Password strength checking library [closed]

Question

Can anyone recommend a Java library that contains methods that are suitable for performing server-side password strength checking in a webapp. Ideally the checker should be:

• configurable, allowing the deployer to supply different dictionaries, adjust weights of different criteria, and so on
• extensible allowing new criteria to be implemented if required
• implemented in pure Java
• not fundamentally intertwined with a tag libraries, UI components or "password management" functionality
• compatible with a GPL 3 project
• compatible with Spring wiring
• mavenized (ideally available through Maven Central)

Answer 1

Have a look at vt-password:

• configurable, allowing the deployer to supply different dictionaries, adjust weights of different criteria, and so on - Partially (yes to configurable, dictionaries, no to weighted criteria)
• extensible allowing new criteria to be implemented if required - Yes
• implemented in pure Java - Yes (and decent javadoc)
• not fundamentally intertwined with a tag libraries, UI components or "password management" functionality - Yes
• compatible with a GPL 3 project - Yes (LGPLv3/APLv2 dual-licensed as of November 2013)
• compatible with Spring wiring - Looks like
• mavenized (ideally available through Maven Central) - Yes (in central since version 3.0)

---

Update by @Stephen C.

The guys who do vt-password have made a number of API improvements since the question was originally answered, and one of the outcomes is that the classes are much easier to configure using Spring IoC. They have also uploaded it to Maven Central: http://mvnrepository.com/artifact/edu.vt.middleware/vt-password

---

Update 2020: vt-password has been replaced, sort of, by Passay

Answer 2

This is a followup answer to say that I did use vt-password, and I'm happy with the results.

I started out with vt-password version 2.0 and hacked it around a bit to get it to work with Spring wiring, and address the thread safety issues I alluded to in my comments on @Pascal's answer. That was enough to get on with.

A few weeks back, the vt-middleware team released vt-password 3.0, based (in small part) on my feedback concerning 2.0. This new release addressed all of the issues I had hacked around, and I have now ditched my local mods and am using vt-password 3.0 as is. They have also uploaded their stuff to Maven Central, and improved the online documentation.