Home/ Questions/Q 9192885
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T21:02:20+00:00

Looking for suggestions on a password strength checker for objective-c. I did some googling

  • 0

Looking for suggestions on a password strength checker for objective-c. I did some googling and didn’t find any hits, neither here on SO. I could write one up but thought I’d check here first – has anyone implemented one?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I am only aware of two half-decent password strength estimators: zxcvbn (in CoffeeScript, compiles to JavaScript) and Passfault (in Java, appears to be intended as a webapp).

    (Actually, that’s is a slight lie; there was one in a PhD thesis I read a while back, but I’m not sure where I put the link.)

    Every other password “strength” checker I’ve looked at in any detail has been flawed, often deeply flawed (e.g. GRC’s “haystacks” assumes a very dumb bruteforce; even open-source password crackers are much more sophisticated) — the other day, the password strength meter of a large UK loyalty card scheme told me that “1Aa” was a “GOOD” password (“GOOD” is the highest rating).

    (The other problem is that the password strength required depends on how it’s being used: a 48-bit password like “W1mCj6B1” is fine for a Google account but incredibly weak as a Windows/Mac login password or a WPA passphrase.)

    I don’t think you’re likely to find a decent one in Objective-C, given their rarity. If you do end up writing one, I have a few suggestions:

    • Write it in C (or maybe C++). This won’t cost you much and will be far more portable; Objective-C pretty much ties you to OS X and iOS in the same way that .NET ties you to Windows (i.e. in theory you can port the runtime to other platforms; in practice it will be much less used outside of those platforms). To increase usage, you could add an Objective-C API.
    • Decide what to do about non-ASCII characters (and non-English languages in general). There are essentially two options:
      • Disallow them (people are used to it, right?)
      • Map to ASCII for strength estimation, e.g. by stripping accents (see NSWidthInsensitiveSearch and NSDiacriticInsensitiveSearch) and jumping through some hoops to map ı/İ/ß to i/I/ss. There’s also kCFStringTransformToLatin which promises to transliterate most scripts to the Latin alphabet. This bit doesn’t need to be in C because it’ll heavily depend on Unicode libraries, although you may be able to use ICU.

    Finally, password strength estimation is a hard problem. Guess the strength of
    2jmj7l5rSw0yVb_vlWAYkK_YBwk. Now ask Google.

    • 0