"Must contain one uppercase, one number, one symbol" rules produce passwords like Password1! — technically compliant, trivially guessable. Entropy-based scoring is a better signal.
The idea: estimate the search space an attacker would need to brute-force, based on character variety and length, then flag patterns that reduce real entropy below what the raw math suggests (dictionary words, keyboard walks, repeated characters).
Rough approach:
function estimateEntropyBits(password) {
let poolSize = 0;
if (/[a-z]/.test(password)) poolSize += 26;
if (/[A-Z]/.test(password)) poolSize += 26;
if (/[0-9]/.test(password)) poolSize += 10;
if (/[^a-zA-Z0-9]/.test(password)) poolSize += 32;
return Math.log2(poolSize) * password.length;
}
That's the naive version — it overestimates for anything with patterns. A real implementation should also penalize repeated substrings and common dictionary words before trusting the raw bits figure.
I built a fuller version of this (plus the breach-check endpoint from k-anonymity) as part of Validate if you want the batteries-included version.
Top comments (0)