
Comments (5)

MrWook avatar MrWook commented on June 12, 2024

Hey, thanks for the suggestion.
I like the idea; the problem is that this would be a combination of the dictionary matcher and the sequence matcher.
Basically you need a dictionary for every language that has those sequences. For example, like this:

{
  "numbers": [
    "one",
    "two",
    "three"
...
  ],
  "seasons": [
    "spring",
    "summer",
    "autumn",
    "winter"
  ]
...
}

This would mean you need to use the dictionary matcher to identify all those different words, and then you need to use some kind of sequence matcher to go through all those matches to check whether they are in a row.

I like the general idea of this, but I don't see the solution right now. If you have an idea, feel free to open a PR or create your own package; since 1.0.0-beta-0 custom matchers are possible, but I think it would be easier to add it to the repo to reuse the dictionary and add a custom DictionarySequence matcher.

from zxcvbn.
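A sketch of the two-pass matcher described in the comment above, as an added example that is not code from zxcvbn, zxcvbn-ts or any commenter: a dictionary pass over ordered word lists, then a sequence pass that chains hits which are adjacent both in the password and in their list. The ordered lists in ORDERED_DICTS, the match shape, the names findDictionaryHits and dictionarySequenceMatch, and the guess formula are assumptions made here for illustration.

```typescript
// Added example (not zxcvbn or zxcvbn-ts code): a "DictionarySequence" matcher
// built as a dictionary pass followed by a sequence pass. The ordered lists, the
// match shape and the guess formula are assumptions made for illustration.

type OrderedDictionaries = { [name: string]: string[] };

// Constructed sample of ordered lists; each array is in its natural order.
const ORDERED_DICTS: OrderedDictionaries = {
  numbers: ["one", "two", "three", "four", "five", "six", "seven", "eight", "nine", "ten"],
  seasons: ["spring", "summer", "autumn", "winter"],
  weekdays: ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"],
};

// One hit from the dictionary pass: where the word sits in the password and
// where it sits in its ordered list.
interface DictHit {
  i: number;    // start offset in the password
  j: number;    // end offset, inclusive (zxcvbn convention)
  dict: string; // name of the ordered list the word came from
  rank: number; // position of the word inside that list
}

interface DictionarySequenceMatch {
  pattern: "dictionarySequence";
  token: string;
  i: number;
  j: number;
  dict: string;
  ascending: boolean;
  words: number;   // number of consecutive list entries in the run
  guesses: number; // assumed estimate, see dictionarySequenceMatch
}

// Pass 1, the dictionary part: every substring equal to an entry of an ordered
// list becomes a hit, sorted by position so pass 2 can walk them left to right.
function findDictionaryHits(password: string, dicts: OrderedDictionaries): DictHit[] {
  const lower = password.toLowerCase();
  const hits: DictHit[] = [];
  for (const dict in dicts) {
    (dicts[dict] ?? []).forEach((word, rank) => {
      for (let at = lower.indexOf(word); at !== -1; at = lower.indexOf(word, at + 1)) {
        hits.push({ i: at, j: at + word.length - 1, dict, rank });
      }
    });
  }
  return hits.sort((a, b) => a.i - b.i || a.j - b.j);
}

// True when b continues a: same list, directly after it in the password, and
// one step further along the list in the given direction (+1 or -1).
function continues(a: DictHit, b: DictHit, step: number): boolean {
  return a.dict === b.dict && b.i === a.j + 1 && b.rank === a.rank + step;
}

function findNext(hits: DictHit[], last: DictHit, step: number): DictHit | undefined {
  for (const h of hits) if (continues(last, h, step)) return h;
  return undefined;
}

// Pass 2, the sequence part: from each hit, extend a chain as far as it goes in
// each direction. Only maximal runs are reported: a hit that an earlier hit
// already chains into is not used as a start point.
function dictionarySequenceMatch(
  password: string,
  dicts: OrderedDictionaries = ORDERED_DICTS,
): DictionarySequenceMatch[] {
  const hits = findDictionaryHits(password, dicts);
  const matches: DictionarySequenceMatch[] = [];
  for (const start of hits) {
    for (const step of [1, -1]) {
      if (hits.some((prev) => continues(prev, start, step))) continue;
      let last = start;
      let words = 1;
      let next = findNext(hits, last, step);
      while (next !== undefined) {
        last = next;
        words++;
        next = findNext(hits, last, step);
      }
      if (words < 2) continue;
      // Assumed guess model: the attacker picks a list, a starting entry in it
      // and a direction, then pays once more per extra word in the run.
      const listSize = (dicts[start.dict] ?? []).length;
      matches.push({
        pattern: "dictionarySequence",
        token: password.slice(start.i, last.j + 1),
        i: start.i,
        j: last.j,
        dict: start.dict,
        ascending: step === 1,
        words,
        guesses: listSize * 2 * words,
      });
    }
  }
  return matches;
}

console.log(JSON.stringify(dictionarySequenceMatch("onetwothree!"), null, 2));
```

Overlapping runs (for instance "onetwo" and "twoone" inside "onetwoone") are both reported, in the same spirit as zxcvbn's other matchers, and it is left to the scoring step to pick the cheapest cover of the password; the guess formula above is a placeholder, not zxcvbn's sequence scoring.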

softwarecreations avatar softwarecreations commented on June 12, 2024


modest avatar modest commented on June 12, 2024

I had a similar, broader idea:

Since Dropbox kicked off this project, there have been some public leaks of unhashed password lists that should be game-changing data sources for a project like this. Instead of assuming that passwords use common words in the same frequency as written text ("you, to, it, that, ..."), we can rank them based on their actual usage in passwords.

Based on actual leaked password lists, we can improve entropy scoring based on (1) the popularity of the password structure (set of patterns; e.g. (word)(number)(symbol) > (symbol)(word)(symbol)) and (2) the rank/weight of each particular pattern within those sets (e.g. onetwothreefour > correcthorsebatterystaple). That first exercise – determining the entropy of the password structure itself – was waived by the original project due to lack of data.

Of course, this exercise is the same as improving the efficiency of a password cracker. But that was essentially the point of zxcvbn to begin with – to help password strength meters "catch up" to password cracking libraries.

(I understand that this fork is focused on cleanup, tech debt, and other higher priority things :) Hopefully it is flattering and not annoying that the suggestions are coming here now.)


MrWook avatar MrWook commented on June 12, 2024

@modest this fork isn't just a cleanup. I wanted to revive the project and the idea behind it, because I think those password policies are plain stupid.
I would love to see more matchers and contributions. That means your idea could be an extended version of the password dictionary as a separate matcher with a new password list.
Feel free to open your own issue for your idea, and if you have the time you can even make a PR :)


Tostino avatar Tostino commented on June 12, 2024

@modest and @MrWook, I did a little bit of thinking on this today, and I agree keeping those as separate matchers (or at least different match passes) seems like the right way to go.
As said, using leaked password dictionaries and ranking by frequency is one attack vector that should have a set of scores associated with it (what we do today), and word matching by frequency is a totally different attack vector that needs to be scored an entirely different way to work properly.

I'd be interested in implementing this in Nbvcxz as well if there seems to be a consensus in how the algorithm should work, and appropriate scoring values.

