Friday, December 9th, 2005

Google Password Strength Feedback

Category: Component

We often talk about how one of the un-sexy core advantages of Ajax is the ability to do validation where you want it (right where the user is working) while still validating securely on the server side.

As we do this, we can offer interesting feedback to the user as they enter the form data.

When you create an account at Google, they let you know how strong the password is as you type it: from too short, to weak, to fair, to strong.


Posted by Dion Almaer at 9:14 am


It’s interesting that they appear to be submitting the password “as-you-type” via xmlhttp, across the wire (securely?) for checking.

I’d imagine you could do the same client-side with weighted tests – eg. all same characters (bad), mix of lower/upper/alpha (good), sequential (bad) etc. I’ve seen other implementations do this fairly well.

Interestingly, “abcdef” returns “weak”, but “aabcde” is “strong” ;) (maybe that’s accurate? – I can’t say.)

Comment by Scott Schiller — December 9, 2005
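
The client-side weighted tests suggested in the comment above (all same characters, character mix, sequential runs), as an added example that is not part of the original post or comments and is not Google's code. The four labels come from the post; the weights, thresholds, word list and element ids are assumptions, and the result is advisory only, since the server still has to validate the password on submit.

```javascript
// Added example: advisory client-side strength meter. Labels come from the post;
// the weights, thresholds and word list are illustrative assumptions.
const MIN_LENGTH = 6;
const COMMON = new Set(["password", "letmein", "qwerty", "asdf", "abc123"]); // constructed sample list

// Longest run of characters whose codes step by +1 or -1 ("abcd", "4321").
function longestSequentialRun(pw) {
  let best = pw.length ? 1 : 0, run = 1, dir = 0;
  for (let i = 1; i < pw.length; i++) {
    const d = pw.charCodeAt(i) - pw.charCodeAt(i - 1);
    const step = d === 1 || d === -1;
    run = step ? (run > 1 && d !== dir ? 2 : run + 1) : 1; // restart on direction change
    dir = d;
    best = Math.max(best, run);
  }
  return best;
}

// Returns { label, score }; label is "too short", "weak", "fair" or "strong".
function scorePassword(pw) {
  if (pw.length < MIN_LENGTH) return { label: "too short", score: 0 };
  let score = Math.min(pw.length, 16) * 2;             // length: up to 32 points
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(pw)).length;
  score += (classes - 1) * 10;                         // mix of character classes (good)
  const distinct = new Set(pw).size;
  if (distinct === 1) score -= 30;                     // all same characters (bad)
  else if (distinct <= pw.length / 2) score -= 10;     // heavy repetition (bad)
  const run = longestSequentialRun(pw);
  if (run >= 4) score -= run * 4;                      // sequential characters (bad)
  if (COMMON.has(pw.toLowerCase())) score = 0;         // on the common-password list
  score = Math.max(score, 0);
  const label = score < 20 ? "weak" : score < 35 ? "fair" : "strong";
  return { label, score };
}

// Browser wiring (hypothetical element ids). Scoring runs locally on each keystroke,
// so the partial password is never sent over the wire while the user types.
if (typeof document !== "undefined") {
  const input = document.getElementById("passwd");
  const out = document.getElementById("strength");
  if (input && out) {
    input.addEventListener("input", () => {
      out.textContent = scorePassword(input.value).label;
    });
  }
}
```
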

Scott: I’d imagine easy to remember combos like “abcdef” and “asdf” are bad as they would probably be in most dictionary hacks – versus the example you gave which is more random.

Comment by Rob Sanheim — December 9, 2005

The validation (password strength indicator) is not taking place on the server side. You can verify this by placing a proxy and monitoring the traffic as you enter a password.

Here’s an example of the same thing along with the javascript source code.


Comment by Sanjiv Jivan — December 9, 2005

hi there,

It looks cool but I’m not sure if the testing is anywhere vigorous.

It checks the English dictionary but not the various words that I can google for. For e.g., it considered a password that I got hundreds of matches for as strong!

Comment by Anjan Bacchu — December 9, 2005

It looks like it is checking server side. The xmlhttp is called when the user inputs enough data.

Comment by Jake — December 9, 2005

You’re right, it does make an XHR call if the password strength exceeds 6. I was monitoring the traffic using Fiddler and surprisingly this XHR request does not show up there. I can see Gmail mail notification XHR requests in Fiddler. I had to set a JS breakpoint in IE to jump to the JS source and step through it. The interesting thing is that this JS code is uncompressed and in readable form and seems to come from a different Google team. They’re using the low-level XHR code and not any fancy Ajax wrapper libraries.

Comment by Sanjiv Jivan — December 9, 2005

I like to see many things in filter sites

Comment by Pooya — December 10, 2005

MSN has actually had something like that for a while now, however the javascript just checks whether or not you have numbers, letters and capital letters in your password. Really cool.

Comment by Casey — December 11, 2005


Can anyone do this in Flash? It would be really cool if someone could do this in Flash, and it will be a lot simpler for everyone to learn it.

Comment by Satyam — May 31, 2006

I wonder if there is an api for this feature. It would be very useful for other web 2.0 services.

Comment by Paul Jensen — July 28, 2006

very cool. thanks for the link to Gerd’s site. exactly what I needed.

Comment by e — January 8, 2007

Google uses a method that talks to the server upon Javascript onChange event.

It is not a safe way to interact, but it’s fun enough!

I can share the code I’ve coded if you want to do it.
It’s very easy to install.

Comment by Simos — January 25, 2007

Use only passwords that are hard to guess, but make sure you have virus protection installed against keyboard loggers.

Comment by Shopautodotca Seocontest — June 8, 2007

I have created an ASP.NET interface for the Google Password API.
Please vote for my article if you like the control.

Comment by Roger Chapman — June 18, 2007

Very interesting one, I’ll implement one of these into my site too

Comment by meeero — July 20, 2007

I found a very simple example like the one at Google; it does not use a dictionary but is enough for me

Comment by James — November 2, 2007
