Checking A Password Strength

Tonight I wrote something pretty nifty in PHP, and pushed it out to the /dev/ section of Blabber. I’d like to show it, and even tell you how it’s done. 🙂

I wrote a script that checks the strength of a password. The strength is ranked by the mix of letters and/or numbers, and the use of special characters in the password. It’s a pretty neat script, and it uses regex to calculate the strength.

Here is a link to the live, working version of the script: http://www.blabbernet.org/dev/pass_strength.php.

I used a function to make it easy to call, as well:

function passStrength($string, $strength = 0) {
    // One pattern per character class; each class found adds 1 to the score
    $expressions = array(
        '#[a-z]#', // lower-case chars. from a-z
        '#[A-Z]#', // upper-case chars. from A-Z
        '#[0-9]#', // numbers from 0-9
        '/[¬!"£$%^&*()`{}\[\]:@~;\'#?,.\/\\-=_+\|]/' // special characters
    );
    foreach($expressions as $arg) {
        if( preg_match( $arg, $string ) ) {
            $strength++;
        }
    }
    return $strength;
}

Now, if we’re going to make a full script that checks password information from a form, and prints out its strength, we’re going to want a function to format the strength outcome, since right now it would just print out a number from 1 to 4 (1 being weak, and 4 being strong).

function formatStrength($strength) {
    // Translate the numeric score from passStrength() into a label
    if($strength == 1) {
        return "weak";
    } elseif($strength == 2) {
        return "mediocre";
    } elseif($strength == 3) {
        return "good";
    } elseif($strength == 4) {
        return "strong";
    } else {
        return "not found";
    }
}

From there, you should be able to figure out how to get this into your registration form or whatnot.

That’s all for now,
Keep on Blabbering

– Brad
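
An added example, not part of the original post or Blabber's code: counting character classes alone ignores length, so this version estimates the brute-force search space in bits from the classes present and the password length, then maps it to the same 1 to 4 scale. The function names, the bit thresholds and the last sample password are assumptions made for illustration.

```php
<?php
// Added example: length-aware scoring on the post's 1-4 scale.
// Function names and bit thresholds are assumptions, not from the post.

// The post's four character classes, each with the size of its pool.
function classPools() {
    return array(
        '#[a-z]#' => 26,
        '#[A-Z]#' => 26,
        '#[0-9]#' => 10,
        // 31 = number of symbols listed in the post's special-character pattern
        '/[¬!"£$%^&*()`{}\[\]:@~;\'#?,.\/\\-=_+\|]/' => 31,
    );
}

// Upper bound on the search space in bits: length * log2(pool size).
// It only holds for randomly chosen characters; words and keyboard
// patterns are weaker than this number suggests.
function searchSpaceBits($password) {
    $pool = 0;
    foreach (classPools() as $pattern => $size) {
        if (preg_match($pattern, $password)) {
            $pool += $size;
        }
    }
    // strlen() counts bytes, which equals characters for ASCII passwords
    return $pool > 0 ? strlen($password) * log($pool, 2) : 0.0;
}

// Map the estimate onto the post's scale (thresholds are assumed values).
function lengthAwareStrength($password) {
    $bits = searchSpaceBits($password);
    if ($bits >= 80) return 4;
    if ($bits >= 60) return 3;
    if ($bits >= 40) return 2;
    return $bits > 0 ? 1 : 0;
}

// Sample inputs: the first two are quoted on this page, the third is constructed.
foreach (array('o0O?', 'sTr()nG1', 'k7#Rq2!mZx9$Lp4&') as $pw) {
    printf("%-18s %6.1f bits  score %d\n",
        $pw, searchSpaceBits($pw), lengthAwareStrength($pw));
}
```

Under these assumed thresholds the four-character 'o0O?' scores 1 even though it contains all four character classes.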


10 Responses to “Checking A Password Strength”

  1. June 20, 2007 at 5:43 am

    so it checks for four distinct character types and assigns a strength depending on the number found. that sounds like a decent idea, it does however leave some potential oversights. ‘o0O?’ for instance could be brute forced in a very small amount of time. Perhaps assess the length of the password and incorporate it? Or just assess it separately.

    Nice idea though. The implementation makes me realize just how bad i am at the more advanced loops in php.

  2. June 20, 2007 at 5:44 am

    (the second ‘o’ is a zero. your typeface is confusing :])

  3. June 20, 2007 at 10:43 am

    Adam, when running that password (o0O) through the live demo I have online, the password gets ranked good. This is because the script checked for a combination of letters (which there are) in both lower-case and upper-case (which there are), numbers (which there are), and any special characters (which there aren’t; this caused it to stay at “good”).

    Of course, the strong passwords, like “sTr()nG1” would be very hard to brute force…


  4. Matt
    June 20, 2007 at 12:28 pm

    lol, $expressions.

    a ha ha…….

  5. June 22, 2007 at 11:27 am

    the ‘?’ was included. hence all types were covered.
    to give an alternate but equal example:


    point being, a 4 character password is never ‘strong’.

  6. June 22, 2007 at 11:35 pm

    Yes, that’s true. Very good point.

  7. June 23, 2007 at 12:58 pm

    Sounds good but you should use AJAX. It can easily be done 😉

  8. June 23, 2007 at 2:06 pm

    Well, yes… any implementations to Blabber would be done with AJAX. Any other way would be inconvenient.
