Can anyone recommend a Java library that contains methods that are suitable for performing server-side password strength checking in a webapp? Ideally the checker should be:

  • configurable, allowing the deployer to supply different dictionaries, adjust weights of different criteria, and so on
  • extensible, allowing new criteria to be implemented if required
  • implemented in pure Java
  • not fundamentally intertwined with tag libraries, UI components or "password management" functionality
  • compatible with a GPL 3 project
  • compatible with Spring wiring
  • mavenized (ideally available through Maven Central)
+1  A: 

You might find this post useful - http://stackoverflow.com/questions/75057/what-is-the-best-way-to-check-the-strength-of-a-password

Pangea
Thanks, but I'd already seen that question / answers. And other resources on the web like that. I'm really after a decent existing Java implementation.
Stephen C
+8  A: 

Have a look at vt-password:

  • configurable, allowing the deployer to supply different dictionaries, adjust weights of different criteria, and so on - Partially (yes to configurable, dictionaries, no to weighted criteria)
  • extensible, allowing new criteria to be implemented if required - Yes
  • implemented in pure Java - Yes (and decent javadoc)
  • not fundamentally intertwined with tag libraries, UI components or "password management" functionality - Yes
  • compatible with a GPL 3 project - is GPL
  • compatible with Spring wiring - Looks like
  • mavenized (ideally available through Maven Central) - Yes (but not in central)
Pascal Thivent
While I do not care about this topic (right now), what a great answer. +1
Yar
Excellent! Thanks!
Stephen C
@Stephen: You're welcome. @Daniel: Thanks, glad you find it (potentially) helpful too.
Pascal Thivent
A couple of points: 1) The rules are configurable, but there is no direct support for configuring via XML or properties files. 2) The rule objects have mutable state (!?!) and are not thread-safe. 3) Some rules have API impediments to wiring via Spring IoC, and (more important) to copying rules. But I'm going to persevere anyway.
Stephen C
@Stephen Interesting feedback, thanks.
Pascal Thivent
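
The requirements listed in the question (deployer-supplied dictionaries, pluggable criteria, pure Java, wiring by constructor) together with the thread-safety point raised in the comments, as an added example that is not from the thread and does not use vt-password's API. Every class and method name below is hypothetical, and the dictionary words are constructed sample data.

```java
import java.util.*;

public class PasswordPolicyExample {
    /** One criterion: returns a failure message, or empty if the password passes. */
    interface PasswordRule { Optional<String> check(String password); }

    /** Minimum length. Immutable, so one instance can be shared across request threads. */
    static final class MinLengthRule implements PasswordRule {
        private final int min;
        MinLengthRule(int min) { this.min = min; }
        public Optional<String> check(String pw) {
            return pw.length() >= min ? Optional.empty()
                    : Optional.of("shorter than " + min + " characters");
        }
    }

    /** Rejects passwords that contain a word from a deployer-supplied dictionary. */
    static final class DictionaryRule implements PasswordRule {
        private final Set<String> words;
        DictionaryRule(Collection<String> words) {
            Set<String> copy = new HashSet<>(); // defensive copy: later caller changes have no effect
            for (String w : words) copy.add(w.toLowerCase(Locale.ROOT));
            this.words = Collections.unmodifiableSet(copy);
        }
        public Optional<String> check(String pw) {
            String lower = pw.toLowerCase(Locale.ROOT);
            return words.stream().filter(lower::contains).findFirst()
                    .map(w -> "contains dictionary word '" + w + "'");
        }
    }

    /** Runs every rule and reports all failures; the rule list is injected once and never mutated. */
    static final class PasswordChecker {
        private final List<PasswordRule> rules;
        PasswordChecker(List<PasswordRule> rules) {
            this.rules = Collections.unmodifiableList(new ArrayList<>(rules));
        }
        List<String> failures(String password) {
            List<String> out = new ArrayList<>();
            for (PasswordRule r : rules) r.check(password).ifPresent(out::add);
            return out;
        }
    }

    public static void main(String[] args) {
        // A new criterion needs no library change: implement the interface (here as a lambda).
        PasswordRule hasDigit = pw -> pw.chars().anyMatch(Character::isDigit)
                ? Optional.empty() : Optional.of("no digit");
        PasswordChecker checker = new PasswordChecker(Arrays.asList(new MinLengthRule(12),
                new DictionaryRule(Arrays.asList("password", "letmein")), hasDigit)); // constructed dictionary
        System.out.println(checker.failures("MyPassword"));               // fails all three rules
        System.out.println(checker.failures("correct horse 42 battery")); // passes: empty list
    }
}
```

Because each rule takes its configuration through the constructor and keeps no per-call state, the same objects can be declared as singleton beans and shared by concurrent requests.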