capikaw

Reputation: 12946

iOS Password Strength Checker

Looking for suggestions on a password strength checker for Objective-C. I did some googling and didn't find any hits, nor any here on SO. I could write one up but thought I'd check here first - has anyone implemented one?

Upvotes: 8

Views: 6244

Answers (3)

Dylan Hand

Reputation: 1400

Mattt Thompson created a library for this (see this answer). It's the best option I've found.

https://github.com/mattt/Navajo

Upvotes: 1

Ruben

Reputation: 290

I have created a method for this purpose. I know this is an old question, but I think it is still relevant now too, so here is the URL of the code:

https://github.com/ruben-samsonyan/PasswordStrengthChecker/blob/master/passwordChecker.m

Upvotes: 2

tc.

Reputation: 33592

I am only aware of two half-decent password strength estimators: zxcvbn (in CoffeeScript, compiles to JavaScript) and Passfault (in Java, appears to be intended as a webapp).

(Actually, that's a slight lie; there was one in a PhD thesis I read a while back, but I'm not sure where I put the link.)

Every other password "strength" checker I've looked at in any detail has been flawed, often deeply flawed (e.g. GRC's "haystacks" assumes a very dumb bruteforce; even open-source password crackers are much more sophisticated) — the other day, the password strength meter of a large UK loyalty card scheme told me that "1Aa" was a "GOOD" password ("GOOD" is the highest rating).

(The other problem is that the password strength required depends on how it's being used: a 48-bit password like "W1mCj6B1" is fine for a Google account but incredibly weak as a Windows/Mac login password or a WPA passphrase.)

I don't think you're likely to find a decent one in Objective-C, given their rarity. If you do end up writing one, I have a few suggestions:

  • Write it in C (or maybe C++). This won't cost you much and will be far more portable; Objective-C pretty much ties you to OS X and iOS in the same way that .NET ties you to Windows (i.e. in theory you can port the runtime to other platforms; in practice it will be much less used outside of those platforms). To increase usage, you could add an Objective-C API.
  • Decide what to do about non-ASCII characters (and non-English languages in general). There are essentially two options:
    • Disallow them (people are used to it, right?)
    • Map to ASCII for strength estimation, e.g. by stripping accents (see NSWidthInsensitiveSearch and NSDiacriticInsensitiveSearch) and jumping through some hoops to map ı/İ/ß to i/I/ss. There's also kCFStringTransformToLatin which promises to transliterate most scripts to the Latin alphabet. This bit doesn't need to be in C because it'll heavily depend on Unicode libraries, although you may be able to use ICU.

Finally, password strength estimation is a hard problem. Guess the strength of 2jmj7l5rSw0yVb_vlWAYkK_YBwk. Now ask Google.

Upvotes: 7
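
The "map to ASCII for strength estimation" option from tc.'s answer, sketched in portable C as an added example (not code from the answer or from any linked project). `fold_to_ascii` and its hand-written Latin-1 table are hypothetical stand-ins for the Foundation/ICU routes the answer names; any character it cannot map makes it return -1, which falls back to the answer's "disallow" option.

```c
#include <string.h>

/* Base letters for U+00C0..U+00FF; '?' = no single-letter base (e.g. Æ, ×, Þ). */
static const char LATIN1_BASE[] = "AAAAAA?CEEEEIIII?NOOOOO?OUUUUY??"
                                  "aaaaaa?ceeeeiiii?nooooo?ouuuuy?y";

/* Decode one UTF-8 sequence (1-3 bytes, i.e. the BMP). Returns bytes used, 0 if invalid. */
static size_t decode_utf8(const unsigned char *s, unsigned *cp) {
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0 && (s[1] & 0xC0) == 0x80) {
        *cp = ((s[0] & 0x1Fu) << 6) | (s[1] & 0x3Fu);
        return *cp >= 0x80 ? 2 : 0;            /* reject overlong encodings */
    }
    if ((s[0] & 0xF0) == 0xE0 && (s[1] & 0xC0) == 0x80 && (s[2] & 0xC0) == 0x80) {
        *cp = ((s[0] & 0x0Fu) << 12) | ((s[1] & 0x3Fu) << 6) | (s[2] & 0x3Fu);
        return *cp >= 0x800 ? 3 : 0;
    }
    return 0;
}

/* Fold NUL-terminated UTF-8 `in` to printable ASCII in `out` (capacity `cap`).
   Returns the length written, or -1 if a character has no mapping or `out` is too small. */
int fold_to_ascii(const char *in, char *out, size_t cap) {
    const unsigned char *p = (const unsigned char *)in;
    size_t n = 0, used, len;
    unsigned cp;
    if (cap == 0) return -1;
    while (*p) {
        char one[2] = {0, 0};
        const char *rep = one;
        if ((used = decode_utf8(p, &cp)) == 0) return -1;
        p += used;
        if (cp >= 0x0300 && cp <= 0x036F) continue;   /* combining accent: drop it */
        if (cp >= 0x20 && cp < 0x7F) one[0] = (char)cp;
        else if (cp == 0x00DF) rep = "ss";            /* ß */
        else if (cp == 0x0131) rep = "i";             /* ı (dotless i) */
        else if (cp == 0x0130) rep = "I";             /* İ (dotted capital I) */
        else if (cp >= 0xC0 && cp <= 0xFF && LATIN1_BASE[cp - 0xC0] != '?')
            one[0] = LATIN1_BASE[cp - 0xC0];          /* precomposed accented letter */
        else return -1;                               /* unmapped: caller rejects */
        len = strlen(rep);
        if (n + len >= cap) return -1;                /* keep room for the NUL */
        memcpy(out + n, rep, len);
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}
```

Run the estimator on the folded string, not the original, so that a password such as "pässwörd" is scored as the dictionary word it is.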
