├── Password Generator.html
├── Password Strength Checker (with entropy display).html
├── Password Strength Checker.html
├── README.markdown
├── SensePost.gif
├── Service Desk Password Generator (strong).html
├── Service Desk Password Generator (weak).html
└── alternative
    ├── index.html
    └── supporting
        ├── css
        │   └── css.css
        ├── fonts
        │   ├── leaguegothic.eot
        │   ├── leaguegothic.ttf
        │   └── leaguegothic.woff
        ├── images
        │   ├── delete.png
        │   ├── error.png
        │   ├── favicon.ico
        │   ├── information.png
        │   └── lock.png
        └── js
            ├── dictionary.js
            ├── hsimp.js
            └── modernizr.js

/Password Generator.html:
--------------------------------------------------------------------------------
Random Password Generator

SensePost Logo

SensePost Password Generator

--------------------------------------------------------------------------------
/Password Strength Checker (with entropy display).html:
--------------------------------------------------------------------------------
Password Strength Test

SensePost Logo

SensePost Password Strength Checker

Enter your password or passphrase here:

Loading ...

Key

Very Weak passwords should never be used!
Weak passwords can be used for low risk accounts, but should generally be avoided.
Reasonable passwords should be used by non-administrative end-users.
Strong passwords should be used by administrators.
Very strong passwords should be used for critical services or by automated agents where the password only needs to be input once.

Information: Your password does not travel over the network. This application is run on your computer.

--------------------------------------------------------------------------------
/Password Strength Checker.html:
--------------------------------------------------------------------------------
Password Strength Test

SensePost Logo

SensePost Password Strength Checker

Enter your password or passphrase here:

Loading ...

Key

Very Weak passwords should never be used!
Weak passwords can be used for low risk accounts, but should generally be avoided.
Reasonable passwords should be used by non-administrative end-users.
Strong passwords should be used by administrators.
Very strong passwords should be used for critical services or by automated agents where the password only needs to be input once.

Information: Your password does not travel over the network. This application is run on your computer.

--------------------------------------------------------------------------------
/README.markdown:
--------------------------------------------------------------------------------
#1. Name
Password Tools
#2. Author
Dominic White < dominic(at)sensepost(dot)com >
#3. License, version & release date
License : GPLv3
Version : v1.0
Release Date : 2010/05/01

#4. Description
The intention is for the tools to be placed into your organisation's intranet somewhere. I found they were of much use, allowing me to reference a specific tool and setting rather than esoteric password theory in documents. For example, security standards documents would say "Service account passwords should either be generated by the password generator set to the service account setting, or be rated as "very strong" by the password strength checker", which is far more practical than quoting a list of password rules.

Being centrally hosted also allows updates to be made immediately in the case of a policy change, new common password addition, or bug. This also allowed web logs to provide an audit trail of who was using the tools. This is particularly useful for monitoring service desk activity, e.g. if the service desk records 100 password resets, and the tool only saw 10 hits, you know something's up.

##4.1 Password Strength Checker

This tool was written in response to the poor attempts at password strength checkers seen on many sites. They do basic checks for upper, lower-case characters and numbers. This allows passwords like "Password1" to be marked as "strong." Primarily based on Tyler Atkins' entropy and common word checker, I put together a more advanced utility. This will check the chosen password for:

* Length (over 8 characters)
* Character sets (lowercase, uppercase, numbers, special characters)
* Frequency (checks for common sets of characters e.g. "u" following "q", biased to English)
* Common Words (checks that common words aren't used e.g. Password1)

I've added a progress bar from Gerd Riesselmann, and a key for guidance. I've also eased the password strength requirements to better fit reasonable corporate password policies. These can be easily modified in the code though.

There are two versions provided, one which displays the results of the entropy calculations, and one which does not (users rarely care).

###4.1.1 Alternative

howsecureismypassword.net provides a nice, more detailed password strength checker. A somewhat modified version with alerts for corporate complexity requirements, common corporate password bases, and an informational alert if a password contains a common password is included. This is with the permission of the developer, Small Hadron Collider, who should get all the credit.

##4.2 Password Generators

There are three password generators, each with a different audience in mind.

###4.2.1 Full Password Generator

The full password generator is the most complex and has a number of features:

* Generate random passwords of varying complexity based on a "usage" selector such as "user", "administrator" or "service account". These match up to the complexity key in the strength checker.
* Generate lists of passwords to be used as distributed One-Time-Password lists. This is useful if passwords are regularly required between two parties to avoid using a static password. The list can be delivered via a different medium from the data being transmitted, and an agreed rotation period set up, such as a new password to be used "every day" or "every week".
* Create a NATO alphabet version of the password for speaking over the phone with the "will be spoken" option

The actual password generation code was courtesy of the no-longer-available CryptoMX tools, and the NATO alphabet conversion code was courtesy of L. Bower.

###4.2.2 Service Desk Password Generators

The service desk password generators were created to help the service desk stop resetting everyone's password to the same thing. It's one of the most pervasive security problems in any organisation: the service desk are told to reset passwords to some common password like "abc123", "Password" or "". Most users know it, and if you do ever investigate service desk password resets, you will find some serious abuses going on. This tool is a quick and dirty way to provide more reasonable alternatives for the service desk to use.

Its basic features are:

* A very simple interface and instructions
* A basic and somewhat unique password is generated
* A "pronounceable" version of the password is created in the NATO alphabet for speaking over the phone
* The password is copied to the clipboard (IE only) for pasting into whatever reset tool is in use

There are two versions: the first generates a strong random password, and the second uses one of a list of weak base words, with random numbers put on the end. The second was created after push back from the service desk agents saying that users were complaining about the random passwords. I don't like the second version, because it is still fairly predictable, and someone internally could pull out the passwords and create a simple password list to feed to any number of tools. If you are going to use the second version, please use your own list of words, ideally several thousand to increase the entropy. The current list was created by taking the top 500 6-digit words from the Unix English (en) dictionary, and removing complex ones.
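
To put numbers on the entropy concern above, the following added example (not part of the password-tools code) compares the character-set estimate a basic strength meter gives with the real search space of a word-plus-digits generator. The two-digit suffix, the sample word list, the class sizes and all function names are assumptions made for the illustration.

```javascript
// Added example: not code from the password-tools repository.

// Character classes and pool sizes a charset-only strength meter typically
// credits (assumed values; 33 = printable ASCII symbols including space).
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 33 },
];

// Naive estimate: length * log2(pool), where pool sums the classes present.
function charsetBits(password) {
  const pool = CLASSES.reduce((n, c) => n + (c.re.test(password) ? c.size : 0), 0);
  return pool === 0 ? 0 : password.length * Math.log2(pool);
}

// Entropy of the "weak" generator design: one word drawn uniformly from a
// list of wordCount words, followed by `digits` uniformly random digits.
function wordPlusDigitsBits(wordCount, digits) {
  return Math.log2(wordCount) + digits * Math.log2(10);
}

// Size of the complete candidate list for that design.
function candidateCount(wordCount, digits) {
  return wordCount * 10 ** digits;
}

// Number of words the list must hold before the design reaches targetBits.
function wordsNeeded(targetBits, digits) {
  return Math.ceil(2 ** targetBits / 10 ** digits);
}

// Entropy of a password drawn uniformly at random from an alphabet.
function randomBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Scheme-aware score: a password of the form "<listed word><digits>" is only
// as strong as the generator that made it, whatever characters it contains.
// Anything else falls back to the charset estimate. Case is ignored, which
// assumes the generator always emits words in one fixed case.
function schemeAwareBits(password, words, digits) {
  const known = new Set(words.map((w) => w.toLowerCase()));
  const m = /^([A-Za-z]+)([0-9]+)$/.exec(password);
  if (m && m[2].length === digits && known.has(m[1].toLowerCase())) {
    return wordPlusDigitsBits(words.length, digits);
  }
  return charsetBits(password);
}

// Constructed sample data (not the repository's word list).
const SAMPLE_WORDS = ['Summer', 'Winter', 'Garden', 'Orange',
                      'Silver', 'Purple', 'Market', 'Bridge'];
const DIGITS = 2; // assumption: the README does not say how many digits are appended

function report() {
  return {
    naive: charsetBits('Summer42'),                           // what a charset meter credits
    aware: schemeAwareBits('Summer42', SAMPLE_WORDS, DIGITS), // what the scheme really gives
    list500: wordPlusDigitsBits(500, DIGITS),                 // list of 500 words
    list5000: wordPlusDigitsBits(5000, DIGITS),               // "several thousand" words
    candidates500: candidateCount(500, DIGITS),
    random10: randomBits(10, 62),                             // 10 random alphanumerics
    wordsFor40Bits: wordsNeeded(40, DIGITS),
  };
}

console.log(report());
```

Growing the list from 500 to 5000 words adds about 3.3 bits, so the word-based design stays far below a random 10-character alphanumeric password at any practical list size.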

These tools were originally written when I was an employee of Deloitte South Africa, and while necessarily under the GPL due to included code, are still published here with their permission. They have, however, been updated since then on SensePost's coin.

#5. Additional Resources
http://www.sensepost.com/blog/4668.html

--------------------------------------------------------------------------------
/SensePost.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sensepost/password-tools/46191d2b5ca508f056cd52ba7798f3ef8e34752e/SensePost.gif
--------------------------------------------------------------------------------
/Service Desk Password Generator (strong).html:
--------------------------------------------------------------------------------
Random Password Generator

SensePost Logo

SensePost Service Desk Password Generator

Instructions

1. Click the "Generate Password" button.
2. The user's new password will appear in the "Password" box.
3. Paste the new password into the new password field of the tool being used to change the user's password.
4. The "Pronunciation" box is what you should read to the user over the phone.
5. Ensure the user is forced to change their password at next logon, if applicable.

NB. Do not reset the user's password to something simple, like "password".

--------------------------------------------------------------------------------
/Service Desk Password Generator (weak).html:
--------------------------------------------------------------------------------
Password Strength Test

SensePost Logo

SensePost Service Desk Password Generator

Instructions

1. Click the "Generate Password" button.
2. The user's new password will appear in the "Password" box.
3. Paste the new password into the new password field of the tool being used to change the user's password.
4. The "Pronunciation" box is what you should read to the user over the phone.
5. Ensure the user is forced to change their password at next logon, if applicable.

NB. Do not reset the user's password to something simple, like "password".

--------------------------------------------------------------------------------
/alternative/index.html:
--------------------------------------------------------------------------------
How Secure Is My Password?

How Secure Is My Password?

Unfortunately, for security reasons, this site can only run if you have JavaScript enabled. JavaScript is a "client-side" language, which means the code runs on your computer and nothing you type in ever leaves your computer.

You may be able to turn on JavaScript in your browser's preferences.

--------------------------------------------------------------------------------
/alternative/supporting/css/css.css:
--------------------------------------------------------------------------------
/*! normalize.css 2011-08-12T17:28 UTC · http://github.com/necolas/normalize.css */
/* =============================================================================
   HTML5 display definitions
   ========================================================================== */
/*
 * Corrects block display not defined in IE6/7/8/9 & FF3
 */
article,
aside,
details,
figcaption,
figure,
footer,
header,
hgroup,
nav,
section {
  display: block;
}
/*
 * Corrects inline-block display not defined in IE6/7/8/9 & FF3
 */
audio, canvas, video {
  display: inline-block;
  *display: inline;
  *zoom: 1;
}
/*
 * Prevents modern browsers from displaying 'audio' without controls
 */
audio:not([controls]) {
  display: none;
}
/*
 * Addresses styling for 'hidden' attribute not present in IE7/8/9, FF3, S4
 * Known issue: no IE6 support
 */
[hidden] {
  display: none;
}
/* =============================================================================
   Base
   ========================================================================== */
/*
 * 1. Corrects text resizing oddly in IE6/7 when body font-size is set using em units
 *    http://clagnut.com/blog/348/#c790
 * 2. Keeps page centred in all browsers regardless of content height
 * 3. Prevents iOS text size adjust after orientation change, without disabling user zoom
 *    www.456bereastreet.com/archive/201012/controlling_text_size_in_safari_for_ios_without_disabling_user_zoom/
 */
html {
  font-size: 100%;
  /* 1 */

  overflow-y: scroll;
  /* 2 */

  -webkit-text-size-adjust: 100%;
  /* 3 */

  -ms-text-size-adjust: 100%;
  /* 3 */

}
/*
 * Addresses margins handled incorrectly in IE6/7
 */
body {
  margin: 0;
}
/*
 * Addresses font-family inconsistency between 'textarea' and other form elements.
 */
body,
button,
input,
select,
textarea {
  font-family: sans-serif;
}
/* =============================================================================
   Links
   ========================================================================== */
a {
  color: #00e;
}
a:visited {
  color: #551a8b;
}
/*
 * Addresses outline displayed oddly in Chrome
 */
a:focus {
  outline: thin dotted;
}
/*
 * Improves readability when focused and also mouse hovered in all browsers
 * people.opera.com/patrickl/experiments/keyboard/test
 */
a:hover, a:active {
  outline: 0;
}
/* =============================================================================
   Typography
   ========================================================================== */
/*
 * Addresses styling not present in IE7/8/9, S5, Chrome
 */
abbr[title] {
  border-bottom: 1px dotted;
}
/*
 * Addresses style set to 'bolder' in FF3/4, S4/5, Chrome
 */
b, strong {
  font-weight: bold;
}
blockquote {
  margin: 1em 40px;
}
/*
 * Addresses styling not present in S5, Chrome
 */
dfn {
  font-style: italic;
}
/*
 * Addresses styling not present in IE6/7/8/9
 */
mark {
  background: #ff0;
  color: #000;
}
/*
 * Corrects font family set oddly in IE6, S4/5, Chrome
 * en.wikipedia.org/wiki/User:Davidgothberg/Test59
 */
pre,
code,
kbd,
samp {
  font-family: monospace, serif;
  _font-family: 'courier new', monospace;
  font-size: 1em;
}
/*
 * Improves readability of pre-formatted text in all browsers
 */
pre {
  white-space: pre;
  white-space: pre-wrap;
  word-wrap: break-word;
}
/*
 * 1. Addresses CSS quotes not supported in IE6/7
 * 2. Addresses quote property not supported in S4
 */
/* 1 */
q {
  quotes: none;
}
/* 2 */
q:before, q:after {
  content: '';
  content: none;
}
small {
  font-size: 75%;
}
/*
 * Prevents sub and sup affecting line-height in all browsers
 * gist.github.com/413930
 */
sub, sup {
  font-size: 75%;
  line-height: 0;
  position: relative;
  vertical-align: baseline;
}
sup {
  top: -0.5em;
}
sub {
  bottom: -0.25em;
}
/* =============================================================================
   Lists
   ========================================================================== */
ul, ol {
  margin: 1em 0;
  padding: 0 0 0 40px;
}
dd {
  margin: 0 0 0 40px;
}
nav ul, nav ol {
  list-style: none;
  list-style-image: none;
}
/* =============================================================================
   Embedded content
   ========================================================================== */
/*
 * 1. Removes border when inside 'a' element in IE6/7/8/9
 * 2. Improves image quality when scaled in IE7
 *    code.flickr.com/blog/2008/11/12/on-ui-quality-the-little-things-client-side-image-resizing/
 */
img {
  border: 0;
  margin: 0 auto;
  /*max-width: 960px;
  width: 80%;*/
  /* 1 */

  -ms-interpolation-mode: bicubic;
  /* 2 */

}
/*
 * Corrects overflow displayed oddly in IE9
 */
svg:not(:root) {
  overflow: hidden;
}
/* =============================================================================
   Figures
   ========================================================================== */
/*
 * Addresses margin not present in IE6/7/8/9, S5, O11
 */
figure {
  margin: 0;
}
/* =============================================================================
   Forms
   ========================================================================== */
/*
 * Corrects margin displayed oddly in IE6/7
 */
form {
  margin: 0;
}
/*
 * Define consistent margin and padding
 */
fieldset {
  margin: 0 2px;
  padding: 0.35em 0.625em 0.75em;
}
/*
 * 1. Corrects color not being inherited in IE6/7/8/9
 * 2. Corrects alignment displayed oddly in IE6/7
 */
legend {
  border: 0;
  /* 1 */

  *margin-left: -7px;
  /* 2 */

}
/*
 * 1. Corrects font size not being inherited in all browsers
 * 2. Addresses margins set differently in IE6/7, F3/4, S5, Chrome
 * 3. Improves appearance and consistency in all browsers
 */
button,
input,
select,
textarea {
  font-size: 100%;
  /* 1 */

  margin: 0;
  /* 2 */

  vertical-align: baseline;
  /* 3 */

  *vertical-align: middle;
  /* 3 */

}
/*
 * 1. Addresses FF3/4 setting line-height using !important in the UA stylesheet
 * 2. Corrects inner spacing displayed oddly in IE6/7
 */
button, input {
  line-height: normal;
  /* 1 */

  *overflow: visible;
  /* 2 */

}
/*
 * Corrects overlap and whitespace issue for buttons and inputs in IE6/7
 * Known issue: reintroduces inner spacing
 */
table button, table input {
  *overflow: auto;
}
/*
 * 1. Improves usability and consistency of cursor style between image-type 'input' and others
 * 2. Corrects inability to style clickable 'input' types in iOS
 */
button,
html input[type="button"],
input[type="reset"],
input[type="submit"] {
  cursor: pointer;
  /* 1 */

  -webkit-appearance: button;
  /* 2 */

}
/*
 * 1. Addresses box sizing set to content-box in IE8/9
 * 2. Addresses excess padding in IE8/9
 */
input[type="checkbox"], input[type="radio"] {
  box-sizing: border-box;
  /* 1 */

  padding: 0;
  /* 2 */

}
/*
 * 1. Addresses appearance set to searchfield in S5, Chrome
 * 2. Addresses box sizing set to border-box in S5, Chrome (include -moz to future-proof)
 */
input[type="search"] {
  -webkit-appearance: textfield;
  /* 1 */

  -moz-box-sizing: content-box;
  -webkit-box-sizing: content-box;
  /* 2 */

  box-sizing: content-box;
}
/*
 * Corrects inner padding displayed oddly in S5, Chrome on OSX
 */
input[type="search"]::-webkit-search-decoration {
  -webkit-appearance: none;
}
/*
 * Corrects inner padding and border displayed oddly in FF3/4
 * www.sitepen.com/blog/2008/05/14/the-devils-in-the-details-fixing-dojos-toolbar-buttons/
 */
button::-moz-focus-inner, input::-moz-focus-inner {
  border: 0;
  padding: 0;
}
/*
 * 1. Removes default vertical scrollbar in IE6/7/8/9
 * 2. Improves readability and alignment in all browsers
 */
textarea {
  overflow: auto;
  /* 1 */

  vertical-align: top;
  /* 2 */

}
/* =============================================================================
   Tables
   ========================================================================== */
/*
 * Remove most spacing between table cells
 */
table {
  border-collapse: collapse;
  border-spacing: 0;
}
@font-face {
  font-family: 'LeagueGothic';
  src: url('../fonts/leaguegothic.eot');
  src: local('☺'), url('../fonts/leaguegothic.woff') format('woff'), url('../fonts/leaguegothic.ttf') format('truetype');
}
html {
  background: #FAFAFF;
  height: auto;
  min-height: 100%;
  position: relative;
}
body {
  color: #445;
  font-family: Georgia, serif;
  margin: 0 auto;
  max-width: 960px;
  width: 80%;
}
a {
  color: #fe771e;
}
h1,
h2,
h3,
h4,
h5,
h6 {
  font-family: LeagueGothic, Helvetica, Arial, sans-serif;
  font-weight: bold;
  margin: 0;
  text-transform: uppercase;
}
input, p {
  margin: 1em auto;
  display: block;
}
#password {
  border: 5px solid #445;
  -webkit-border-radius: 5px;
  -moz-border-radius: 5px;
  border-radius: 5px;
  color: #667;
  font-size: 2em;
  margin-bottom: 0.5em;
  outline: none;
  padding: 0.25em;
  text-align: center;
  -webkit-transition: all 0.25s ease-in-out;
  width: 80%;
}
h1 {
  font-family: LeagueGothic, Helvetica, Arial, sans-serif;
  font-size: 3em;
  letter-spacing: -0.05em;
  line-height: 0.75em;
  margin-top: 1em;
  width: 100%;
  text-align: center;
  text-transform: uppercase;
}
h1 a, h1 a:visited {
  color: #445;
  text-decoration: none;
}
.fontface h1 {
  font-size: 7em;
  margin-top: 0.3em;
}
#result {
  text-align: center;
}
#result span {
  font-size: 2em;
}
ul#warnings {
  font-size: 0.8em;
  margin: 1em 0;
  padding: 0;
}
ul#warnings li {
  background-repeat: no-repeat;
  background-position: 5px center;
  -webkit-border-radius: 5px;
  -moz-border-radius: 5px;
  border-radius: 5px;
  font-family: sans-serif;
  list-style: none;
  margin: 5px auto;
  padding: 5px 5px 5px 31px;
  text-align: left;
  width: 50%;
}
ul#warnings li h3 {
  font-family: sans-serif;
  font-size: 1em;
  font-weight: bold;
  margin: 0;
  padding: 0;
  text-transform: capitalize;
}
ul#warnings li p {
  margin: 0;
}
ul#warnings li.advice {
  background-color: #EEF;
  background-image: url('../images/information.png');
  border: 1px solid #AAC;
}
ul#warnings li.advice h3 {
  color: #337;
}
ul#warnings li.achievement {
  background-color: #EFE;
  background-image: url('../images/lock.png');
  border: 1px solid #ACA;
}
ul#warnings li.achievement h3 {
  color: #373;
}
ul#warnings li.insecure {
  background-color: #FEE;
  background-image: url('../images/delete.png');
  border: 2px solid #D55;
  font-size: 1.2em;
  margin-bottom: 1em;
  padding: 8px 10px 8px 31px;
  width: 55%;
}
ul#warnings li.insecure h3 {
  color: #A22;
}
ul#warnings li.warning {
  background-color: #FFD;
  background-image: url('../images/error.png');
  border: 1px solid #eca;
}
ul#warnings li.warning h3 {
  color: #D72;
}
article {
  margin: 2em auto;
  width: 70%;
}
article h2 {
  font-size: 2em;
}
article h3 {
  font-size: 1.5em;
}
article ul {
  margin-top: 1em;
}
article ul li {
  margin-top: 1em;
}
p.plug {
  margin: 2em 0 0;
  text-align: center;
}
div.advert {
  border-top: 1px solid black;
  border-bottom: 1px solid black;
  margin-top: 3.9375em;
  margin-bottom: 2.625em;
  margin-left: auto;
  margin-right: auto;
  text-align: center;
  width: 85%;
}
div.advert p {
  font-size: 1em;
  line-height: 1.3125em;
  margin-top: 0em;
  margin-bottom: 1.3125em;
}
div.advert h2 {
  margin: -0.5em auto 0.5em;
  background: #FAFAFF;
  width: 6em;
}
div.advert ins ins {
  padding: 0 20px 1.3125em !important;
}
footer {
  font-family: Georgia, serif;
  font-size: 0.8em;
  margin: 3em auto;
  text-align: center;
  width: 80%;
}
div#donate {
  text-align: center;
}
div#donate form, div#donate button, div#donate input {
  display: inline;
}
div#donate .button {
  background: #334;
  border: 1px solid #445;
  -webkit-border-radius: 5px;
  -moz-border-radius: 5px;
  border-radius: 5px;
  color: #EEF;
  font-family: Georgia, serif;
  margin: 0 5px;
  padding: 5px 7px;
  text-decoration: none;
  -webkit-transition: background 1s ease-in-out;
  -moz-transition: background 1s ease-in-out;
  -o-transition: background 1s ease-in-out;
  transition: background 1s ease-in-out;
}
div#donate .button:hover {
  background: #667;
  -webkit-transition: background 0.25s ease-in-out;
  -moz-transition: background 0.25s ease-in-out;
  -o-transition: background 0.25s ease-in-out;
  transition: background 0.25s ease-in-out;
}
a#donate {
  position: absolute;
  bottom: 0;
  cursor: pointer;
  right: 0;
  -webkit-transition: opacity 1s ease-in-out;
  -moz-transition: opacity 1s ease-in-out;
  -o-transition: opacity 1s ease-in-out;
  transition: opacity 1s ease-in-out;
}
a#donate img {
  position: absolute;
  cursor: pointer;
  bottom: 0;
  right: 0;
}
a#donate:hover {
  opacity: 0.75;
  -webkit-transition: opacity 0.25s ease-in-out;
  -moz-transition: opacity 0.25s ease-in-out;
  -o-transition: opacity 0.25s ease-in-out;
  transition: opacity 0.25s ease-in-out;
}
@media screen and (max-width: 900px) {
  .fontface h1 {
    font-size: 5em !important;
  }
  a#donate img {
    height: 110px;
    width: 110px;
  }
  div.advert {
    width: 100%;
  }
}
@media screen and (max-width: 600px) {
  .fontface h1 {
    font-size: 4em !important;
  }
  article, #password, #warnings li {
    width: 85% !important;
  }
  html {
    -webkit-text-size-adjust: none;
    -ms-text-size-adjust: none;
  }
  a#donate img {
    height: 80px;
    width: 80px;
  }
}
@media screen and (max-width: 300px) {
  .fontface h1 {
    font-size: 2em !important;
  }
  a#donate img {
    height: 50px;
    width: 50px;
  }
}
--------------------------------------------------------------------------------
/alternative/supporting/fonts/leaguegothic.eot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sensepost/password-tools/46191d2b5ca508f056cd52ba7798f3ef8e34752e/alternative/supporting/fonts/leaguegothic.eot
--------------------------------------------------------------------------------
/alternative/supporting/fonts/leaguegothic.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sensepost/password-tools/46191d2b5ca508f056cd52ba7798f3ef8e34752e/alternative/supporting/fonts/leaguegothic.ttf
--------------------------------------------------------------------------------
/alternative/supporting/fonts/leaguegothic.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sensepost/password-tools/46191d2b5ca508f056cd52ba7798f3ef8e34752e/alternative/supporting/fonts/leaguegothic.woff
--------------------------------------------------------------------------------
/alternative/supporting/images/delete.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sensepost/password-tools/46191d2b5ca508f056cd52ba7798f3ef8e34752e/alternative/supporting/images/delete.png
--------------------------------------------------------------------------------
/alternative/supporting/images/error.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sensepost/password-tools/46191d2b5ca508f056cd52ba7798f3ef8e34752e/alternative/supporting/images/error.png
--------------------------------------------------------------------------------
/alternative/supporting/images/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sensepost/password-tools/46191d2b5ca508f056cd52ba7798f3ef8e34752e/alternative/supporting/images/favicon.ico
--------------------------------------------------------------------------------
/alternative/supporting/images/information.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sensepost/password-tools/46191d2b5ca508f056cd52ba7798f3ef8e34752e/alternative/supporting/images/information.png
--------------------------------------------------------------------------------
/alternative/supporting/images/lock.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sensepost/password-tools/46191d2b5ca508f056cd52ba7798f3ef8e34752e/alternative/supporting/images/lock.png
--------------------------------------------------------------------------------
/alternative/supporting/js/hsimp.js:
--------------------------------------------------------------------------------
var HSIMP = {};
HSIMP.model = {
    password: '',
    calculationsPerSecond: 250000000
};

// Pairs a regular expression that detects a character class with the
// number of characters credited to that class.
HSIMP.match = function (match, length) {
    return {
        match: match,
        length: length
    };
};

HSIMP.matches = {
    'ASCII Lowercase': HSIMP.match(/[a-z]/, 26),
    'ASCII Uppercase': HSIMP.match(/[A-Z]/, 26),
    'ASCII Numbers': HSIMP.match(/\d/, 10),
    'ASCII Top Row Symbols': HSIMP.match(/[!@£#\$%\^&\*\(\)\-_=\+]/, 15),
    'ASCII Other Symbols': HSIMP.match(/[\?\/\.>\,<`~\\|"';:\]\}\[\{\s]/, 19),
    'Unicode Latin 1 Supplement': HSIMP.match(/[\u00A1-\u00FF]/, 94),
    'Unicode Latin Extended A': HSIMP.match(/[\u0100-\u017F]/, 128),
    'Unicode Latin Extended B': HSIMP.match(/[\u0180-\u024F]/, 208),
    'Unicode Latin Extended C': HSIMP.match(/[\u2C60-\u2C7F]/, 32),
    'Unicode Latin Extended D': HSIMP.match(/[\uA720-\uA7FF]/, 29),
    'Unicode Cyrillic Uppercase': HSIMP.match(/[\u0410-\u042F]/, 32),
    'Unicode Cyrillic Lowercase': HSIMP.match(/[\u0430-\u044F]/, 32)
};

// Names for large numbers, used below to label periods of "<name> years".
HSIMP.largeNumbers = {
    'thousand': 1e3, 'million': 1e6, 'billion': 1e9, 'trillion': 1e12,
    'quadrillion': 1e15, 'quintillion': 1e18, 'sextillion': 1e21, 'septillion': 1e24,
    'octillion': 1e27, 'nonillion': 1e30, 'decillion': 1e33, 'undecillion': 1e36,
    'duodecillion': 1e39, 'tredecillion': 1e42, 'quattuordecillion': 1e45, 'quindecillion': 1e48,
    'sexdecillion': 1e51, 'septendecillion': 1e54, 'octodecillion': 1e57, 'novemdecillion': 1e60,
    'vigintillion': 1e63, 'unvigintillion': 1e66, 'duovigintillion': 1e69, 'tresvigintillion': 1e72,
    'quattuorvigintillion': 1e75, 'quinquavigintillion': 1e78, 'sesvigintillion': 1e81, 'septemvigintillion': 1e84,
    'octovigintillion': 1e87, 'novemvigintillion': 1e90, 'trigintillion': 1e93, 'untrigintillion': 1e96,
    'duotrigintillion': 1e99, 'googol': 1e100, 'trestrigintillion': 1e102, 'quattuortrigintillion': 1e105,
    'quinquatrigintillion': 1e108, 'sestrigintillion': 1e111, 'septentrigintillion': 1e114, 'octotrigintillion': 1e117,
    'noventrigintillion': 1e120, 'quadragintillion': 1e123, 'quinquagintillion': 1e153, 'sexagintillion': 1e183,
    'septuagintillion': 1e213, 'octogintillion': 1e243, 'nonagintillion': 1e273
};

HSIMP.period = function (period, inSecs, plural) {
    plural = plural || false;
    return {
        period: period,
        inSecs: inSecs,
        plural: plural
    };
};

// Builds the list of time periods, sorted by length in seconds: the basic
// units first, then one "<large number> years" entry per large number.
HSIMP.periods = (function () {
    var i, current, inSecs,
        periods = [
            HSIMP.period('second', 1, true),
            HSIMP.period('minute', 60, true),
            HSIMP.period('hour', 3600, true),
            HSIMP.period('day', 86400, true),
            HSIMP.period('year', 31556926, true)
        ],
        sort = function (a, b) {
            return (a.inSecs < b.inSecs) ? -1 : 1;
        };

    for (i in HSIMP.largeNumbers) {
        if (HSIMP.largeNumbers.hasOwnProperty(i)) {
            inSecs = HSIMP.largeNumbers[i] * 31556926;
            // Skip values that overflow to Infinity
            if (inSecs !== Infinity) {
                current = HSIMP.period(i + ' years', inSecs);
                periods.push(current);
            }
        }
    }
    periods.sort(sort);
    return periods;
}());

// Runs every check in HSIMP.checks against the password, collecting the
// results and flagging the password if any check rates it 'insecure'.
HSIMP.check = function (password) {
    var checks = {
            results: {},
            insecure: false
        },
        result, i;
    for (i in HSIMP.checks) {
        if (HSIMP.checks.hasOwnProperty(i)) {
            result = HSIMP.checks[i](password);
            if (result !== undefined) {
                checks.results[i] = result;
                if (result.level === 'insecure') {
                    checks.insecure = true;
                }
            }
        }
    }
    return checks;
};

HSIMP.checks = {
    // Warns when any substring is repeated three or more times in a row
    'Repeated Pattern': function (password) {
        var results = password.match(/(.+)\1{2,}/gi);
        if (results) {
            return {
                level: 'warning',
                short: 'Repeated characters or patterns can make your password more predictable',
                long: ''
            };
        }
    },
    // Case-insensitive lookup in HSIMP.commonPasswords; the reported rank is
    // the list position rounded up to the next multiple of 10
    'Common Password': function (password) {
        var i = (HSIMP.commonPasswords && HSIMP.commonPasswords.length) || 0, rank;
        while (i--) {
            if (password.toLowerCase() === HSIMP.commonPasswords[i]) {
                rank = HSIMP.formatNumber(Math.ceil((i + 1) / 10) * 10);
                return {
                    level: 'insecure',
                    subtitle: 'In the top ' + rank + ' most used passwords',
                    short: 'Your password is very commonly used. 
It would be cracked almost instantly.',long:'' 77 | }; 78 | } 79 | } 80 | },'Possibly a Word':function(password) { 81 | if (password.match(/^[a-zA-Z]+$/)) { 82 | return { 83 | level:'warning',short:'Repeated characters or patterns can make your password more predictable',long:'' 84 | }; 85 | } 86 | },'Contains a Common Word':function(password) { 87 | var i=(HSIMP.commonPasswords&&HSIMP.commonPasswords.length) || 0,rank; 88 | while(i--) { 89 | var re = new RegExp(HSIMP.commonPasswords[i].replace(/[-[\]{}()*+?.,\\^$|#\s]/g, "\\$&"),"i"); 90 | /*var re = new RegExp("password","i");*/ 91 | var results = password.match(re); 92 | if (results) { 93 | rank=HSIMP.formatNumber(Math.ceil((i+1)/10)*10); 94 | return { 95 | level:'advice',subtitle:'This contains a word in the top '+rank+' most used passwords',short:'Your password could be similar to a commonly used one.',long:'' 96 | }; 97 | } 98 | } 99 | },'Possibly a Word':function(password) { 100 | if (password.match(/^[a-zA-Z]+$/)) { 101 | return { 102 | level:'warning',short:'Your password looks like it could be a dictionary word or a name. If it\'s a name with personal significance it might be easy to guess. If it\'s a dictionary word it could be cracked very quickly.',long:'' 103 | }; 104 | } 105 | },'Possibly a Telephone Number / Date':function(password) { 106 | if (password.match(/^[\-\(\)\.\/\s0-9]+$/)) { 107 | return { 108 | level:'warning',short:'Your password looks like it might be a telephone number or a date. If it is and it has personal significance then it might be very easy for someone to guess.',long:'' 109 | }; 110 | } 111 | },'Possibly a Word Followed by a Number':function(password) { 112 | if (password.match(/^[a-zA-Z]+[0-9]{1,4}$/)) { 113 | return { 114 | level:'warning',short:'Your password looks like it might be a word followed by a few digits. 
This is a very common pattern and would probably be cracked quite quickly.',long:'' 115 | }; 116 | } 117 | },'Length':function(password) { 118 | if (password.length<8) { 119 | return { 120 | level:'warning',subtitle:'Very short',short:'Your password is very short. The longer a password is the more secure it will be. Additionally, SensePost requires a minimum of 8 characters.',long:'' 121 | }; 122 | } else if (password.length<10) { 123 | return { 124 | level:'advice',subtitle:'Short',short:'Your password is quite short. The longer a password is the more secure it will be.',long:'' 125 | }; 126 | } else if (password.length>15) { 127 | return { 128 | level:'achievement',subtitle:'Long',short:'Your password is over 16 characters long. It should be pretty safe.',long:'' 129 | }; 130 | } 131 | },'Character Variety':function(password) { 132 | if (password.match(/^[A-Za-z]+$/)) { 133 | return{ 134 | level:'warning',subtitle:'Just Letters',short:'Your password only contains letters. Adding numbers and symbols can make your password more secure. Additionally, SensePost requires at least one character from three of the following four categories; UPPERCASE, lowercase, numbers of special characters.',long:'' 135 | }; 136 | } else if (password.match(/^[A-Z0-9]+$/)) { 137 | return { 138 | level:'warning',subtitle:'Missing Character Set',short:'Your password only contains numbers and UPPERCASE letters. Adding a symbol or lowercase letters can make your password more secure. Don\'t forget you can often use spaces in passwords. Additionally, SensePost requires at least one character from three of the following four categories; UPPERCASE, lowercase, numbers of special characters.',long:'' 139 | }; 140 | } else if (password.match(/^[a-z0-9]+$/)) { 141 | return { 142 | level:'warning',subtitle:'Missing Character Set',short:'Your password only contains numbers and lowercase letters. Adding a symbol or UPPERCASE letters can make your password more secure. 
Don\'t forget you can often use spaces in passwords. Additionally, SensePost requires at least one character from three of the following four categories; UPPERCASE, lowercase, numbers of special characters.',long:'' 143 | }; 144 | } else if (password.match(/^[A-Z!@#$%^&*()_+-=\[\]\{\};'\\:"|,.\/<>?±§~`]+$/)) { 145 | return { 146 | level:'warning',subtitle:'Missing Character Set',short:'Your password only contains UPPERCASE letters and special characters. Adding a number or lowercase letters can make your password more secure. SensePost requires at least one character from three of the following four categories; UPPERCASE, lowercase, numbers of special characters.',long:'' 147 | }; 148 | } else if (password.match(/^[a-z!@#$%^&*()_+-=\[\]\{\};'\\:"|,.\/<>?±§~`]+$/)) { 149 | return { 150 | level:'warning',subtitle:'Missing Character Set',short:'Your password only contains lowercase letters and special characters. Adding a number or UPPERCASE letters can make your password more secure. SensePost requires at least one character from three of the following four categories; UPPERCASE, lowercase, numbers of special characters.',long:'' 151 | }; 152 | } else if (password.match(/^[0-9!@#$%^&*()_+-=\[\]\{\};'\\:"|,.\/<>?±§~`]+$/)) { 153 | return { 154 | level:'warning',subtitle:'Missing Character Set',short:'Your password only contains numbers and special characters. Adding a lowercase or UPPERCASE letter can make your password more secure. SensePost requires at least one character from three of the following four categories; UPPERCASE, lowercase, numbers of special characters.',long:'' 155 | }; 156 | } else if (password.match(/^[A-Za-z0-9]+$/)) { 157 | return { 158 | level:'advice',subtitle:'No Symbols',short:'Your password only contains numbers and letters. Adding a symbol can make your password more secure. 
Don\'t forget you can often use spaces in passwords.',long:'' 159 | }; 160 | } else if (password.match(/[^A-Za-z0-9\u0000-\u007E]/)) { 161 | return { 162 | level:'achievement',subtitle:'Non-Standard Character',short:'Your password contains a non-keyboard character. This should make it more secure.',long:'' 163 | }; 164 | } 165 | } 166 | }; 167 | 168 | HSIMP.formatChecks = function(checks,parent) { 169 | var i,j,len,checkNames=['insecure','warning','advice','achievement'],listItems=(function() { 170 | var result = {}; 171 | len = checkNames.length; 172 | for (i=0;i 1?'.' + split[1]:''; 288 | while(rgx.test(integer)) { 289 | integer = integer.replace(rgx,'$1' + ',' + '$2'); 290 | } 291 | return integer + decimal; 292 | }; 293 | 294 | HSIMP.convertToNumber = function(string) { 295 | var result = {},replace=function(match) { 296 | var value,exp;if (HSIMP.largeNumbers[match]) { 297 | value = HSIMP.largeNumbers[match]; 298 | value += ''; 299 | exp = value.match(/^1e\+([\d]+)$/); 300 | if (exp && exp[1]) { 301 | value = ''; 302 | while(exp[1]--) { 303 | value += '0'; 304 | } 305 | } else { 306 | value = value.replace(/^1/,''); 307 | } 308 | return value; 309 | } 310 | }; 311 | 312 | string = string.replace(/[a-zA-z]+/g,replace); 313 | string = string.replace(/[^\d\.]/g,''); 314 | result.numeric = string; 315 | result.formatted = HSIMP.formatNumber(string); 316 | return result; 317 | }; 318 | 319 | -------------------------------------------------------------------------------- /alternative/supporting/js/modernizr.js: -------------------------------------------------------------------------------- 1 | /* Modernizr 2.0.6 (Custom Build) | MIT & BSD 2 | * Contains: fontface | iepp | cssclasses | teststyles 3 | */ 4 | ;window.Modernizr=function(a,b,c){function y(a,b){return!!~(""+a).indexOf(b)}function x(a,b){return typeof a===b}function w(a,b){return v(prefixes.join(a+";")+(b||""))}function v(a){k.cssText=a}var 
d="2.0.6",e={},f=!0,g=b.documentElement,h=b.head||b.getElementsByTagName("head")[0],i="modernizr",j=b.createElement(i),k=j.style,l,m=Object.prototype.toString,n={},o={},p={},q=[],r=function(a,c,d,e){var f,h,j,k=b.createElement("div");if(parseInt(d,10))while(d--)j=b.createElement("div"),j.id=e?e[d]:i+(d+1),k.appendChild(j);f=["­",""].join(""),k.id=i,k.innerHTML+=f,g.appendChild(k),h=c(k,a),k.parentNode.removeChild(k);return!!h},s,t={}.hasOwnProperty,u;!x(t,c)&&!x(t.call,c)?u=function(a,b){return t.call(a,b)}:u=function(a,b){return b in a&&x(a.constructor.prototype[b],c)};var z=function(a,c){var d=a.join(""),f=c.length;r(d,function(a,c){var d=b.styleSheets[b.styleSheets.length-1],g=d.cssRules&&d.cssRules[0]?d.cssRules[0].cssText:d.cssText||"",h=a.childNodes,i={};while(f--)i[h[f].id]=h[f];e.fontface=/src/i.test(g)&&g.indexOf(c.split(" ")[0])===0},f,c)}(['@font-face {font-family:"font";src:url("https://")}'],["fontface"]);n.fontface=function(){return e.fontface};for(var A in n)u(n,A)&&(s=A.toLowerCase(),e[s]=n[A](),q.push((e[s]?"":"no-")+s));v(""),j=l=null,a.attachEvent&&function(){var a=b.createElement("div");a.innerHTML="";return a.childNodes.length!==1}()&&function(a,b){function s(a){var b=-1;while(++b