DEV Community

Jonas Hämmerle
Jonas Hämmerle

Posted on

Entropy-based password strength scoring (and why 'has a symbol' rules are theater)

"Must contain one uppercase, one number, one symbol" rules produce passwords like Password1! — technically compliant, trivially guessable. Entropy-based scoring is a better signal.

The idea: estimate the search space an attacker would need to brute-force, based on character variety and length, then flag patterns that reduce real entropy below what the raw math suggests (dictionary words, keyboard walks, repeated characters).

Rough approach:

function estimateEntropyBits(password) {
  let poolSize = 0;
  if (/[a-z]/.test(password)) poolSize += 26;
  if (/[A-Z]/.test(password)) poolSize += 26;
  if (/[0-9]/.test(password)) poolSize += 10;
  if (/[^a-zA-Z0-9]/.test(password)) poolSize += 32;
  return Math.log2(poolSize) * password.length;
}
Enter fullscreen mode Exit fullscreen mode

That's the naive version — it overestimates for anything with patterns. A real implementation should also penalize repeated substrings and common dictionary words before trusting the raw bits figure.

I built a fuller version of this (plus the breach-check endpoint from k-anonymity) as part of Validate if you want the batteries-included version.

Top comments (0)