
Mellt

A brute force password checker that returns a meaningful number describing the real world strength of your password


Description

Mellt tests the strength of a password by calculating how long it would take to brute force it. Unlike most password strength checkers that just require one of each lowercase/uppercase/number/special char/at least 6 characters/etc, Mellt approaches the problem the same way a password cracker would, and returns a meaningful number you can use in determining the strength of a password.
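To make the "days to crack" idea concrete, here is an added example in the spirit of Mellt's approach; it is not Mellt's own code, and the character-set sizes, the assumed guess rate and the tiny common-password list are all assumptions, not values taken from the project.

```javascript
// Added example, not Mellt's implementation. Estimates how long an offline
// brute-force attack would need to exhaust the keyspace a password lives in.

// Constructed sample of a common-password list (the real one has 10,000 entries).
const COMMON_PASSWORDS = new Set(["password", "123456", "qwerty", "letmein"]);

// Assumed attacker speed against a hashed table, in guesses per second.
const GUESSES_PER_SECOND = 1e9;

// Size of the smallest character set an attacker must search to cover every
// character class present in the password. The set sizes are assumptions.
function charsetSize(password) {
  let size = 0;
  if (/[a-z]/.test(password)) size += 26;
  if (/[A-Z]/.test(password)) size += 26;
  if (/[0-9]/.test(password)) size += 10;
  if (/[^a-zA-Z0-9]/.test(password)) size += 33; // printable ASCII symbols and space
  return size;
}

// Worst-case days to crack. Passwords on the common list return 0 because a
// dictionary pass finds them before any brute force starts (comparison is
// case-insensitive here; that is an assumption of this example).
function daysToCrack(password) {
  if (password.length === 0) return 0;
  if (COMMON_PASSWORDS.has(password.toLowerCase())) return 0;
  const base = charsetSize(password);
  // An attacker tries shorter candidates first, so every length up to this
  // one is part of the search space.
  let combinations = 0;
  for (let len = 1; len <= password.length; len++) {
    combinations += Math.pow(base, len);
  }
  const seconds = combinations / GUESSES_PER_SECOND;
  return seconds / 86400;
}

// Policy gate a signup form could apply: only accept passwords whose estimate
// clears the threshold the developer chooses.
function acceptable(password, minDays) {
  return daysToCrack(password) >= minDays;
}
```

The estimate grows with both length and character-set size, which is why adding characters to a password helps far more than swapping one symbol for another.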

Try it out


This form uses the Javascript version of Mellt. No data is collected, and nothing leaves your computer. If you're extra paranoid (excellent) you can download the code, examine it, and run it on your own computer.

Usage

PHP

include('Mellt.class.php');
$mellt = new Mellt();
$daysToCrack = $mellt->CheckPassword('my password');

Javascript

<script src="Mellt.js"></script>
<!-- Make sure common-passwords.js is included AFTER Mellt.js -->
<script src="common-passwords.js"></script>
<script>
var mellt = new Mellt();
var daysToCrack = mellt.CheckPassword('my password');
</script>

nodejs

var mellt = require("./lib/Mellt");
var daysToCrack = mellt.CheckPassword('my password');

Tips for passing Mellt

There are a couple of easy things you can do to quickly increase the strength of your passwords in a way that Mellt recognizes.

Security Q&A

Q: Those wacky crackers can see Mellt's code! They'll just use that to simplify their brute force attacks (e.g. reversing the character sets)!

A: The benefit to the attacker of seeing the source to Mellt is negligible. No user is going to think to themselves "I can save one character if I use z's instead of a's". Their favorite password will be banned because it's too weak and they'll pick something stronger (versus just adding a $ to the end) - that's the purpose of these scripts.

Q: You include the top 10,000 common passwords, won't people (and crackers) just use the 10,001st most common?

A: No, people don't work that way - they don't move down the list trying each one in turn. The purpose of banning the most common passwords is to prevent people from being lazy and using "password". Once you prevent that, you force them to be a little more creative and come up with something better.

Q: "pass123$" isn't on the common list, but it's a terrible password! You should ban it!

A: No, if it's not on the list of 10,000 most common, it's probably not that common. And the attacker doesn't know that it's a bad password when s/he starts trying to break it, so they need to try all the combinations to get there. "pass123$" is not a good password, but it's not "12345" bad. It's up to you as the developer implementing Mellt to decide the level of security you want to enforce. "pass123$" takes about 2 days via brute force, so set your limit to be higher than that if you don't want it allowed.

Q: Why do I need this tool? I'm hashing my passwords / preventing multiple attempts per second / etc...

A: Mellt is assuming the attacker has your database of passwords. Of course you need to be hashing them (please tell me you're not using MD5) but even with a properly salted+hashed password table it can be brute forced pretty quickly if the passwords are weak. Mellt is just another piece of the pie in making the attacker's life more difficult.

Credits

Much of the logic / concept behind Mellt is based on the description of the TGP Password Strength Checker by Timothy "Thor" Mullen.

The included common-passwords.txt contains the 10,000 most common passwords from Mark Burnett's excellent password collection.

The PHP and Javascript implementations were developed by ravisorg.

The Node.js implementation was developed by SeanJA.

License

Mellt is licensed under the Modified BSD License (aka the 3 Clause BSD). Basically you can use it for any purpose, including commercial, so long as you leave the copyright notice intact and don't use my name or the names of any other contributors to promote products derived from Mellt.

Copyright (c) 2012, ravisorg
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
    * Redistributions of source code must retain the above copyright
      notice, this list of conditions and the following disclaimer.
    * Redistributions in binary form must reproduce the above copyright
      notice, this list of conditions and the following disclaimer in the
      documentation and/or other materials provided with the distribution.
    * Neither the name of the Travis Richardson nor the names of its 
      contributors may be used to endorse or promote products derived 
      from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL TRAVIS RICHARDSON BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.