This was a request by someone and, as the title says, it's meant to show how hard a password is to brute-force. It takes into account character diversity, repetition, succession and size to generate a strength score.
But what do I mean by that? Well, this is what I mean:
- diversity: Is meant to reward passwords that contain lowercase and uppercase letters as well as digits and symbols. More diversity means a greater score. Examples:
  - h%s4(k&^s yields a score of 45 (the following, even though not as diverse as this one, are rewarded by the size and succession checks)
  - s62h356fs yields a score of 36
  - 374652942 yields a score of 32
  - ajshwfown yields a score of 41
- repetition: Is meant to punish passwords that have repeating characters. Examples:
  - aabbccdde yields a score of 11
  - aaaaaaaaa yields a score of -4
  - 882222999 yields a score of 21
  - %%%^&&&(( yields a score of 23
- succession: Is meant to punish passwords that contain successive characters. Examples:
  - abcdefghi yields a score of 3
  - 123456789 yields a score of 3
  - !"#$%&() yields a score of 7
  - abc123xyz yields a score of 22
As you can see, passwords that have a score greater than 10 are likely to be harder to brute-force. And those with scores greater than 20, 30, 40 are right there on the insane scale. Length also plays an important role.
What this doesn't check for are dumb passwords like "passwords", "qwertyui", "asdfghj", "mypass". For these things, you must implement your own rainbow-table and do a manual check. There's only so much that a function like this can do.
Anyway, here's the snippet:
```squirrel
function PasswordStrength(p)
{
    // Ignore empty or dumb passwords
    if (!p || p.len() <= 1) return -999;
    // Preallocate all variables upfront:
    //   d/u/l/s = distinct digits/uppercase/lowercase/symbols seen
    //   r = repeated characters, t = running score (starts at the length)
    //   a = occurrence counters, one slot per byte value 0..255
    //       (was 0xFF, which left no slot for character code 255)
    local d = 0, u = 0, l = 0, s = 0, r = 0, a = array(0x100, 0), t = p.len();
    // Classify characters
    foreach (c in p)
    {
        // Count repetition (a repeated character is not counted for diversity again)
        if (++a[c] > 1) ++r;
        // Count diversity
        else if (c >= '0' && c <= '9') ++d;
        else if (c >= 'A' && c <= 'Z') ++u;
        else if (c >= 'a' && c <= 'z') ++l;
        else if (c >= ' ' && c <= '/') ++s;
        else if (c >= ':' && c <= '@') ++s;
        else if (c >= '[' && c <= '`') ++s;
        else if (c >= '{' && c <= '~') ++s;
    }
    // Score diversity: reward each class that is present, punish each missing one
    if (d > 0) t += d; else t -= 2;
    if (u > 0) t += u; else t -= 2;
    if (l > 0) t += l; else t -= 2;
    if (s > 0) t += s; else t -= 2;
    // Score repetition
    if ((p.len() - r) < 3) t -= r; else t += p.len();
    // Score succession:
    //   j/k = previous/current character, x = distance between them,
    //   o = number of distance-1 steps in the current run
    for (local i = 2, j = p[0], k = p[1], x = abs(k - j), o = (x == 1).tointeger(), n = p.len();
         i < n;
         j = k, k = p[i], ++i, x = abs(k - j), o += (x == 1).tointeger())
    {
        if (x == 1) {
            // Neighbouring characters: the longer the run, the bigger the penalty
            if (o > 2) t -= 3;
            else if (o > 1) t -= 2;
            else if (o > 0) t -= 1;
        } else if (x > 3) t += 3, o = 0;
        else if (x > 2) t += 2, o = 0;
        else if (x > 1) t += 1, o = 0;
    }
    // Return resulted score
    return t;
}
```
NOTE: This is a dumb algorithm made on the fly. No books or guides were hurt in the process. Therefore, it may have weaknesses and is far from perfect. But it's something.
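The check the post says the function leaves out, as an added example that is not part of the original post or the author's code: a lookup against a list of known-weak passwords plus a keyboard-walk test, run before `PasswordStrength`. The names `WEAK_PASSWORDS`, `KEY_ROWS`, `StripTrailingDigits`, `HasKeyboardWalk`, `IsKnownWeak` and `RatePassword` are hypothetical, and the list holds only sample entries taken from this thread.

```squirrel
// Added example; every name defined here is hypothetical.
// Sample entries only: a real server would load a much larger list.
WEAK_PASSWORDS <- {
    ["password"] = true, ["passwords"] = true, ["mypass"] = true,
    ["qwertyui"] = true, ["asdfghj"] = true,
    ["121212"] = true, ["123123"] = true
};

// Keyboard rows used to spot left-to-right "walks" such as qwer or hjkl.
KEY_ROWS <- ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];

// Drop trailing digits so "mypass2017" is looked up as "mypass".
function StripTrailingDigits(s)
{
    local n = s.len();
    while (n > 0 && s[n - 1] >= '0' && s[n - 1] <= '9') --n;
    return s.slice(0, n);
}

// True if any 4-character window of s appears inside a keyboard row.
function HasKeyboardWalk(s)
{
    for (local i = 0; i + 4 <= s.len(); ++i)
    {
        local w = s.slice(i, i + 4);
        foreach (row in KEY_ROWS)
            if (row.find(w) != null) return true;
    }
    return false;
}

// Case-insensitive lookup, with and without trailing digits, then the walk test.
function IsKnownWeak(p)
{
    local s = p.tolower();
    if (s in WEAK_PASSWORDS) return true;
    local base = StripTrailingDigits(s);
    if (base.len() > 0 && (base in WEAK_PASSWORDS)) return true;
    return HasKeyboardWalk(s);
}

// Returns -999 (the snippet's own rejection value) for known-weak input,
// otherwise the PasswordStrength score.
function RatePassword(p)
{
    if (!p || p.len() <= 1 || IsKnownWeak(p)) return -999;
    return PasswordStrength(p);
}
```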
The only server I've seen with such a feature is @Drake's XE Server.
Great release! Maybe players will be influenced by the result of their pass strength, and make it harder to guess.
Cool feature, but in fact, it's just vc-mp, I use password 121212 or 123123 for almost all servers and I don't really care about my accounts there. I do not want servers forcing me to store a normal password just to play there (storing, because I won't even try to remember it).
Quote from: vito on Apr 11, 2017, 05:28 AM
Cool feature, but in fact, it's just vc-mp, I use password 121212 or 123123 for almost all servers and I don't really care about my accounts there. I do not want servers forcing me to store a normal password just to play there (storing, because I won't even try to remember it).
You say that because you play on servers where the database is dropped every few days when some magic thing happens and the dev either failed at migrating changes or didn't know how. So it was easier to start from scratch.
What I'm saying is that you're playing mostly on servers where a database is just a joke and not there to stay. Therefore, it would be useless to care about an account.
But if the situation were different, you'd care about not having your account broken. And you'd b!tch about it to the owner if that happened.
Either way. That's your choice and your problem. Not mine.
Quote from: happymint on Apr 11, 2017, 05:33 AM
But if the situation were different, you'd care about not having your account broken. And you'd b!tch about it to the owner if that happened.
Either way. That's your choice and your problem. Not mine.
Not really, if my account were hacked there (it never was before) I would just create a new one.
The problem is everyone thinks his server is awesome and needs to force players to use strong passwords (like XE for example). So I used a random password for it and don't even remember it, and now if I wanted to play there I would have to register a new account.
Mainly it's a good feature as a tip for the player if it allows the use of simple passwords.
Quote from: vito on Apr 11, 2017, 05:51 AM
Mainly it's a good feature as a tip for the player
Totally agree. This is why I used the word "influence".
Quote from: sseebbyy on Apr 10, 2017, 11:41 PM
Maybe players will be influenced by the result of their pass strength, and make it harder to guess.
Players shouldn't be forced to write a harder password, but only be warned about how good/bad their pass is.