A Java library for validating passwords against NIST SP-800-63B requirements.
Clone or download
Latest commit 0640551 Sep 30, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
.circleci Capture JUnit test results. Sep 27, 2018
src Remove Jetbrains annotations. Sep 27, 2018
.gitignore Initial commit. Apr 20, 2017
CHANGELOG.md Update readme and changelog. Sep 27, 2018
LICENSE Upgrade common-pom and fix license. Jun 26, 2018
README.md Update readme and changelog. Sep 27, 2018
pom.xml Upgrade common-pom. Sep 30, 2018
spotbugs.xml Fix Spotbugs false positive under Java 11. Sep 27, 2018




A Java library for validating passwords against NIST SP-800-63B requirements.

Add to your project


Note: module name for Java 9+ is com.codahale.passpol.

Use the thing

import com.codahale.passpol.BreachDatabase;
import com.codahale.passpol.PasswordPolicy;

class Example {
  void doIt() {
    final PasswordPolicy policy = new PasswordPolicy(BreachDatabase.haveIBeenPwned(5), 8, 64);
    // validate good passwords
    System.out.println(policy.check("this is a good, long password")); 
    // validate bad passwords
    // convert a unicode password to a normalized byte array suitable for hashing
    final byte[] bytes = PasswordPolicy.normalize("✊🏻 unicode 🔥 password");

How it works

PasswordPolicy checks passwords for minimum and maximum length (i.e. the number of Unicode codepoints in the string) and can check a set of breach databases to see if the password has been made public.

The built-in breach databases include an offline list of 100,000 weak passwords from Carey Li's NBP project and an online client for checking passwords against Have I Been Pwned?'s collection of breached passwords.

PasswordPolicy also provides the means to normalize Unicode passwords into a canonical byte array representation suitable for inputting into a password hashing algorithm like bcrypt.


Copyright © 2017-2018 Coda Hale

Distributed under the Apache License 2.0.