dropbox / python-zxcvbn

A realistic password strength estimator.
https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/
MIT License

Very different results from javascript. #14

Open choppsv1 opened 9 years ago

choppsv1 commented 9 years ago

The python code produces very different (and worrisome) results when compared to the javascript version. I use the python code in my change app to verify the password passes muster prior to changing it, so if anything I'd want it to be more strict than the client side JS version.

Password: FooBar2016
    JS:     score: 0, entropy: 18.541
    Python: score: 2, entropy: 30.089

Password: ZagDag2016
    JS:     score: 2, entropy: 32.783
    Python: score: 4, entropy: 44.264

If I had to choose I'd pick the JS version, the python one looks way too lenient.

(Full result for FooBar2016 below.)

JS:

```
Calling zxcvbn
{ password: 'FooBar2016',
  entropy: 18.541,
  match_sequence:
   [ { pattern: 'dictionary',
       i: 0,
       j: 5,
       token: 'FooBar',
       matched_word: 'foobar',
       rank: 908,
       dictionary_name: 'passwords',
       reversed: false,
       base_entropy: 9.826548487290916,
       uppercase_entropy: 4.392317422778761,
       reversed_entropy: 0,
       l33t_entropy: 0,
       entropy: 14.218865910069677 },
     { pattern: 'regex',
       token: '2016',
       i: 6,
       j: 9,
       regex_name: 'recent_year',
       regex_match: [Object],
       entropy: 4.321928094887363 } ],
  crack_time: 19.068,
  crack_time_display: '19.068000000000023 seconds',
  score: 0,
  calc_time: 8 }
```

Python:

```
python -c 'import zxcvbn; print zxcvbn.password_strength("FooBar2016")'
{'crack_time_display': '17.0 hours',
 'crack_time': 57103.66,
 'score': 2,
 'entropy': 30.089,
 'password': 'FooBar2016',
 'calc_time': 0.0005788803100585938,
 'match_sequence': [{'l33t_entropy': 0,
                     'dictionary_name': 'passwords',
                     'matched_word': 'foobar',
                     'base_entropy': 9.826548487290916,
                     'i': 0,
                     'pattern': 'dictionary',
                     'j': 5,
                     'rank': 908,
                     'token': 'FooBar',
                     'entropy': 14.285980105928214,
                     'uppercase_entropy': 4.459431618637297},
                    {'i': 6,
                     'pattern': 'spatial',
                     'j': 8,
                     'shifted_count': 0,
                     'token': '201',
                     'entropy': 9.848831558033764,
                     'graph': 'keypad',
                     'turns': 2},
                    {'i': 9,
                     'pattern': 'bruteforce',
                     'j': 9,
                     'token': '6',
                     'entropy': 5.954196310386876,
                     'cardinality': 62}]}
```
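The two totals above, and the later observation that the ports pick different match sequences, can be checked by hand from the numbers the reporter posted, since in this (entropy-based) zxcvbn API the password entropy is just the sum over the chosen match sequence and the score is derived from the crack time that entropy implies. The following is an added example (my code, not the issue's or the project's) that reproduces both totals, their crack times and scores, and the capitalisation term of the `FooBar` dictionary match. Assumptions: the attacker model (one guess per 10 ms, 100 attackers, half the space searched) and the score thresholds (10^2, 10^4, 10^6, 10^8 seconds) are the ones the entropy-based zxcvbn used; which build sums the capitalisation binomial from i = 0 and which from i = 1 is inferred from the 22-versus-21 difference visible in the two `uppercase_entropy` values, not taken from the source of either port. The match tuples are a constructed data structure carrying the reporter's figures.

```python
import re
from math import comb, log2

# Per-match entropies copied from the two outputs quoted in the issue.
# The tuples (pattern, token, bits) are a constructed structure; the
# numbers are the reporter's.
JS_MATCHES = [
    ("dictionary", "FooBar", 14.218865910069677),
    ("regex", "2016", 4.321928094887363),
]
PY_MATCHES = [
    ("dictionary", "FooBar", 14.285980105928214),
    ("spatial", "201", 9.848831558033764),
    ("bruteforce", "6", 5.954196310386876),
]

# Assumed attacker model of the entropy-based zxcvbn API: one guess per
# 10 ms, 100 attackers in parallel, and on average the attacker has to
# search half of the space before hitting the password.
SECONDS_PER_GUESS = 0.01 / 100


def uppercase_variants(token, include_identity=True):
    """Number of capitalisations zxcvbn charges a dictionary match for.

    Reconstructed from the values on the page: log2(22) (Python port) vs
    log2(21) (JS) for 'FooBar' is the binomial sum over i = 0..min(U, L)
    with or without the i = 0 term (assumption about which build did what).
    """
    if not any(c.isalpha() for c in token) or token.islower():
        return 1                      # nothing to capitalise, no extra cost
    if token.isupper() or re.fullmatch(r"[A-Z][^A-Z]*", token) \
            or re.fullmatch(r"[^A-Z]*[A-Z]", token):
        return 2                      # Capitalised / ALLCAPS / endcapS: one extra bit
    upper = sum(c.isupper() for c in token)
    lower = sum(c.islower() for c in token)
    start = 0 if include_identity else 1
    return sum(comb(upper + lower, i) for i in range(start, min(upper, lower) + 1))


def dictionary_entropy(rank, token, include_identity=True):
    """log2(rank) for the word itself plus the bits for its capitalisation."""
    return log2(rank) + log2(uppercase_variants(token, include_identity))


def total_entropy(matches):
    """Password entropy is the sum over the match sequence the port picked."""
    return sum(bits for _, _, bits in matches)


def entropy_to_crack_time(entropy):
    return 0.5 * (2 ** entropy) * SECONDS_PER_GUESS


def crack_time_to_score(seconds):
    """Score thresholds of the entropy-based zxcvbn (assumed): 10^2..10^8 s."""
    for score, limit in enumerate((1e2, 1e4, 1e6, 1e8)):
        if seconds < limit:
            return score
    return 4


def evaluate(matches):
    bits = total_entropy(matches)
    seconds = entropy_to_crack_time(bits)
    return {"entropy": round(bits, 3), "crack_time": round(seconds, 2),
            "score": crack_time_to_score(seconds)}


def server_side_score(*results):
    """Policy for a password-change endpoint: never accept a password on the
    strength of the more lenient implementation; take the lowest score seen."""
    return min(r["score"] for r in results)


if __name__ == "__main__":
    js, py = evaluate(JS_MATCHES), evaluate(PY_MATCHES)
    print("JS     :", js)
    print("Python :", py)
    print("dictionary match, JS convention    :",
          round(dictionary_entropy(908, "FooBar", include_identity=False), 3))
    print("dictionary match, Python convention:",
          round(dictionary_entropy(908, "FooBar"), 3))
    print("score to enforce server-side:", server_side_score(js, py))
```

Run stand-alone, it reproduces 18.541 bits / 19 s / score 0 for the JS sequence and 30.089 bits / 57104 s / score 2 for the Python sequence, which shows the 11.5-bit gap is almost entirely the `regex` match (4.3 bits for `2016`) versus `spatial` + `bruteforce` (15.8 bits for `201` and `6`); the 0.07-bit difference in the dictionary match is noise by comparison. Until the ports agree, a server-side check that must be at least as strict as the client can apply `server_side_score` to whatever results it has.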

FirefighterBlu3 commented 8 years ago

It's not a perfect port of JS -> Python apparently; different match sequences are being executed. The JS original executes the dictionary and regex patterns. The Python port executes the dictionary, spatial, and bruteforce patterns.

FirefighterBlu3 commented 8 years ago

In any case, it looks like this project has been abandoned by the original owners, as there hasn't been any activity in quite a while. If we want it fixed, we'll have to do it ourselves.