UNPKG

nist-password-validator

Version:

A lightweight, zero-dependencies open-source password validator according to NIST guidelines.

github.com/ypreiser/NIST-password-ts

ypreiser/NIST-password-ts

240 lines (166 loc) 7.34 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
## **NIST Password Validator Library** A lightweight, zero-dependency open-source password validator adhering to NIST guidelines. Try it out: [Test the library with a user-friendly front-end demo site.](https://nist-password-validator.netlify.app/) --- ### **Introduction** This library provides a robust solution for password validation based on the [NIST Digital Identity Guidelines (SP 800-63B)](https://pages.nist.gov/800-63-4/sp800-63b.html). It promotes modern password security with support for Unicode, breach checks, customizable rules, and advanced features like error limits for flexible feedback. --- ### **Why NIST Guidelines?** Passwords are a cornerstone of digital security. The National Institute of Standards and Technology (NIST) has established guidelines to improve password policies with principles like: - **Minimum Length**: At least **8 characters**; **15+ recommended**. - **Maximum Length**: Support up to **64+ characters**. - **No Arbitrary Composition Rules**: Avoid forcing special characters or case mixing. - **Unicode Support**: Inclusive acceptance of all Unicode characters. - **Compromised Password Checks**: Block passwords found in breaches. - **Blocklist with Fuzzy Matching**: Prevent predictable or context-specific terms. This library implements these principles to enhance security and usability. --- ### **Features** - **NIST-Compliant Validation**: - Unicode-based minimum/maximum length checks. - Smart whitespace handling. - **Error Limiting**: - Control the number of errors returned for a password. - Balance detailed feedback and performance. - **HIBP Integration**: - Check passwords against the **Have I Been Pwned (HIBP)** breach database. - **Blocklist with Fuzzy Matching**: - Detect passwords similar to blocklisted terms. - Customizable sensitivity and matching rules. - **Flexible Configuration**: - Adjustable length limits, blocklists, and sensitivity. - Toggle HIBP checks for local environments. --- ### **Installation** Install via npm: ```bash npm install nist-password-validator ``` --- ### **Usage** #### **Basic Example** ```typescript import { validatePassword } from "nist-password-validator"; async function checkPassword() { const result = await validatePassword("examplepassword"); if (!result.isValid) { console.log("Password validation failed:", result.errors); } else { console.log("Password is valid!"); } } checkPassword(); ``` #### **Using the PasswordValidator Class** For scenarios where you need to reuse the same validation configuration or update it dynamically: ```typescript import { PasswordValidator } from "nist-password-validator"; // Create a validator with initial options const validator = new PasswordValidator({ minLength: 8, maxLength: 64, blocklist: ["password", "admin"], }); // Validate a password async function validateWithClass() { const result = await validator.validate("mypassword123"); console.log(result.isValid ? "Valid!" : "Invalid:", result.errors); } // Update configuration as needed validator.updateConfig({ minLength: 12, // This will merge with existing config errorLimit: 2, }); // Validate again with new config validateWithClass(); ``` The `PasswordValidator` class provides several benefits: - **Reusable Configuration**: Create a validator instance with your preferred settings - **Dynamic Updates**: Change validation rules on the fly with `updateConfig` - **Consistent Validation**: Ensure the same rules are applied across multiple password checks - **Memory Efficient**: Reuse the same validator instance instead of creating new configurations Methods: - `constructor(options?: ValidationOptions)`: Create a new validator with optional initial options - `validate(password: string): Promise<ValidationResult>`: Validate a password using current configuration - `updateConfig(options: ValidationOptions): void`: Update the current configuration by merging new options #### **Custom Configuration** ```typescript async function checkCustomPassword() { const result = await validatePassword("myp@ssw0rd!", { minLength: 10, // Custom minimum length (default: 15) maxLength: 500000, // Custom maximum length (default: 100K) hibpCheck: false, // Disable HIBP check if using local hash database blocklist: ["password"], // Custom blocklist matchingSensitivity: 0.2, // Custom matching sensitivity (default: 0.25) trimWhitespace: true, // Handle leading/trailing whitespace (default: true) errorLimit: 3, // Amount of errors to check before stopping (defult: infinty) }); if (!result.isValid) { console.log("Password validation failed:", result.errors); } else { console.log("Password is valid!"); } } checkCustomPassword(); ``` --- ### **Error Limit Feature** The `errorLimit` option allows users to control how many errors are returned during validation. This helps balance: - **Performance**: Avoid unnecessary checks after reaching the limit. - **Feedback**: Provide detailed insights without overwhelming users. #### **Example Usage** ```typescript const result = await validatePassword("mypassword", { errorLimit: 2, // Report up to 2 errors }); console.log(result.errors); // Returns a maximum of 2 errors ``` - **Default**: Unlimited errors (`errorLimit` defaults to `Infinity`). - **Customizable**: Adjust based on user needs or environment constraints. --- ### **Validators** #### **1. Length Validation** Ensures the password meets specified length requirements based on Unicode code points. ```typescript import { lengthValidator } from "nist-password-validator"; const result = lengthValidator("mypassword", 8, 64); console.log(result.errors); ``` #### **2. Blocklist Validation** Prevents passwords that resemble blocked terms using fuzzy matching. ```typescript import { blocklistValidator } from "nist-password-validator"; const result = blocklistValidator("myp@ssword", ["password"], { matchingSensitivity: 0.25, }); console.log(result.errors); ``` #### **3. HIBP Validation** Checks passwords against the **Have I Been Pwned** breach database. ```typescript import { hibpValidator } from "nist-password-validator"; hibpValidator("mypassword123").then((result) => console.log(result.errors)); ``` --- ### **Whitespace Handling** Handles leading/trailing whitespace in passwords for NIST compliance. Enabled by default. ```typescript // Default: Trims whitespace const result1 = await validatePassword(" mypassword "); // Disable trimming const result2 = await validatePassword(" mypassword ", { trimWhitespace: false, }); ``` --- ### **Security Considerations** - Normalize passwords to UTF-8 before hashing. - Use local hash databases for HIBP checks in high-security environments. - Customize blocklists with sensitive or organization-specific terms. - Implement rate limiting for external API calls. --- ### **Contributing** We welcome contributions! Fork the repo, create a branch, and submit a pull request. --- ### **License** This library is released under the [MIT License](LICENSE).