For full motivation, see:
The zxcvbn module has the public method PasswordStrength() function. Import zxcvbn, and call PasswordStrength(password string, userInputs string). The function will return a result dictionary with the following keys:
Entropy # bits
CrackTime # estimation of actual crack time, in seconds.
CrackTimeDisplay # same crack time, as a friendlier string: # “instant”, “6 minutes”, “centuries”, etc.
Score # [0,1,2,3,4] if crack time is less than # [10^2, 10^4, 10^6, 10^8, Infinity]. # (useful for implementing a strength bar.)
MatchSequence # the list of patterns that zxcvbn based the # entropy calculation on.
CalcTime # how long it took to calculate an answer, # in milliseconds. usually only a few ms.
The userInputs argument is an splice of strings that zxcvbn will add to its internal dictionary. This can be whatever list of strings you like, but is meant for user inputs from other fields of the form, like name and email. That way a password that includes the user’s personal info can be heavily penalized. This list is also good for site-specific vocabulary.
Bug reports and pull requests welcome!
Use zxcvbn_test.go to check how close to feature parity the project is.
Thanks to Dan Wheeler (https://github.com/lowe) for the CoffeeScript implementation (see above.) To repeat his outside acknowledgements (which remain useful, as always):
Many thanks to Mark Burnett for releasing his 10k top passwords list: http://xato.net/passwords/more-top-worst-passwords and for his 2006 book, “Perfect Passwords: Selection, Protection, Authentication”
Huge thanks to Wiktionary contributors for building a frequency list of English as used in television and movies: http://en.wiktionary.org/wiki/Wiktionary:Frequency_lists
Last but not least, big thanks to xkcd :) https://xkcd.com/936/