Different score for the password strength for the same string between TypeScript and Java versions

[him11]

Hi.

I'm using zxcvbn libraries on back-end and front-end of an app. For front-end: https://github.com/zxcvbn-ts/zxcvbn For back-end: https://github.com/nulab/zxcvbn4j

The password strength score returned for the same password string, "Tiger@0177" is different for both the libraries. For TS version, it returns 3 (Strong) while for Java version, it returns 2 (Weak), which is giving a very bad UX for my users.

Can you suggest something why is this happening and is there a way to fix this issue? TIA.

[Emi75]

Any support on this issue pls?

[Emi75]

@him11 possible duplicate of https://github.com/nulab/zxcvbn4j/issues/84

[MrWook]

Hey, the typescript library is a fork of this JS one and is not "official". I forked it because this library is completely outdated. Which means the typescript port is an improved version with updated dictionaries, some fixes and new matchers. You used the password Tiger@0177 which results in a scoring of 3 for the typescript port. In the original library this it has a scoring of 2 like in the java port that you are using. That is because of the updated dictionaries. The password was splitted into Tiger and @0177. In the Typescript port Tiger is ranked 256 in the password dictionary while in the original library it is ranked 210 which results in a different guess count. You could say that the cap isn't very big to move a whole score but the 210 is already pretty close to the scoring of 3. All this can be seen in the comparison documentation of zxcvbn-ts https://zxcvbn-ts.github.io/zxcvbn/guide/comparison/

[Emi75]

Thanks @MrWook Looks like the TS unofficial porting is updated instead of the parent project and the related java porting. I have reached the owner of the java porting https://github.com/nulab/zxcvbn4j/issues/84 but looks like they don't have bandwidth to work on that. @MrWook what's your suggestion here?

[MrWook]

The problem on this one is that the original xato password list isn't available on the internet anymore. So you can't update it. I wanted to get my hands on the collection #1 - collection #5 lists but i'm not really a dark web user :D I think you have multiple options to handle this case:

1. Use the backend library only and make api calls with a debounce on password typing. Or only validate the password on save
2. Use the client library only
3. If you have node installed on your server you could use a little js script that is called on your backend to check the password
4. Maybe use https://github.com/GoSimpleLLC/nbvcxz instead of https://github.com/nulab/zxcvbn4j . It has has the same updated and feature like zxcvbn-ts but a few more that i had't have the time to work on yet. The last release was in 2020 but thats just because there isn't anything todo and it is kind of complete. The author is still active and helped me with the typescript port a lot