Password Strength Checker for mootools
JavaScript CSS HTML
Latest commit e1cf907 Aug 14, 2015 @DimitarChristoff updated study url


A basic plugin that can do scoring of password strength as a user types within an input field.


See it live in action on this jsfiddle here or this one.

endorse Build Status

How to use

Get MooTools (1.4.5+, ideally 1.5.1). No mootools-more required. Have a password field and some CSS.

    <input type="password" id="foo" />
    div.pass-container {
        height: 30px;

    div.pass-bar {
        height: 11px;
        margin-top: 2px;
    div.pass-hint {
        font-family: arial;
        font-size: 11px;

Create your instance

    new StrongPass("foo", {
        onReady: function() {
            console.log('you can begin typing');
        onPass: function(score, verdict) {
            console.log('pass', score, verdict)
        onFail: function(score, verdict) {
            console.log('fail', score, verdict);
        onBanned: function(word) {
            console.warn(word, 'is not allowed as it is on the bannedPasswords list');

Alternatively, you can just use it as a tool to check and feed back scores without output - so you can script your own via the events instead.

    var indicator = document.getElement('span.pwStrengthResult'),
        colourIndicate = function(level, label) {
                html: label,
                styles: {
                    color: this.options.colors[level] || this.options.colors.getLast()

    new StrongPass('foo', {
        bannedPass: 'Very weak (too common)',
        verdicts: [
            'Too Short',
        colors: [
        // tweak scores here
        scores: [
        render: false,
        onPass: function() {
            colourIndicate.apply(this, arguments);
        onFail: function() {
            colourIndicate.apply(this, arguments);

How it works

A series of tests and definitions dictate the total scoring of the string in the input (or an arbitrary string) as a password. Certain logic is applied to do with best practices that helps in the scoring. In terms of configuration of how lax the plugin is, you can use several things.

  • options - can set scores as ranges that map to verdicts. In the example above, anything scoring below 10 will be deemed Too short, between 10 and 30 - Weak and so forth. By upping these values, you can make it more demanding - or less demanding, dependent on what your users are like.
  • length - there are some extra bonuses added for each extra character over the minimum length as the longer a password is, the more time it will take to brute force. The values added here are somewhat arbitrary but you can edit the checkPassword method and set your own values.
  • regex scoring - the class has a static array of simple objects that looks like this:
    checks: [
        /* alphaLower */ {
            re: /[a-z]/,
            score: 1
        /* alphaUpper */ {
            re: /[A-Z]/,
            score: 5
        /* mixture of upper and lowercase */ {
            re: /([a-z].*[A-Z])|([A-Z].*[a-z])/,
            score: 2
        /* threeNumbers */ {
            re: /(.*[0-9].*[0-9].*[0-9])/,
            score: 7
        /* special chars */ {
            re: /.[!@#$%^&*?_~]/,
            score: 5
        /* multiple special chars */ {
            re: /(.*[!@#$%^&*?_~].*[!@#$%^&*?_~])/,
            score: 7
        /* all together now, does it look nice? */ {
            re: /([a-zA-Z0-9].*[!@#$%^&*?_~])|([!@#$%^&*?_~].*[a-zA-Z0-9])/,
            score: 3
        /* password of a single repeated char sucks */ {
            re: /(.)\1+$/,
            score: 2

You can add / push to this array to add further changes or you can edit the regex or the scoring applied. A score can also be negative. For instance, we add 2 bonus points if the password has more than 1 letter so it's not just something like aaaaaa to make it pass. This is a 'positive' score that awards variety but you can easily reverse the check and the result of the regex to a penalising one by doing:

/* password of a single char sucks A LOT */ {
    re: /^(.)\1+$/,
    score: -20


Via Buster.js, go to test/index.html to run.

You can also test via node and Grunt. To install buster:

$ npm install -g buster phantomjs

To install locally:

$ npm install

To test, either of these works (via PhantomJS):

$ npm test
$ grunt

To start in capture mode for multiple browsers:

$ buster-server &

Once you have captured your target browsers, just run:

$ open http://localhost:1111/capture
$ buster-test -r specification

Using under AMD

You can now just use RequireJS or Almond or similar to load the Class:

    require(['js/StrongPass'], function(StrongPass){
        new StrongPass({});

    // or mixin / extend and do your own
    define(['js/StrongPass'], function(StrongPass){
        return new Class({
            Extends: StrongPass,

If an AMD compatible define is found, it will be preferred to global object.


Licensed under the MIT License. You are not allowed to use for evil