
Comments (2)

MrWook avatar MrWook commented on June 12, 2024

Hey thanks for the comment!

I see why you think it is weird that a pwned password with only one more character jumps from 0 to a 4, but the problem is you can't use the Levenshtein distance with the Have I Been Pwned API because the passwords are encrypted and you only check against this encryption and not the real password.

I get why you think those passwords seem to be "weak", but a password isn't strong just because it has a special character, a number, an uppercase letter etc. For example, P4$$w0rd has everything it needs, but it's worthless.
This library takes attack patterns from hackers and forms them into a scoring.

One could change the scoring to 1-10 instead of 0-4, but it wouldn't change the outcome, because johnwick2030 would still have the same guess count, which is the base of the scoring.
From the code:

    const DELTA = 5
    if (guesses < 1e3 + DELTA) {
      // risky password: "too guessable"
      return 0
    }
    if (guesses < 1e6 + DELTA) {
      // modest protection from throttled online attacks: "very guessable"
      return 1
    }
    if (guesses < 1e8 + DELTA) {
      // modest protection from unthrottled online attacks: "somewhat guessable"
      return 2
    }
    if (guesses < 1e10 + DELTA) {
      // modest protection from offline attacks: "safely unguessable"
      // assuming a salted, slow hash function like bcrypt, scrypt, PBKDF2, argon, etc
      return 3
    }
    // strong protection from offline attacks under same scenario: "very unguessable"
    return 4

This means that if we changed the scoring, we would add more if statements in between and at the beginning. Of course, one could say that the hardware is getting better and better, which means 1e10 isn't nearly as good as in 2012 when the code was written, but that is something else.
Every password can be cracked over time, so the only scoreable value is the guess count. Just because a human can remember the password doesn't mean it's a bad one. For example, if you use a whole sentence, it's a good password too.
Feel free to check out the talk by Daniel Lowe Wheeler, the original author of zxcvbn: https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler. It has a good explanation of this topic.

So I think the scoring change wouldn't change a thing, so that's a no from my side.
Adding matchers for "passwords based on their length, used special characters, numbers etc." is a no from my side too, because that is a very old paradigm that doesn't really fit in our time, as you can see in the presentation.
BUT that just means that I won't add them to the core library. Feel free to create your own custom matcher and score it as you see fit.
We already had a discussion about it here: #15
So I added custom matchers. In the documentation there is an example for a minLength matcher: https://zxcvbn-ts.github.io/zxcvbn/guide/matcher/#custom

from zxcvbn.

MrWook avatar MrWook commented on June 12, 2024

I will close this issue for now because of inactivity. If there are other questions, please open a discussion.

from zxcvbn.
