Password Strength Checker for mootools
JavaScript CSS HTML
Latest commit e1cf907 Aug 14, 2015 @DimitarChristoff updated study url
Failed to load latest commit information.
Source updated study url Aug 14, 2015
test fixed readme and versioning Oct 31, 2013
.gitignore fixed readme and versioning Oct 31, 2013
.jshintrc tests to grunt, bower.json, amd exports Oct 31, 2013
.travis.yml node to 0.10 Jun 29, 2015
Gruntfile.js tests to grunt, bower.json, amd exports Oct 31, 2013
bower.json tag change Jun 29, 2015
package.yml tag change Jun 29, 2015


A basic plugin that can do scoring of password strength as a user types within an input field.


See it live in action on this jsfiddle here or this one.

endorse Build Status

How to use

Get MooTools (1.4.5+, ideally 1.5.1). No mootools-more required. Have a password field and some CSS.

    <input type="password" id="foo" />
    div.pass-container {
        height: 30px;

    div.pass-bar {
        height: 11px;
        margin-top: 2px;
    div.pass-hint {
        font-family: arial;
        font-size: 11px;

Create your instance

    new StrongPass("foo", {
        onReady: function() {
            console.log('you can begin typing');
        onPass: function(score, verdict) {
            console.log('pass', score, verdict)
        onFail: function(score, verdict) {
            console.log('fail', score, verdict);
        onBanned: function(word) {
            console.warn(word, 'is not allowed as it is on the bannedPasswords list');

Alternatively, you can just use it as a tool to check and feed back scores without output - so you can script your own via the events instead.

    var indicator = document.getElement('span.pwStrengthResult'),
        colourIndicate = function(level, label) {
                html: label,
                styles: {
                    color: this.options.colors[level] || this.options.colors.getLast()

    new StrongPass('foo', {
        bannedPass: 'Very weak (too common)',
        verdicts: [
            'Too Short',
        colors: [
        // tweak scores here
        scores: [
        render: false,
        onPass: function() {
            colourIndicate.apply(this, arguments);
        onFail: function() {
            colourIndicate.apply(this, arguments);

How it works

A series of tests and definitions dictate the total scoring of the string in the input (or an arbitrary string) as a password. Certain logic is applied to do with best practices that helps in the scoring. In terms of configuration of how lax the plugin is, you can use several things.

  • options - can set scores as ranges that map to verdicts. In the example above, anything scoring below 10 will be deemed Too short, between 10 and 30 - Weak and so forth. By upping these values, you can make it more demanding - or less demanding, dependent on what your users are like.
  • length - there are some extra bonuses added for each extra character over the minimum length as the longer a password is, the more time it will take to brute force. The values added here are somewhat arbitrary but you can edit the checkPassword method and set your own values.
  • regex scoring - the class has a static array of simple objects that looks like this:
    checks: [
        /* alphaLower */ {
            re: /[a-z]/,
            score: 1
        /* alphaUpper */ {
            re: /[A-Z]/,
            score: 5
        /* mixture of upper and lowercase */ {
            re: /([a-z].*[A-Z])|([A-Z].*[a-z])/,
            score: 2
        /* threeNumbers */ {
            re: /(.*[0-9].*[0-9].*[0-9])/,
            score: 7
        /* special chars */ {
            re: /.[!@#$%^&*?_~]/,
            score: 5
        /* multiple special chars */ {
            re: /(.*[!@#$%^&*?_~].*[!@#$%^&*?_~])/,
            score: 7
        /* all together now, does it look nice? */ {
            re: /([a-zA-Z0-9].*[!@#$%^&*?_~])|([!@#$%^&*?_~].*[a-zA-Z0-9])/,
            score: 3
        /* password of a single repeated char sucks */ {
            re: /(.)\1+$/,
            score: 2

You can add / push to this array to add further changes or you can edit the regex or the scoring applied. A score can also be negative. For instance, we add 2 bonus points if the password has more than 1 letter so it's not just something like aaaaaa to make it pass. This is a 'positive' score that awards variety but you can easily reverse the check and the result of the regex to a penalising one by doing:

/* password of a single char sucks A LOT */ {
    re: /^(.)\1+$/,
    score: -20


Via Buster.js, go to test/index.html to run.

You can also test via node and Grunt. To install buster:

$ npm install -g buster phantomjs

To install locally:

$ npm install

To test, either of these works (via PhantomJS):

$ npm test
$ grunt

To start in capture mode for multiple browsers:

$ buster-server &

Once you have captured your target browsers, just run:

$ open http://localhost:1111/capture
$ buster-test -r specification

Using under AMD

You can now just use RequireJS or Almond or similar to load the Class:

    require(['js/StrongPass'], function(StrongPass){
        new StrongPass({});

    // or mixin / extend and do your own
    define(['js/StrongPass'], function(StrongPass){
        return new Class({
            Extends: StrongPass,

If an AMD compatible define is found, it will be preferred to global object.


Licensed under the MIT License. You are not allowed to use for evil