Password Strength

Common errors

• ModuleNotFoundError: No module named 'password_strength'

  cause The library is not installed or the Python environment is incorrect.
  fix Ensure the library is installed in your current environment using `pip install password-strength`. If using virtual environments, activate the correct one before running your script.

• TypeError: 'PasswordPolicy' object is not callable

  cause Attempting to call a `PasswordPolicy` object like a function instead of using its `test()` method.
  fix Access validation methods on the `PasswordPolicy` object. For example, use `policy.test(password)` instead of `policy(password)`.

• AttributeError: 'PasswordStats' object has no attribute 'test'

  cause Confusing `PasswordStats` (for analysis) with `PasswordPolicy` (for validation). `PasswordStats` provides statistical properties, not policy testing.
  fix Use `PasswordPolicy` for testing against defined rules (`policy.test(password)`). Use `PasswordStats` to get raw metrics like entropy or complexity (`PasswordStats(password).strength`).

Warnings

• gotcha The default entropy calculation might be less intuitive for users than a complexity score or explicit policy checks. While `entropy_bits` is a fundamental measure, `complexity` (0.00-0.99) or `strength` (0.00-1.00) are often more digestible for direct user feedback.
  Fix: Prefer using `policy.test()` to get a list of failed rules or `PasswordStats().complexity` / `PasswordStats().strength` for a more user-friendly score, especially when providing feedback to end-users.
• gotcha A password might pass basic length and character type rules but still contain easily guessable repetitions (e.g., 'aaaaaa', '123123'). The library's `Policy` object doesn't inherently check for overly repetitive patterns beyond what the entropy calculation might implicitly catch.
  Fix: For enhanced security, consider adding custom checks for known weak patterns, dictionary words, or sequential characters, potentially by extending the `PasswordPolicy` or implementing separate validation functions. The library offers the flexibility to define custom validation rules or combine with other techniques.
• deprecated Direct manipulation or reliance on `weak_bits`, `medium_bits`, `strong_bits` constants might be less recommended than using the `Policy` object's named rules, as policies provide a clearer, more configurable approach to defining acceptable passwords.
  Fix: Define password requirements using `PasswordPolicy.from_names()` or by directly instantiating `PasswordPolicy` with desired rules, which is generally more readable and maintainable.

Install

• pip install password-strength Install stable version

Imports

• PasswordPolicy

  from password_strength import PasswordPolicy

• PasswordStats

  from password_strength import PasswordStats

Quickstart

This quickstart demonstrates how to define a password policy using `PasswordPolicy.from_names` and test a password against it. It also shows how to get detailed strength statistics, including entropy, complexity, and a normalized strength score using `PasswordStats`.

from password_strength import PasswordPolicy, PasswordStats

# Define a password policy
policy = PasswordPolicy.from_names(
    length=8,
    uppercase=1,
    numbers=1,
    special=1,
    nonletters=1
)

# Test a password against the policy
password = "StrongP@ssw0rd!"
errors = policy.test(password)

if not errors:
    print(f"Password '{password}' meets the policy requirements.")
else:
    print(f"Password '{password}' failed the following checks: {', '.join(errors)}")

# Get detailed strength statistics
stats = PasswordStats(password)
print(f"\nPassword entropy (bits): {stats.entropy_bits:.2f}")
print(f"Password complexity (0.00-0.99): {stats.complexity:.2f}")
print(f"Password strength (0.00-1.00): {stats.strength:.2f}")