covert-encryption / covert-web

A prototype implementation of Covert running entirely in the browser

Upgrade to maintained version of zxcvbn #2

Closed covert-encryption closed 2 years ago

covert-encryption commented 2 years ago

Should use an actively maintained fork because Dropbox abandoned their open source development five years ago.

This one seems best: https://github.com/zxcvbn-ts/zxcvbn

sh-dv commented 2 years ago

Done. However, this package has different cracking time estimations:

{
    onlineThrottling100PerHour,
    onlineNoThrottling10PerSecond,
    offlineSlowHashing1e4PerSecond,
    offlineFastHashing1e10PerSecond
}

I chose to use the last one.

Example when estimating the crack time for "quitelegitlongpwd":

{
    onlineThrottling100PerHour: 'centuries',
    onlineNoThrottling10PerSecond: 'centuries',
    offlineSlowHashing1e4PerSecond: '14 years',
    offlineFastHashing1e10PerSecond: '8 minutes'
}

sh-dv commented 2 years ago

zxcvbn-ts shows a lower crack time estimate when using the built-in `zxcvbn(pwd).crackTimesDisplay.offlineFastHashing1e10PerSecond` compared to `TimeEstimates.displayTime((.7/100 * guesses) * costfactor(encode(pwd)))`.

That's why I switched to the default estimation.

covert-encryption commented 2 years ago

Covert does a custom calculation because we use stronger password hashing than anyone else, in particular for short passwords (that is what the costfactor adjusts for). Are you saying that zxcvbn-ts does not offer the number of guesses (needed for that calculation), or that it has no pretty output formatting function like `TimeEstimates.displayTime`?

Of the built-in options, onlineNoThrottling10PerSecond would be closest to reality and can be used at least until the proper calculation can be implemented.

sh-dv commented 2 years ago

Solved.