This crate was inspired by the CHBS Password Strength Checker, which itself was inspired by the go-password-validator. The difference to CHBS is that this crate is focussed on performance and minimal required memory allocation.
Many password checkers are wrong. It should not matter if a password must contain at least one upper, lower, digit and special character if it is long enough. What matters is the entropy of the password. The entropy refers to the number of brute-force guesses an attacker needs to crack the password. This will be measured in bits (the exponent n in 2^n). You can read more about it here: How To Correctly Validate Passwords.
To calculate the entropy, the CHBS Password Strength Checker and therefore this crate are removing palindromes, repeating characters and common sequences from the password before calculating the passwords entropy. All of these actions are only shrinking the size of the password. Therefore no additional memory is needed than exactly one local copy of the password. Everything is done in-place. If zeroing the local copy of the password is necessary, after the calculation is done, activate the feature zeroize.
How to use:
use pw_entropy::PasswordInfo;
let password = "ThisIsASecret";
let entropy = PasswordInfo::for_password(password).get_entropy();
println!("Bits: {}", entropy);
>>> Bits: 74.1057163358342The entropy of a password is calculated by log_2(base ^ length), where base is the amount of characters the password could contain.
The base is a sum of the following groups, if the password contains at least one character of the group:
- 26 lowercase letters
- 26 uppercase letters
- 10 digits
- 5 replacement characters (
!@$&*) - 5 separator characters (
_-.,) - 22 other special characters (
"#%'()+/:;<=>?[\]^{|}~)
Repeating characters like aaaaaaaaa will only count as one a. and the following common sequences will be entirely removed:
asdfjkl;;lkjfdsaasdfghjklasdf ;lkj0123456789qwertyuiopqwertyzxcvbnmabcdefghijklmnopqrstuvwxyzpassword1password!passwordPasswordasswordpicture1Picture1picturePictureasdfrty567senhaabc123Million20000001234iloveyouaaron431qqww1122123123
If the password is a palindrome like Lagerregal or abcdcba the password will be cut in half.
For example: The password Password? contains at least one character of the categories uppercase (26), lowercase (26) and digit (10). This sums up to a base of 26+26+10 = 62 and the length of the password is 9. The entropy of the password would normally be log_2(62 ^ 9) = 53.587766793481876 bits. But since Password is a common sequence, the sequence will be removed (only the question mark is left), so the actual entropy this crates calculates is only log_2(22 ^ 1) = 4.459431618637297 bits.
That depends. Take a look at this graphic to create an overview for yourself.