Password Strength module provides realistic password strength measurement and
server-side enforcement for Backdrop CMS sites using pattern-matching and
entropy calculation. Almost any type of password can be allowed so long as the
password proves to be of high enough entropy.

How it's different

Other password enforcement tools are simplistic: they check passwords against
explicit rules like character count and the number of distinct character types
(symbols, numbers, uppercase letters, etc.). A string like “Password1” will prove
acceptable to such systems but is obviously weak and easily brute-forced.

How it works

Instead of applying strict rules, Password Strength detects common underlying
patterns in the password, sums their entropy, and classifies the password by the
expected brute-force time for that total. Patterns that can be detected in
passwords include:

  • Words that are found in a dictionary of common words, common first and last
    names, or common passwords.
  • Words that are found in the dictionary, but with common "1337" or "leet"
    substitutions, such as 4 or @ for a, and 5 for s.
  • Common sequences of letters (abcde), numbers (12345), or characters spatially
    near each other on common keyboards (qwerty).
  • Three or more of the same characters, such as "aaa" or "8888".
  • Dates or years, such as "1921" or "19-11-1978."
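
An added illustration (not the module's or Zxcvbn-PHP's code, and written in
Python rather than PHP) of why summed pattern entropy rejects a password that
composition rules accept. The word list, bit values and function names are
constructed assumptions; only dictionary, leet, repeat and year patterns are
modelled.

```python
import math
import re

# Constructed sample list in rank order; real dictionaries hold thousands of entries.
COMMON_WORDS = ["password", "dragon", "monkey", "letmein", "qwerty"]
# Leet substitutions named above: 4 or @ for a, 5 for s.
LEET = str.maketrans({"4": "a", "@": "a", "5": "s"})


def rule_based_ok(pw):
    """Classic composition rules: length plus character classes."""
    return (len(pw) >= 8 and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(c.isdigit() for c in pw))


def charset_bits(ch):
    """Bits for one character that matches no pattern and must be brute-forced."""
    size = 10 if ch.isdigit() else 52 if ch.isalpha() else 33
    return math.log2(size)


def estimate_entropy(pw):
    """Greedy left-to-right scan that sums the entropy of each detected pattern."""
    bits, i = 0.0, 0
    norm = pw.lower().translate(LEET)  # assumes ASCII input, so indexes line up
    while i < len(pw):
        # Dictionary word, after undoing case and leet substitutions.
        word = next((w for w in COMMON_WORDS if norm.startswith(w, i)), None)
        if word:
            changed = pw[i:i + len(word)] != word
            # log2(rank) for the word, plus one bit if case or leet was varied.
            bits += math.log2(COMMON_WORDS.index(word) + 1) + (1 if changed else 0)
            i += len(word)
            continue
        # Three or more of the same character: one character plus the run length.
        m = re.match(r"(.)\1{2,}", pw[i:])
        if m:
            bits += charset_bits(m.group(1)) + math.log2(len(m.group(0)))
            i += len(m.group(0))
            continue
        # Four-digit year in 1900-2099: 200 possibilities.
        m = re.match(r"(19|20)\d\d", pw[i:])
        if m:
            bits += math.log2(200)
            i += 4
            continue
        bits += charset_bits(pw[i])
        i += 1
    return bits
```

Here `rule_based_ok("Password1")` is true, yet `estimate_entropy("Password1")`
is under 5 bits, while an 11-character random string scores above 50.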

Requirements

Password Strength relies on the bundled PHP library Zxcvbn-PHP for password
complexity measurement. There is no need to download this library.

Installation

Issues

Bugs and Feature Requests should be reported in the Issue Queue:
https://github.com/backdrop-contrib/password_strength/issues.

Current Maintainers

Credits

License

This project is GPL v2 software.
See the LICENSE.txt file in this directory for complete text.

Zxcvbn-PHP is licensed with the MIT License. See the license file at
libraries/ZxcvbnPhp/LICENSE.txt for complete text.