Statistically precise password strength checking

Trained on in-the-wild, real-life passwords

passbits is a software library available for Javascript, Python, and other languages.


How to lose by design

Existing password strength checkers give all the advantage to the crackers.

Rules-based checkers tell the crackers exactly which candidate passwords they can ignore.

Template-based checkers fight the crackers on the crackers' territory, instead of picking one that's advantageous to the good guys. It's an arms race we won't win.

Rules-based checkers are the most common. They're the ones that test whether a password satisfies an unvarying list of rules. For example:

While well-intended, rules-based checkers still allow weak passwords, and can reject very strong passwords.

Worse, such rules are known not to increase password strength significantly. Most people adjust their password in predictable ways, and the site's rules tell crackers which candidate passwords they don't have to check, making their job easier.

Template-based checkers are more advanced. They rely on word lists and templates that define ways that people are known to adjust passwords to satisfy rules.

For example, a common template would be to capitalize the first letter of a word. Another would be to append a number or symbol. So the candidate password would be transformed into the candidates Password, Password1, Password!, and so on.

A template-based checker relies on a human to determine what those substitution templates are and guess at how much entropy each is worth.

This is just an arms race with the crackers, and one which history shows they will win.

Picking a better battlefield

Password crackers would love to generate password candidates in order from most likely to least, but they can't.

The best way to characterize how likely a password is would be a Markov model. But generating candidates from a Markov model in order, from most likely to least, would require unbounded scratch space. This is exactly why crackers use templates in preference to Markov models.

However, we don't need to generate passwords in entropy order, we only need to measure entropy for a given password. A Markov model is perfect for that!

Using a Markov model lets us use the statistics that crackers wish they could use, but can't. It allows passbits to learn all the most likely (and less likely) substitutions and human tendencies without needing a developer to come up with a list of templates and guess at their likelihoods.

Markov models can include an arbitrary level of precision, but at the cost of size.

passbits keeps the model from getting arbitrarily large by pruning the least-informative states and transitions, down to the size you want.

This lets it encode the most important information from a giant wordlist, without the network cost of transferring that giant wordlist. Even with a trimmed model, passbits can give more accurate measures for words, names, etc., because they still follow linguistically-common patterns.
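A small character-level Markov model in the spirit of the approach described above, added here as an illustration; this is not passbits' code, the wordlist is constructed, and the pruning rule (keep the most-observed contexts, let everything else fall back to a smoothing prior) is an assumption about what "least informative" means:

```python
import math
from collections import Counter, defaultdict

START, END = "\x02", "\x03"   # sentinel context / terminator symbols
ALPHABET = 96                 # printable ASCII plus END; only used for smoothing

def train(passwords, order=2):
    """Character-level Markov model: counts[context][next_char] over the wordlist."""
    counts = defaultdict(Counter)
    for pw in passwords:
        seq = [START] * order + list(pw) + [END]
        for i in range(order, len(seq)):
            counts["".join(seq[i - order:i])][seq[i]] += 1
    return counts

def bits(model, password, order=2, alpha=0.5):
    """Estimated entropy: sum of -log2 P(next | context) with additive smoothing.
    Contexts the (possibly pruned) model never saw fall back to a near-uniform guess,
    so unseen material is scored as roughly log2(ALPHABET) bits per character."""
    seq = [START] * order + list(password) + [END]
    total_bits = 0.0
    for i in range(order, len(seq)):
        row = model.get("".join(seq[i - order:i]), Counter())
        seen = sum(row.values())
        p = (row[seq[i]] + alpha) / (seen + alpha * ALPHABET)
        total_bits -= math.log2(p)
    return total_bits

def prune(model, max_states):
    """Keep only the max_states contexts with the most observations (a simple
    stand-in for 'least informative'; not passbits' own pruning rule)."""
    ranked = sorted(model.items(), key=lambda kv: sum(kv[1].values()), reverse=True)
    return dict(ranked[:max_states])

# Constructed toy wordlist, standing in for a real leaked-password corpus.
WORDLIST = ["password", "password1", "Password1", "password!", "passw0rd",
            "letmein", "iloveyou", "qwerty", "123456", "sunshine1", "Sunshine!"]

MODEL = train(WORDLIST)
SMALL = prune(MODEL, max_states=25)

if __name__ == "__main__":
    for pw in ["Password1", "Sunshine!", "x7#Qp2!v"]:
        print(f"{pw:10s} full={bits(MODEL, pw):5.1f} bits  pruned={bits(SMALL, pw):5.1f} bits")
```

With only eleven training strings the absolute numbers mean little; the point is the ordering, and that the pruned model still ranks the templated variants far below the random string.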

Use the passbits library

passbits is a library available in Javascript, Python, and possibly other languages.

You can host it on your own infrastructure, with no need to trust any third party with your users' passwords.

The Javascript version also supports running in client browsers.

Sign up below to be notified when passbits becomes available.