Class PasswordPolicy


  • public class PasswordPolicy
    extends java.lang.Object
    A password policy which validates candidate passwords according to NIST's draft SP-800-63B, which recommends that passwords have a minimum required length, a maximum permitted length, and be checked against a list of known-weak passwords (SP-800-63B 5.1.1.2).

    By default, this uses a static list of the 10,000 most common weak passwords, downloaded from Carey Li's NBP project.

    See Also:
    Draft NIST SP-800-63B, NBP
    • Field Summary

      Fields 
      Modifier and Type Field Description
      static int RECOMMENDED_MAX_LENGTH
      The recommended maximum password length, per SP-800-63B 5.1.1.2.
      static int RECOMMENDED_MIN_LENGTH
      The recommended minimum password length, per SP-800-63B 5.1.1.2.
    • Constructor Summary

      Constructors 
      Constructor Description
      PasswordPolicy()
      Creates a PasswordPolicy with a minimum password length of 8 and a maximum password length of 64, as recommended in SP-800-63B 5.1.1.2.
      PasswordPolicy​(BreachDatabase breachDatabase, int minLength, int maxLength)
      Creates a PasswordPolicy with the given password length requirements.
    • Method Summary

      Modifier and Type Method Description
      Status check​(java.lang.String password)
      Checks the acceptability of a candidate password.
      static byte[] normalize​(java.lang.String password)
      Normalizes the given password as Unicode NFKC and returns it as UTF-8 encoded bytes, ready to be passed to a password hashing algorithm like bcrypt.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • RECOMMENDED_MIN_LENGTH

        public static final int RECOMMENDED_MIN_LENGTH
        The recommended minimum password length, per SP-800-63B 5.1.1.2.
        See Also:
        Constant Field Values
      • RECOMMENDED_MAX_LENGTH

        public static final int RECOMMENDED_MAX_LENGTH
        The recommended maximum password length, per SP-800-63B 5.1.1.2.
        See Also:
        Constant Field Values
    • Constructor Detail

      • PasswordPolicy

        public PasswordPolicy​(BreachDatabase breachDatabase,
                              int minLength,
                              int maxLength)
        Creates a PasswordPolicy with the given breach database and password length requirements.
        Parameters:
        breachDatabase - a BreachDatabase instance used to reject known-weak or compromised passwords
        minLength - the minimum length of passwords
        maxLength - the maximum length of passwords
    • Method Detail

      • normalize

        public static byte[] normalize​(java.lang.String password)
        Normalizes the given password as Unicode NFKC and returns it as UTF-8 encoded bytes, ready to be passed to a password hashing algorithm like bcrypt.

        This is the process recommended in NIST SP-800-63B 5.1.1.2, which says verifiers should apply a Unicode normalization (NFKC or NFKD) before hashing so that the same password typed on different platforms or input methods yields the same bytes. The same normalization must be applied both when the password is set and when it is later verified, or the stored hash will not match.

        Parameters:
        password - an arbitrary string
        Returns:
        a series of bytes suitable for hashing
      • check

        public Status check​(java.lang.String password)
        Checks the acceptability of a candidate password.
        Parameters:
        password - a candidate password
        Returns:
        the status of the candidate password
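      An added example (not part of this documentation or of the library's own code) that ties check and normalize together in an enrollment flow. It assumes the package name com.codahale.passpol, which this page does not show, and uses java.util.HexFormat, which needs Java 17 or later; the helper nfkcUtf8 is a JDK-only restatement of the documented behaviour of normalize, used here to cross-check the library's output. The sample passwords are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.text.Normalizer;
import java.util.Arrays;
import java.util.HexFormat;

// Package name is assumed; this page shows only the simple class names.
import com.codahale.passpol.PasswordPolicy;
import com.codahale.passpol.Status;

public class EnrollmentExample {

    // JDK-only restatement of what the page documents normalize() to do:
    // NFKC normalization, then UTF-8 encoding. Used here only to cross-check
    // the library's output; production code should call PasswordPolicy.normalize.
    static byte[] nfkcUtf8(String password) {
        return Normalizer.normalize(password, Normalizer.Form.NFKC)
                         .getBytes(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Defaults: 8..64 characters and the built-in weak-password list.
        PasswordPolicy policy = new PasswordPolicy();

        // Constructed samples. The last two are the same password as a user
        // would see it, typed once with precomposed "é" (U+00E9) and once
        // with "e" plus combining acute accent (U+0065 U+0301), which is what
        // some platforms and input methods produce.
        String precomposed = "caf\u00e9-r\u00e9sum\u00e9-2024";
        String decomposed  = "cafe\u0301-re\u0301sume\u0301-2024";
        String[] candidates = { "short", "password", precomposed, decomposed };

        for (String candidate : candidates) {
            Status status = policy.check(candidate);
            System.out.printf("%-28s -> %s%n", candidate, status);
        }

        // The raw strings differ, so hashing them directly would give two
        // different hashes for one password; after NFKC they are byte-identical.
        System.out.println("raw strings equal:        " + precomposed.equals(decomposed));
        byte[] a = PasswordPolicy.normalize(precomposed);
        byte[] b = PasswordPolicy.normalize(decomposed);
        System.out.println("normalized bytes equal:   " + Arrays.equals(a, b));
        System.out.println("matches JDK NFKC + UTF-8: " + Arrays.equals(a, nfkcUtf8(precomposed)));

        // Compatibility characters are folded as well: the "ﬁ" ligature (U+FB01)
        // becomes "fi" and fullwidth "Ａ" (U+FF21) becomes "A", so the byte
        // length can change. HexFormat needs Java 17 or later.
        String compat = "\uFB01\uFF21-passphrase";
        byte[] rawUtf8 = compat.getBytes(StandardCharsets.UTF_8);
        byte[] normalized = PasswordPolicy.normalize(compat);
        System.out.println("raw UTF-8:  " + rawUtf8.length + " bytes, " + HexFormat.of().formatHex(rawUtf8));
        System.out.println("normalized: " + normalized.length + " bytes, " + HexFormat.of().formatHex(normalized));

        // Store a hash of the normalized bytes only, and normalize the same way
        // at login; otherwise a user who enrolled from a platform that emits
        // decomposed characters is locked out when logging in from one that
        // emits precomposed ones.
        byte[] toHash = PasswordPolicy.normalize(precomposed);
        // ... pass toHash to bcrypt, scrypt or Argon2 here ...
        Arrays.fill(toHash, (byte) 0); // unlike a String, the byte[] can be wiped afterwards
    }
}
```

      The constants of Status are not shown on this page; branch on the value returned by check against them as documented in the Status class rather than on its string form. Run check on the raw String the user typed, as the page documents it, and hash only the output of normalize.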