '16 paper and presentation.
The reason of this project is to modernize zxcvbn and make it maintainable with new features.
Features
- estimate strength of a password
- get a score for the password
- i18n support, for dictionaries and feedback translations
- extend existing dictionaries with your own
- usable without dictionaries at all, which reduce the scoring efficiency rapidly. This is not recommended
- types
- custom matcher
- haveibeenpwned matcher
Documentation
Checkout the Documentation. There you will also find the Demo pages and the Migration guide.
LanguagePackages
If your language is missing as a language pack checkout the guide to add your own.
Comparison
If you want to know how much the scoring changed compared to the original checkout the comparison page.
Contribution
Please feel free to open up an issue or provide a pull request.
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
29 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE.txt:0
- Info: FSF or OSI recognized license: MIT License: LICENSE.txt:0
Reason
1 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
Reason
Found 7/21 approved changesets -- score normalized to 3
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/build.js.yml:1
- Warn: no topLevel permission defined: .github/workflows/docs.js.yml:1
- Warn: no topLevel permission defined: .github/workflows/lint.js.yml:1
- Warn: no topLevel permission defined: .github/workflows/test.js.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.js.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/zxcvbn-ts/zxcvbn/build.js.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.js.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/zxcvbn-ts/zxcvbn/build.js.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.js.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/zxcvbn-ts/zxcvbn/docs.js.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.js.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/zxcvbn-ts/zxcvbn/docs.js.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.js.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/zxcvbn-ts/zxcvbn/lint.js.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.js.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/zxcvbn-ts/zxcvbn/lint.js.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.js.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/zxcvbn-ts/zxcvbn/test.js.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.js.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/zxcvbn-ts/zxcvbn/test.js.yml/master?enable=pin
- Info: 0 out of 8 GitHub-owned GitHubAction dependencies pinned
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 18 are checked with a SAST tool
Score
5.2
/10
Last Scanned on 2024-11-25
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More