About the zxcvbndata folder under the EBWebView directory

[duwenlong2]

I used Webview2 in WPF, and initialized the webview2 control with reference to the document; Found in security scan EBWebView\ZxcvbnData\3.0.0.0 There is a passwords.txt under the folder, but no description file was found. Now I need to explain what this file is. I checked the document and the problem on github, but there is no description about this.

https://learn.microsoft.com/zh-cn/microsoft-edge/webview2/concepts/user-data-folder?tabs=dotnet

Then I retrieved the combination of zxcvbn+password. Discovery is a password strength detection. However, an official explanation needs to be found when explaining to the safety review team;

Do you have any documents or materials in this regard?

[novac42]

@duwenlong2 Thanks for the report. We will take a look into this and get back to you asap.

[plantree]

Hi @duwenlong2,

You can refer to this article Why is there a passwords.txt file on my system that’s filled with somebody else’s passwords? from Microsoft devblog, which refers to this passwords.txt file.

So don’t panic about the passwords.txt file. It’s there to protect you from bad passwords.

This passwords.txt file is put under \ZxcvbnData. As you said, zxcvbn is an open source Low-Budget Password Strength Estimation, and this data is public and anonymous, and it's used to estimate the quality of passwords, not to record users' behaviors, so it should not involve security issues. By the way, the similar file could be found under Edge's user data directory.

Hope to solve your problems.

[duwenlong2]

Thank you for your reply

---

发件人: plantree @.> 发送时间: 2023年2月10日 3:17 收件人: MicrosoftEdge/WebView2Feedback @.> 抄送: duwenlong @.>; Mention @.> 主题: Re: [MicrosoftEdge/WebView2Feedback] About the zxcvbndata folder under the EBWebView directory (Issue #3204)

Hi @duwenlong2https://github.com/duwenlong2,

There is a blog called Why is there a passwords.txt file on my system that’s filled with somebody else’s passwords?https://devblogs.microsoft.com/oldnewthing/20221018-00/?p=107298 refer to this passwords.txt file.

So don’t panic about the passwords.txt file. It’s there to protect you from bad passwords.

This passwords.txt file is put under \ZxcvbnData. As you said, zxcvbnhttps://github.com/dropbox/zxcvbn is an open source Low-Budget Password Strength Estimation, and this datahttps://github.com/dropbox/zxcvbn/blob/master/data/passwords.txt is public and anonymous, and it's used to estimate the quality of passwords, not to record users' behaviors, so it should not involve security issues. By the way, the similar file could be found under Edge's user data directory.

Hope to solve your problems.

― Reply to this email directly, view it on GitHubhttps://github.com/MicrosoftEdge/WebView2Feedback/issues/3204#issuecomment-1425120035, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AP7E3WEPGZ74BLGUATHPRX3WWWXOPANCNFSM6AAAAAAUWA7AI4. You are receiving this because you were mentioned.Message ID: @.***>

[novac42]

@duwenlong2 You are welcome. Would you like to mark this issue as closed?