# How To Correctly Validate Passwords – Most Websites Do It Wrong

You’ve probably visited a site and attempted to sign up only to be met with errors such as:

• Password needs a capital letter
• Password needs a special character
• Password needs to be at least 8 characters

I just released a package in Go that solves this problem. Check it out and give it a star here: go-password-validator. If you want to understand how it works, and how to properly validate user passwords, read on.

Not only are rules like these annoying, they can also weaken security. Take a strong passphrase such as `super worm eaten human trike`: it has plenty of entropy (randomness), yet it fails the first two checks above, while a short, predictable password that satisfies all three rules is far easier to guess. XKCD puts this best:


## The Problem – Allow Users to Use Any Password Format as Long as It Has Enough Entropy

We don’t care if a password contains only lowercase letters as long as it’s long enough. All that matters is the entropy. Entropy in this context measures how many brute-force guesses it would take to find the password, and we express it in bits: a password with `n` bits of entropy is one of `2^n` possibilities, so the bit count is the exponent in `2^n`. Refer to the following chart to see how various entropy levels translate into the time it takes to brute-force a password. One caveat: the estimate described below assumes every character was chosen at random from its character set, so it is an upper bound. A password assembled from dictionary words or keyboard patterns has less real entropy than the formula suggests, which is why an entropy check is best paired with a check against lists of known-breached passwords.

## How To Determine Entropy Given a Password

The way go-password-validator works is my favorite (obviously, I wrote it), but there is certainly room for improvement. Let’s take a look at the process. From its Readme:

First, we determine the “base” number. The base is a sum of the different “character sets” found in the password.

The current character sets include:

• 26 lowercase letters
• 26 uppercase
• 10 digits
• 32 special characters – `` !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ ``

Using at least one character from each set, your base will be `94` (`26 + 26 + 10 + 32 = 94`).

Every unique character that doesn’t match one of those sets will add `1` to the base.

If you only use, for example, lowercase letters and digits, your base will be `36` (`26 + 10 = 36`).

After we have calculated a base, the total number of brute-force guesses is found using the following formula: `base^length`

A password using base 26 with 7 characters would require `26^7`, or `8031810176` guesses.

Once we know the number of guesses it would take, we can calculate the actual entropy in bits using `log2(guesses)`, which is the same as `length * log2(base)`. For the base-26, 7-character example above that works out to about 32.9 bits.
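The following program is an added example (my own reimplementation of the process described above, not code from go-password-validator) that carries the whole calculation through: it finds the base, computes `base^length` exactly with `math/big`, derives the entropy in bits, and wraps it in a `Validate` check a signup handler could call instead of composition rules. The function names `Base`, `Guesses`, `Entropy`, `Validate` and `WordlistEntropy` are mine, as is the `WordlistEntropy` helper, which is added to show the caveat that a passphrase built from a word list has far less entropy than the character-level model assigns it. The sample passwords are constructed for the demo.

```go
package main

import (
	"fmt"
	"math"
	"math/big"
	"strings"
)

// The 32 printable ASCII specials that the README counts as one character set.
const specials = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

// Base implements the "base" rule described above: each character set that
// appears in the password contributes its size, and every unique character
// outside those sets (spaces, non-ASCII letters, ...) adds 1.
func Base(password string) int {
	var hasLower, hasUpper, hasDigit, hasSpecial bool
	extra := map[rune]struct{}{}
	for _, r := range password {
		switch {
		case r >= 'a' && r <= 'z':
			hasLower = true
		case r >= 'A' && r <= 'Z':
			hasUpper = true
		case r >= '0' && r <= '9':
			hasDigit = true
		case strings.ContainsRune(specials, r):
			hasSpecial = true
		default:
			extra[r] = struct{}{}
		}
	}
	base := len(extra)
	if hasLower {
		base += 26
	}
	if hasUpper {
		base += 26
	}
	if hasDigit {
		base += 10
	}
	if hasSpecial {
		base += 32
	}
	return base
}

// Guesses returns base^length exactly. The value overflows int64 well before
// passphrase lengths, so it is computed with math/big.
func Guesses(password string) *big.Int {
	base := big.NewInt(int64(Base(password)))
	length := big.NewInt(int64(len([]rune(password))))
	return new(big.Int).Exp(base, length, nil)
}

// Entropy returns log2(Guesses) computed as length * log2(base), which avoids
// materialising the huge guess count. An empty password has zero entropy.
func Entropy(password string) float64 {
	base := Base(password)
	if base == 0 {
		return 0
	}
	return float64(len([]rune(password))) * math.Log2(float64(base))
}

// Validate is the only check a signup handler needs: reject when the estimated
// entropy is below minBits, with no rules about which character classes appear.
func Validate(password string, minBits float64) error {
	if bits := Entropy(password); bits < minBits {
		return fmt.Errorf("password has %.1f bits of estimated entropy, need at least %.1f", bits, minBits)
	}
	return nil
}

// WordlistEntropy (assumed helper, not part of the package) is the search space
// an attacker faces who knows the passphrase is `words` words drawn from a
// `listSize`-word list: words * log2(listSize).
func WordlistEntropy(words, listSize int) float64 {
	return float64(words) * math.Log2(float64(listSize))
}

func main() {
	// Constructed sample passwords.
	for _, pw := range []string{"abcdefg", "Tr0ub4dor&3", "super worm eaten human trike", "密码"} {
		fmt.Printf("%-32q base=%-3d guesses=%s entropy=%.1f bits\n",
			pw, Base(pw), Guesses(pw).String(), Entropy(pw))
	}
	// The passphrase scores about 133 bits under the character model, but if it
	// was generated from a 7776-word Diceware list it only carries 5*log2(7776).
	fmt.Printf("5-word Diceware passphrase as the attacker sees it: %.1f bits\n", WordlistEntropy(5, 7776))
	fmt.Println("abcdefg vs 60-bit minimum:", Validate("abcdefg", 60))
}
```

Running it reproduces the README figure of `8031810176` guesses (about 32.9 bits) for `abcdefg`, gives `super worm eaten human trike` a base of 27 (lowercase plus the space as one extra character) and roughly 133 bits, and shows the gap between that figure and the 64.6 bits a 5-word Diceware phrase really has, which is the reason to treat the character-level estimate as an upper bound and add a breached-password check alongside it.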
