How To Correctly Validate Passwords - Most Websites Do It Wrong

By Lane Wagner on Oct 15, 2020

You’ve probably visited a site and attempted to sign up only to be met with errors such as:

I just released a package in Go that solves this problem. Check it out and give it a star here: go-password-validator. If you want to understand how it works, and how to properly validate user passwords, read on.

Not only are the rules above quite annoying, but they can also be a security flaw in the system. Take for example a strong passphrase: super worm eaten human trike. That passphrase has plenty of entropy (randomness) but it wouldn’t pass the first two validation steps given above. XKCD puts this best:

XKCD passphrases - correct horse battery staple

The Problem - Allow Users to Use Any Password Format as Long as It Has Enough Entropy

We don’t care if a password only has lowercase letters if it’s long. All that matters is the entropy. Entropy in this context refers to the number of brute-force guesses it would take to guess a password, and we measure it in bits: a password with n bits of entropy takes about 2^n guesses. Refer to the following chart to see how various entropy levels contribute to the time it takes to brute force a password.

Entropy scores measured in bits

How To Determine Entropy Given a Password

The way go-password-validator works is my favorite (obviously, I wrote it), but there is certainly room for improvement. Let’s take a look at the process. From its Readme:

First, we determine the “base” number. The base is a sum of the different “character sets” found in the password.

The current character sets include:

Using at least one character from each set, your base number will be 94: 26+26+10+32 = 94.

Every unique character that doesn’t match one of those sets will add 1 to the base.

If you only use, for example, lowercase letters and numbers, your base will be 36: 26+10 = 36.

After we have calculated a base, the total number of brute-force guesses is found using the following formula: base^length.

A password using base 26 with 7 characters would require 26^7, or 8031810176 guesses.

Once we know the number of guesses it would take, we can calculate the actual entropy in bits using log2(guesses).
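As an added example (not code from this post or from go-password-validator itself), here is a small Go program that carries the steps above through end to end. The post gives the sizes of the four character sets (26, 26, 10 and 32) but not their contents, so this assumes ASCII lowercase, uppercase, digits and the 32 ASCII punctuation characters; any other rune (a space, an emoji) adds one to the base, as the text describes. Entropy is computed as length * log2(base), which equals log2(base^length) but does not overflow float64 for long passphrases.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Assumed character sets: the page states their sizes (26+26+10+32 = 94)
// but not their contents, so ASCII lowercase, uppercase, digits and the
// 32 ASCII punctuation characters are used here.
const (
	lowercase = "abcdefghijklmnopqrstuvwxyz"
	uppercase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits    = "0123456789"
	specials  = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
)

// Base sums the sizes of every character set the password draws from and
// adds 1 for each unique character that belongs to none of the sets.
func Base(password string) float64 {
	sets := []string{lowercase, uppercase, digits, specials}
	used := make([]bool, len(sets))
	extra := map[rune]bool{} // unique out-of-set characters
	for _, r := range password {
		matched := false
		for i, set := range sets {
			if strings.ContainsRune(set, r) {
				used[i] = true
				matched = true
				break
			}
		}
		if !matched {
			extra[r] = true
		}
	}
	base := 0
	for i, set := range sets {
		if used[i] {
			base += len(set)
		}
	}
	return float64(base + len(extra))
}

// Guesses returns base^length, the size of the brute-force search space.
// For long inputs this can exceed float64 range; prefer Entropy for scoring.
func Guesses(password string) float64 {
	n := float64(len([]rune(password)))
	return math.Pow(Base(password), n)
}

// Entropy returns log2(base^length) = length * log2(base), in bits,
// computed without materialising the (possibly huge) guess count.
func Entropy(password string) float64 {
	n := float64(len([]rune(password)))
	if n == 0 {
		return 0
	}
	return n * math.Log2(Base(password))
}

func main() {
	// Constructed sample inputs: the post's 7-char base-26 case, a
	// "complex" short password, and the passphrase from the post.
	for _, pw := range []string{"abcdefg", "P@ssw0rd", "super worm eaten human trike"} {
		fmt.Printf("%-30q base=%3.0f guesses=%.4g entropy=%.1f bits\n",
			pw, Base(pw), Guesses(pw), Entropy(pw))
	}
}
```

Running it shows the point the post makes: "P@ssw0rd" satisfies every classic complexity rule yet scores about 52 bits, while the all-lowercase passphrase with spaces (base 27, length 28) scores over 130 bits.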
