javascript - Real-time password rule checker? - Stack Overflow

I am doing a bit of preliminary investigation for my school (I work for the IT department as a student). The students here have to change their passwords every 6 months, and many of them struggle with the (many) password rules that are enforced. That is, they often have to make several attempts at setting a new password.

The rules are:

  • Must be 8 characters or more in length
  • Must contain 3 of 4 types of characters (capital, lowercase, number, special character)
  • Must not contain the user's first, last or middle name
  • Must not contain the user's username
  • Must not match any password used before
  • User must type password in twice, and typed passwords must match exactly

I have a few questions:

  • Is it possible to create a web-based password checker that provides real-time feedback as the user types in their new password? I am imagining a checklist on one side of the web-page where green checkmarks are activated as the password meets more criteria.
  • Is it possible to perform this checking securely and entirely client-side?
  • Where would one start on such a task? Is there a guide you can recommend?

Please keep in mind that I am not a web developer. Also, please leave any witty comments like "change the password policy" or "they're just dumb users" out of here.

asked May 12, 2011 at 14:48 by Adam S (edited May 12, 2011 at 15:19)
  • Capital and Uppercase are different types?! – Quentin Commented May 12, 2011 at 14:50
  • I am certain it's possible, as I have seen it done on several sites - unfortunately I don't remember which... but at least you know it's possible! Good luck! – Eilidh Commented May 12, 2011 at 14:50

5 Answers

Is it possible to create a web-based password checker that provides real-time feedback as the user types in their new password? I am imagining a checklist on one side of the web-page where green checkmarks are activated as the password meets more criteria.

Yes.

Is it possible to perform this checking securely

As the lights go green, it exposes information about where in a password the requirements are met. That will leak data about the password to anyone who can see the screen.

and entirely client-side?

Yes.

Where would one start on such a task?

A list of rules in the HTML document with a FAIL image next to each one. Programmatic versions of the rules in JS. Then just test each rule in turn in a loop on each keypress event on the password input and swap PASS and FAIL images depending on whether the rule is followed or not.

You'll need to hit the server with an XMLHttpRequest object to check if a password has been used before. Make sure you only store hashed and salted passwords there though.

Please keep in mind that I am not a web developer.

Then I recommend you get one or become one.

Also, please leave any witty ments like "change the password policy"

Fine, leaving the wit aside and sticking to the serious issue:

If people have problems coming up with passwords that conform to the policy, then they will have problems remembering them. This will lead to an increase in people having to have them reset (more work for the IT dept) and in people writing them down (which is probably going to be less secure than a password that is easier to guess / brute force).

Most of the rules you specify can be checked in real time using javascript, more specifically using regular expressions. Checking whether the password has been used before should be done on the server side to be secure.
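Putting the approach from the two answers above into code (each rule as a JS function re-run on every keystroke, regular expressions for the character classes), as an added example that is not from the question or any answer. The user profile object, the marker elements and the sample passwords are assumed values for illustration.

```javascript
// Rule checker as pure functions so every rule can be re-evaluated on each
// "input" event and mapped to a PASS/FAIL marker in the checklist.
// The user's names and username are assumed to be supplied by the page
// (server-rendered for the logged-in user); the values in the tests are constructed.
const CHAR_CLASSES = [/[A-Z]/, /[a-z]/, /[0-9]/, /[^A-Za-z0-9]/];

const RULES = [
  { id: 'length',   text: 'At least 8 characters',
    test: (pw) => pw.length >= 8 },
  { id: 'classes',  text: 'At least 3 of 4 character types (upper, lower, digit, special)',
    test: (pw) => CHAR_CLASSES.filter((re) => re.test(pw)).length >= 3 },
  { id: 'names',    text: 'Does not contain your first, middle or last name',
    // Case-insensitive substring check; an empty entry (no middle name) is skipped.
    test: (pw, user) => !user.names.filter(Boolean)
      .some((n) => pw.toLowerCase().includes(n.toLowerCase())) },
  { id: 'username', text: 'Does not contain your username',
    test: (pw, user) => !pw.toLowerCase().includes(user.username.toLowerCase()) },
  { id: 'confirm',  text: 'Both entries match exactly',
    test: (pw, user, confirm) => pw.length > 0 && pw === confirm },
];

// Returns [{id, text, passed}] for every rule; "passed" drives the PASS/FAIL marker.
function checkRules(pw, user, confirm) {
  return RULES.map((r) => ({ id: r.id, text: r.text, passed: r.test(pw, user, confirm) }));
}

function allPassed(results) {
  return results.every((r) => r.passed);
}

// Browser wiring: re-run the checklist whenever either field changes.
// "markers" maps each rule id to the element showing its PASS/FAIL state.
// The "not used before" rule is deliberately absent here: it is answered by the
// server at submit time against salted hashes, and the server re-validates every
// rule regardless of what the client displayed.
function attachChecklist(pwInput, confirmInput, user, markers) {
  const update = () => {
    for (const r of checkRules(pwInput.value, user, confirmInput.value)) {
      markers[r.id].textContent = r.passed ? 'PASS' : 'FAIL';
    }
  };
  pwInput.addEventListener('input', update);
  confirmInput.addEventListener('input', update);
  update();
}
```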

Is it possible to create a web-based password checker that provides real-time feedback as the user types in their new password? I am imagining a checklist on one side of the web-page where green checkmarks are activated as the password meets more criteria.

Yes, but you will need to know some javascript to do it.

Is it possible to perform this checking securely and entirely client-side?

No, and yes, or yes and no, but not both. You can do the check entirely client-side (except for checking against previous passwords, which would need database access). But nothing, NOTHING, on the client-side is ever secure. Anything you do on the client-side should be considered a help to the user. All validation must always be made again on the server.

I don't want to be a smart-ass and tell you to change the password policy, and doing so because validation would be "hard to do" would be a bad choice, but I would like to recommend the following article to the one that has decided on the password policy: http://www.baekdal.com/tips/password-security-usability

  • Must not match any password used before <--that one is the only one that has to be performed server side, but can be done securely using hashes or some form or encryption, because a client side copy of said passwords would not be a good thing.

Regexp's are probably where you'd wanna start. If you're unfamiliar with regexp's in web development, I'd suggest you start here: http://www.w3schools.com/jsref/jsref_obj_regexp.asp. If you truly have no experience in web development, I'd have to ask how you got stuck with a job where you'd have to learn a new language to accomplish a relatively simple task. You'll definitely need to have an understanding of javascript to do something like this all client side. Oh, and I wouldn't recommend testing

Must not match any password used before

It's too risky to do this in a simple way client side and complicated to do it securely without bringing in help from outside libraries, etc. Hope this helps and good luck!
