Google Password Strength API

• Download demo 1 - 13.4 KB
• Download source - 11.0 KB
• Download demo 2 - 34.0 KB

Introduction

Do you have an iGoogle Account? Well, if you are like the rest of the world that use the Internet, you will have, which also means that you have seen the very cool (and useful) "Password strength" control.

This control has a very intelligent API to determine if the password you entered is any good. It is "intelligent" in the fact that it does not just check that you have a password that is larger than six characters; e.g., a password "aaaaaaaaaaaa" will come out as "Weak", "my password" as "Good", and "grty3657DF?£hr4" as (yes you guessed it!) "Strong".

The big secret is this is actually a public API from Google, to which you can pass a password and it will return the password strength from 1 (least secure) to 4 (most secure). You can view it here.

And here is the "but", there is no interface for the control and it is not openly advertised by Google.

Background

When I found a use for such a control on a website I'm currently building, I first looked at the Microsoft AJAX Toolkit. At first, this worked great; however, I felt that the algorithm used was not as strong as the Google one, and I kept on getting JavaScript errors due to that control.

Bring on this control.

Using the code

The easiest way is to add a reference to the GooglePasswordStrength.dll, then add a section into the web.config:

<pages> 
    <controls> 
        <add tagPrefix="google" namespace="GooglePasswordStrength" 
             assembly="GooglePasswordStrength"/> 
    </controls> 
</pages>

Then, add the control to your page, and attach it to an asp:TextBox.

<table> 
    <tr> 
        <td><asp:TextBox ID="txtPassword" runat="server" /></td>
        <td><google:PasswordStrength ID="PS" 
                TargetControlID="txtPassword" 
                CssClass="password" runat="server" /></td>
    </tr> 
</table>

Points of interest

The control utilises AJAX, but does not require any third party AJAX library. However, if your application uses the Microsoft AJAX Library, the control invokes a Client Script Proxy that was written by Rick Strahl to handle all the client scripts.

Known issues

The XMLHttpRequest makes a call to the Google Password Strength API directly, so some browser settings may cause a "Permission Denied" error. This is because the XMLHttpRequest is making a call to a page outside of the local domain. In Microsoft Internet Explorer, you can change this setting under the Security Custom Level settings. Look for "Miscellaneous -> Access data sources across domains".

For a more robust, permanent solution, you will need to change the call to a page on the same domain and make a WebRequest to the Google API from there.

Update

1. In the GooglePasswordStrength.Web Project, create a new WebForm called GetPassword.aspx.
2. In GetPassword.aspx, delete all the lines except the @Page directive line.
3. Open GetPassword.aspx.cs.
4. In the Page_Load method, add the following code:

string passwd = Request.QueryString["Passwd"];

string GUrl = string.Format("https://www.google.com/" + 
              "accounts/RatePassword?Passwd={0}", passwd);

WebRequest webRequest = WebRequest.Create(GUrl);
WebResponse webResponse = webRequest.GetResponse();
StreamReader reader = new StreamReader(webResponse.GetResponseStream());

Response.Clear();
Response.Output.Write(reader.ReadToEnd());
Response.End();

5. Open PasswordStrength.js.
6. On line 76, there is the xmlHttpObj.open method. Replace "https://www.google.com/accounts/RatePassword?Passwd=" with "GetPassword.aspx?Passwd=".
7. Also, in the PasswordStrength.js file, replace all instances of "innerText" with "innerHTML" (I later found out that innerText is IE only).

Now, the XmlHttpRequestObject will make a call to a file on the same domain, and you will no longer get the security error.

History

• November 2007 - Added a second demo, which uses the updated code above.