Comments (2)
Hey thanks for the comment!
I see why you think it is weird that a pwned password with only one more character jumps from 0 to a 4, but the problem is you can't use the Levenshtein distance with the Have I Been Pwned API, because the passwords are encrypted and you only check against this encryption and not the real password.
I get why you think those passwords seem to be "weak", but a password isn't strong just because it has a special character, a number, an uppercase letter etc. For example, P4$$w0rd has everything it needs, but it's worthless.
This library takes attack patterns from hackers and forms them into a scoring.
One could change the scoring to 1-10 instead of 0-4, but it wouldn't change the outcome, because johnwick2030 would still have the same guess count, which is the base of the scoring.
From the code:

```js
// Excerpt from the zxcvbn-ts scoring code; the surrounding function
// name is assumed here so the snippet runs on its own.
const DELTA = 5

function guessesToScore(guesses) {
  if (guesses < 1e3 + DELTA) {
    // risky password: "too guessable"
    return 0
  }
  if (guesses < 1e6 + DELTA) {
    // modest protection from throttled online attacks: "very guessable"
    return 1
  }
  if (guesses < 1e8 + DELTA) {
    // modest protection from unthrottled online attacks: "somewhat guessable"
    return 2
  }
  if (guesses < 1e10 + DELTA) {
    // modest protection from offline attacks: "safely unguessable"
    // assuming a salted, slow hash function like bcrypt, scrypt, PBKDF2, argon, etc
    return 3
  }
  // strong protection from offline attacks under same scenario: "very unguessable"
  return 4
}
```
This means if we changed the scoring, we would add more if statements in between and at the beginning. Of course, one could say that the hardware is getting better and better, which means 1e10 isn't nearly as good as in 2012 when the code was written, but that is something else.
Every password can be cracked over time, so the only scoreable value is the guess count. Just because a human can remember the password doesn't mean it's a bad one. For example, if you use a whole sentence, it's a good password too.
Feel free to check out the talk by Daniel Lowe Wheeler, the original author of zxcvbn: https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler. It has a good explanation of this topic.
So I think the scoring change wouldn't change a thing, so that's a no on my side.
Adding matchers for "passwords based on their length, used special characters, numbers etc." is a no from my side too, because that is a very old paradigm that doesn't really fit in our time, as you can see in the presentation.
BUT that just means that I won't add them to the core library. Feel free to create your own custom matcher and score it as you see fit.
We already had a discussion about it here: #15
So I added custom matchers. In the documentation there is an example for a minLength matcher: https://zxcvbn-ts.github.io/zxcvbn/guide/matcher/#custom
from zxcvbn.
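The threshold logic the maintainer quotes above, as an added example that is not code from the zxcvbn-ts project: the same guesses-to-score mapping with its boundaries made configurable (the "more if statements" variant), a hypothetical finer 0-10 scale, and the attacker rates that explain why each default boundary sits where it does. The per-second rates are an assumption on my part, chosen to match the upstream zxcvbn time estimator as I remember it, not values taken from this thread.

```javascript
// Added example, not zxcvbn-ts code. Same DELTA as the quoted snippet:
// a guess count sitting exactly on a boundary keeps the lower score.
const DELTA = 5;

// The four boundaries from the quoted code, in ascending order.
const DEFAULT_THRESHOLDS = [1e3, 1e6, 1e8, 1e10];

// Hypothetical finer scale (0-10) built by inserting extra boundaries.
const FINE_THRESHOLDS = [1e2, 1e3, 1e4, 1e6, 1e7, 1e8, 1e9, 1e10, 1e11, 1e12];

// Returns the index of the first threshold the guess count stays below,
// or thresholds.length (the top score) if it clears all of them.
function guessesToScore(guesses, thresholds = DEFAULT_THRESHOLDS) {
  for (let i = 0; i < thresholds.length; i++) {
    if (guesses < thresholds[i] + DELTA) return i;
  }
  return thresholds.length;
}

// Assumed attacker rates in guesses per second (see lead-in). They are
// what turns a raw guess count into the "online throttled" /
// "online unthrottled" / "offline slow hash" labels in the comments.
const ATTACK_RATES = {
  onlineThrottled100PerHour: 100 / 3600,
  onlineUnthrottled10PerSecond: 10,
  offlineSlowHashing1e4PerSecond: 1e4,
  offlineFastHashing1e10PerSecond: 1e10,
};

// Seconds an attacker needs to exhaust `guesses` at each assumed rate.
function crackSeconds(guesses) {
  const out = {};
  for (const [name, rate] of Object.entries(ATTACK_RATES)) {
    out[name] = guesses / rate;
  }
  return out;
}

// The maintainer's point: any monotone rescaling of the same guess count
// cannot invert the ranking of two passwords. Returns true when the two
// scales never disagree on which of g1/g2 is stronger.
function sameOrdering(g1, g2, scaleA, scaleB) {
  const a = Math.sign(guessesToScore(g1, scaleA) - guessesToScore(g2, scaleA));
  const b = Math.sign(guessesToScore(g1, scaleB) - guessesToScore(g2, scaleB));
  return a * b >= 0;
}
```

Swapping DEFAULT_THRESHOLDS for FINE_THRESHOLDS changes the label a password gets, never its position relative to another password with a different guess count, which is why the maintainer treats the guess count as the only scoreable value.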
I will close this issue for now because of inactivity. If there are other questions, please open a discussion.
from zxcvbn.