Bite-sized screencasts for React
and frontend developers

Build a password strength checker with zxcvbn and React

posted on: 06-jan-2018

Hello and Wellcome ! In this episode we are gone to tackle a very common problem. How to set secure passwords for your users. One interesting library I've discovered these days is ZXCVBN and is made by the guys from Dropbox.

These examples are created by using create-react-app. You can check here a short guide on how to setup your machine to run the code samples.

In case you are wondering how they came up with such an, let's say, interesting name, it's the sequence made of these keys. And yes, a lot of users are setting this as a password.

Coming back, this library provides a fast way to evaluate how secure a password is.

It does not only checks for general security patterns like a minimum length or a specific number of alpha numeric characters, but also more advanced stuff like not using default words from the standard dictionary or common used passwords.

In the the starting files for this project, after the standard npm install, I will run install zxcvbn and add the dash save flag at then end. After the installation is done I can write npm start and we are good to go.

Wen we run the initial app we will see this input. I know this should be declared of type password, but for now I will just leave it to text to be able to see what we type in here.

Keep in mind that this is a controlled react input, so here you can see the corresponding state declaration, and this onChange handler that just reads the password, does a console log and updates the state.

For example now if I start to write something we will see the output in the console.

Having the library installed at the previous step I can add the import statement for it. It is quite straightforward to use this library. First I will make a new constant called evaluation ,and next use this zxcvbn object and send the password.

Finally I will console log the evaluation and delete the former console log the password.

Let's get a look at the result. If I type test as a password I will get this output. In this object we have all kinds of information. For example in the feedback we get a list of suggestions of what we can do to make our passwords more secure.

Also here we will see some statistics about how long it will take for this test password to be cracked using some different approaches.

And maybe the most important metric, is this score. This is a value ranging from 0 to 4, and is telling us the overall security level of our password.

Whit this in mind I will go and add in to the state, the score from the evaluation and the suggestions from the feedback.

We will need to show them into the view, so next I will use a destructor to retrieve the score and the suggestions from the state.

The score will be displayed here ... and will also add this unordered list as the container for the suggestions.

The suggestions are an array, so here I will take the suggestions and apply a map. The map will be manipulated by this arrow function, that will return a li element with a suggestion.

If we save this error will pop. This is happening because in here we are trying to access the suggestions but we don't have a default value for it on the state. To fix it I will initialize the suggestions to an empty array.

Finally we will also need to add in here that ... the key equals index, in order to avoid the famous React warning "each child should have a unique key". And with this we should be good to go.

For example , in here, if I type test as a password ... of course I will get 0 as a security score. Test with a capital T will only bring us a new warning , capitalization not helping too much.

With some extra repeated characters we will increase the score, but it will also tell us not to repeat words or characters.

And finally if we go completely random we will increase the security level to 3 and 4. As we said, this library uses dictionaries to identifies common words.

But the cool stuff is that we can plug in our custom words. For example, let's say upon registration someone sets his username to jscraftdaniel25. This will get a nice security score of 4.

However this is not the best idea to have as a password, as is the same with the username. To deal with this case, I can add here a extra list of words not to be set as passwords.

And with this new setup if I try to set my password to be the same as the username I will get a score of 0.

Of course we can never build the unbreakable password, but with this extra layer of security we can definalty improve things.

If you have some questions let me know in the comments below. I'm Daniel, thanks for watching and see you the next time. Cheers!