nextcloud / strengthify Goto Github PK

View Code? Open in Web Editor NEW

49.0 8.0 19.0 324 KB

:lock::mag: Combine jQuery and zxcvbn to create a password strength meter

License: Other

CSS 8.19% JavaScript 63.45% HTML 28.36%

strengthify's Introduction

🔒🔍 strengthify

Combine jQuery and zxcvbn to create a password strength meter.

How to use

As of 0.5.0, the wrapper will be automatically added beneath the target input field

Add jquery (tested with 1.10.0), jquery.strengthify.js and strengthify.css to your document.

If using the message option, include bootstrap.

If using the titles option, include bootstrap's tooltip.js,

<script src="jquery-1.10.0.min.js"></script>
<script src="tooltip.js"></script>
<script src="jquery.strengthify.js"></script>
<link rel="stylesheet" href="bootstrap.min.css" type="text/css">
<link rel="stylesheet" href="strengthify.css" type="text/css">

Because zxcvbn is really heavyweight, it will be loaded asynchronously from zxcvbn/zxcvbn.js. This can however be configured with an optional parameter.

Then call .strengthify on the password input field.

$('#password-field').strengthify()

That's it. Now the password strength meter will be updated after each keystroke.

Configuration

The path and the title of the different strength categories can be configured with the first parameter of .strengthify.

userInputs: an array of strings that zxcvbn will treat as an extra dictionary
drawTitles: pop-up text (above)
drawMessage: detailed message beneath input
drawBars: password strength color progression bars beneath input
$addAfter: element after which the strengthify element should be inserted
nonce: a nonce that is added to the `<script>` tag to load the zxcvbn.js file asynchronously

Default:

{
  "zxcvbn": "zxcvbn/zxcvbn.js",
  "userInputs": [],
  "titles": [
    "Weakest",
    "Weak",
    "So-so",
    "Good",
    "Perfect"
  ],
  "drawTitles": false,
  "drawMessage": false,
  "drawBars": true,
  "$addAfter": null
}

Overwrite example:

$('#password-field').strengthify({zxcvbn: 'my/path/to/zxcvbn.js'})

Use 'onResult' callback option like:

$('#password-field').strengthify({
    zxcvbn: 'my/path/to/zxcvbn.js',
    onResult: function(result) {
        var submitBtn = $('input[type=submit]');
      
        if (result.score < 3) {
          submitBtn.prop('disabled', 'disabled');
        } else {
          submitBtn.prop('disabled', false);
        }
    }
})

Versions

0.5.9

Don't overdo the strength check, the first 100 chars are enough (#32)

0.5.8

wait for load of script before binding (#28)

0.5.7

add option for user input (#27)

0.5.6

set the nonce properly in all browsers (#24)

0.5.5

allow to specify a nonce for the loaded script (#23)

0.5.4

do not use `eval()` anymore (#19)

0.5.3

make possible to specify the element to add the strength bar after (#20)
provide minified version (#16)

0.5.2

use eval directly (#14)
added missing break (#13)

0.5.1

add tilesOptions (#10) - you can choose now between tooltip and element or both - thanks to @feirer

0.5.0

fairly substantial changes:

added feedback message
$.each(...) functionality
restructuring wrapping
feature flags

"strengthify-wrapper" added automatically beneath target input

0.4.1

hotfix for missing ;

0.4

syntax and performance cleanups

0.3

some fixes:

migrate from "display" to "opacity"
fix pasting to input field
add tipsy with strength

0.2

solve mimetype issues

0.1

Initial version

strengthify's People

Contributors

Stargazers

Watchers

Forkers

johnrees nlwillia eve-corp feirer wesamly enderlabs lukasreschke rullzer donnchac danxuliu nickepoch huguin65 alioso christophwurst welch3694 sinasalek ns-boudart mountainlandbot iq-scm

strengthify's Issues

version number in source is wrong

The version number in the jquery.strengthify.js file (line 5) is 0.5.2... that should be 0.5.3. Took a while to find out why my code wasn't executing the onResult function, while my version of the source matched the version on github :-)

Provide min version

Would be nice if also a minified version (and a map file) could be generated. I know the code isn't huge. But still.

missing break;

in jquery.strengthify.js
line 110
case 3:
css = 'password-good';
bsLevel = 'info';
message = "Getting better.";

missing closing break;

Many javascript errors ...

like missing semicolon which can cause issues in case the file is minified - refs owncloud/core#10327

NPM package?

Hi, thanks for the great tool.

Is there an NPM package available? I can't seem to find one.

Ability to customise messages

Is it possible to customise the message. The message 'Getting better. (4/4 required though)' is causing some cognitive confusion with users as they see the 4/4 and can't understand why their password isn't accepted. Our support desk is getting a number of calls

Tip: Make a demo page

Will be nicer if add demo page 👍
Try Github Pages.

Bower listing

Please add your package to bowers listing http://bower.io/docs/creating-packages/

Allow to provide CSP Nonce

Would be great if we could somehow pass in an CSP nonce so we can load this as well on strict CSP pages.

eval() call prevents script-src CSP

CSP is an extremely useful setting for securing websites. Currently strengthify cannot coexist with secure script configurations, as it uses eval() in strengthify.js on approximately line 200.

A quick fix is replacing:

            $.ajax({
                cache: true,
                url: options.zxcvbn
            }).done(function(content) {
                eval(content);
                $elem.bind('keyup input change', drawSelf);
            });

with:

            $elem.parent().on('scroll', drawSelf);
            $.getScript(options.zxcvbn);
            $elem.bind('keyup input change', drawSelf);

I'm unsure of any negative side effects of this, but I haven't noticed any, and CSP is now happy!