Password strength checking library

Java, Passwords

Java Problem Overview


Can anyone recommend a Java library that contains methods that are suitable for performing server-side password strength checking in a webapp? Ideally the checker should be:

  • configurable, allowing the deployer to supply different dictionaries, adjust weights of different criteria, and so on
  • extensible, allowing new criteria to be implemented if required
  • implemented in pure Java
  • not fundamentally intertwined with tag libraries, UI components or "password management" functionality
  • compatible with a GPL 3 project
  • compatible with Spring wiring
  • mavenized (ideally available through Maven Central)

Java Solutions


Solution 1 - Java

Have a look at vt-password:

  • configurable, allowing the deployer to supply different dictionaries, adjust weights of different criteria, and so on - Partially (yes to configurable, dictionaries, no to weighted criteria)
  • extensible, allowing new criteria to be implemented if required - Yes
  • implemented in pure Java - Yes (and decent javadoc)
  • not fundamentally intertwined with tag libraries, UI components or "password management" functionality - Yes
  • compatible with a GPL 3 project - Yes (LGPLv3/APLv2 dual-licensed as of November 2013)
  • compatible with Spring wiring - Looks like
  • mavenized (ideally available through Maven Central) - Yes (in central since version 3.0)

Update by @Stephen C.

The guys who do vt-password have made a number of API improvements since the question was originally answered, and one of the outcomes is that the classes are much easier to configure using Spring IoC. They have also uploaded it to Maven Central: http://mvnrepository.com/artifact/edu.vt.middleware/vt-password


Update 2020: vt-password has been replaced, sort of, by Passay
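
The question's "configurable dictionaries" and "extensible criteria" requirements, sketched with Passay (the successor named above). This is an added example, not code from the question or either answer. It assumes Passay 1.6.x on the classpath; `SiteNameRule`, the error code `CONTAINS_SITE_NAME`, the word list and the candidate passwords are constructed for illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.Locale;
import org.passay.*;
import org.passay.dictionary.ArrayWordList;
import org.passay.dictionary.WordListDictionary;

public class PasswordPolicyExample {

    // Hypothetical custom criterion: reject passwords that contain the site name.
    static final class SiteNameRule implements Rule {
        private final String siteName;

        SiteNameRule(String siteName) { this.siteName = siteName.toLowerCase(Locale.ROOT); }

        @Override
        public RuleResult validate(PasswordData data) {
            if (!data.getPassword().toLowerCase(Locale.ROOT).contains(siteName)) {
                return new RuleResult(true);
            }
            return new RuleResult(false, new RuleResultDetail("CONTAINS_SITE_NAME",
                Collections.<String, Object>singletonMap("siteName", siteName)));
        }
    }

    public static void main(String[] args) {
        // Constructed sample dictionary; a deployer would load their own word list.
        // ArrayWordList expects a sorted array; 'false' makes lookups case-insensitive.
        String[] words = {"dragon", "letmein", "password", "qwerty"};
        Arrays.sort(words);
        WordListDictionary dictionary = new WordListDictionary(new ArrayWordList(words, false));

        // The policy is just a list of Rule objects: built-in rules plus the custom one.
        PasswordValidator validator = new PasswordValidator(
            new LengthRule(12, 128),
            new CharacterRule(EnglishCharacterData.Digit, 1),
            new DictionarySubstringRule(dictionary),
            new SiteNameRule("examplesite"));

        // Constructed candidates; print the verdict and the error code of each failed rule.
        for (String candidate : new String[] {"Password2024!!", "ExampleSite-9x7Qm", "tr4vel-Quartz-lamp"}) {
            RuleResult result = validator.validate(new PasswordData(candidate));
            System.out.println(candidate + " -> " + (result.isValid() ? "accepted" : "rejected"));
            for (RuleResultDetail detail : result.getDetails()) {
                System.out.println("  " + detail.getErrorCode());
            }
        }
    }
}
```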

Solution 2 - Java

This is a followup answer to say that I did use vt-password, and I'm happy with the results.

I started out with vt-password version 2.0 and hacked it around a bit to get it to work with Spring wiring, and address the thread safety issues I alluded to in my comments on @Pascal's answer. That was enough to get on with.

A few weeks back, the vt-middleware team released vt-password 3.0, based (in small part) on my feedback concerning 2.0. This new release addressed all of the issues I had hacked around, and I have now ditched my local mods and am using vt-password 3.0 as is. They have also uploaded their stuff to Maven Central, and improved the online documentation.

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

| Content Type | Original Author | Original Content on Stackoverflow |
| --- | --- | --- |
| Question | Stephen C | View Question on Stackoverflow |
| Solution 1 - Java | Pascal Thivent | View Answer on Stackoverflow |
| Solution 2 - Java | Stephen C | View Answer on Stackoverflow |