Password Strength module provides realistic password strength measurement and server-side enforcement for Drupal sites using pattern-matching and entropy calculation. Almost any type of password can be allowed so long as the password proves to be of high enough entropy. For inspiration see the XKCD comic on password strength.
How it's different
Other password enforcement tools are simplistic: they work by checking passwords on explicit rules like character count and amount of varying character types (symbols, numbers, uppercase letters, etc). A string like “Password1” will prove acceptable to such systems but are obviously weak and easily brute-forced.
How it works
Instead of checking on strict rules, Password Strength classifies the expected brute-force time for the summed entropy of common underlying patterns in the password. Patterns that can be detected in passwords include:
- Words that are found in a dictionary of common words, common first and last names, or common passwords.
- Words that are found in the dictionary, but with common "1337" or "leet" substitutions, such as 4 or @ for a, and 5 for s.
- Common sequences of letters (abcde), numbers (12345), or characters spatially near each other on common keyboards (qwerty).
- Three or more of the same characters, such as "aaa" or "8888".
- Dates or years, such as "1921" or "19-11-1978."
Password Strength relies on the PHP library Zxcvbn-PHP for password complexity measurement. Use Composer Manager or XAutoload to include the library with Password Strength. See the README.txt for more information.
Comparison to other modules and previous versions
Password Strength was a Drupal 5 and 6 module by jrbeeman that was decommissioned and replaced by Password Policy. Password Policy provides a system for defining explicit requirements on passwords. Password Strength differs by allowing nearly any password so long as the patterns that comprise it sum to a high entropy.