Open oasisweng opened 8 years ago
@oasisweng for devise_zxcvbn, as it's typical to do both server and client side validation, we've ended up using https://github.com/bitzesty/zxcvbn-js which is a fork of zxcvbn-ruby that just runs the JS with ExecJS so the results are the same.
Definitely a difference in the calculation of entropy... PR's welcome!
If you're using zxcvbn.js to display validation on the front end then it makes sense to use the same algorithm for the backend validation - https://github.com/bitzesty/zxcvbn-js
I think this is a serious blocker. Although, there is zxcvbn-js out there which uses ExecJS, I'm sure a pure Ruby version would be preferred by many.
It looks like the JS original version makes its calculation based on seeing `lu0525` as one token, rather than dividing it into `lu` and `0525` as this version does. I'm not sure where that decision is handled, but it seems like the right one to make.
```
sequence:
[ { pattern: 'dictionary',
    i: 0,
    j: 3,
    token: 'chen',
    matched_word: 'chen',
    rank: 631,
    dictionary_name: 'surnames',
    reversed: false,
    l33t: false,
    base_guesses: 631,
    uppercase_variations: 1,
    l33t_variations: 1,
    guesses: 631,
    guesses_log10: 2.800029359244134 },
  { pattern: 'bruteforce',
    token: 'lu0525',
    i: 4,
    j: 9,
    guesses: 1000000,
    guesses_log10: 5.999999999999999 } ]
```

versus

```
<Zxcvbn::Match matched_word="chen", token="chen", i=0, j=3, rank=635, pattern="dictionary",
dictionary_name="surnames", base_entropy=9.310612781659529, uppercase_entropy=0.0,
l33t_entropy=0, entropy=9.310612781659529>, #<Zxcvbn::Match pattern="bruteforce", i=4, j=5,
token="lu", entropy=10.339850002884624, cardinality=36>, #<Zxcvbn::Match i=6, j=9, token="0525" ... >
```
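To make the tokenization difference in the two outputs above concrete, here is an added, self-contained Ruby illustration (not code from zxcvbn-ruby or zxcvbn.js, and not part of this thread). It models the two approaches to the non-dictionary remainder `lu0525` of `chenlu0525`: one bruteforce token scored as `10 ** length` guesses (the figure the JS output reports), versus splitting at every character-class change and scoring each piece as `length * log2(cardinality)` with the cardinality of the whole password (the `cardinality=36` the Ruby output reports). The class sizes, the 51-guess floor and the whole-password cardinality rule are assumptions made for the illustration; the formulas are simplified and do not reproduce either library's final 0-4 score.

```ruby
# Added illustration, not zxcvbn-ruby or zxcvbn.js code.
# Two ways of scoring the non-dictionary gap "lu0525" in "chenlu0525".

# Model A (assumed to match the JS output in the thread): the whole gap is one
# bruteforce token with guesses = 10**length, floored at 51 for multi-char tokens.
MIN_MULTI_CHAR_GUESSES = 51 # assumed floor for a multi-character bruteforce token

def one_token_guesses(token)
  [10**token.length, MIN_MULTI_CHAR_GUESSES].max
end

# Model B (assumed to match the Ruby output in the thread): the gap is split
# wherever the character class changes, and each piece gets
# entropy = length * log2(cardinality), with cardinality taken from the whole password.
def char_class(ch)
  case ch
  when /[a-z]/ then :lower
  when /[A-Z]/ then :upper
  when /[0-9]/ then :digit
  else :symbol
  end
end

# Split a string into runs of one character class: "lu0525" -> ["lu", "0525"]
def split_by_class(token)
  token.chars.slice_when { |a, b| char_class(a) != char_class(b) }.map(&:join)
end

# Assumed alphabet sizes per class; "chenlu0525" uses lower + digit = 26 + 10 = 36
CLASS_SIZES = { lower: 26, upper: 26, digit: 10, symbol: 33 }.freeze

def cardinality(password)
  password.chars.map { |c| char_class(c) }.uniq.sum { |k| CLASS_SIZES[k] }
end

def split_entropy_bits(token, card)
  split_by_class(token).sum { |piece| piece.length * Math.log2(card) }
end

# Express guesses in bits so both models sit on one axis
def guesses_to_bits(guesses)
  Math.log2(guesses)
end

# Compare both models for the gap of a given password
def compare(password, gap)
  card = cardinality(password)
  {
    pieces: split_by_class(gap),
    one_token_bits: guesses_to_bits(one_token_guesses(gap)),
    split_bits: split_entropy_bits(gap, card)
  }
end

if __FILE__ == $PROGRAM_NAME
  p compare("chenlu0525", "lu0525")
end
```

The `split_bits` value for the `lu` piece comes out at the 10.3398 bits the Ruby output shows, while `one_token_bits` corresponds to the 1,000,000 guesses the JS output shows; the two models measure different quantities on different scales, which is why the same password lands on different scores in the two libraries and why the thread's advice is to run the same algorithm on both client and server.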
Just ran into this issue too. JS says "Bilbo Baggin" scores 4, while zxcvbn-ruby says it scores 3. Would be grateful if someone more capable than me could fix this as the JS version feels a lot slower.
I changed to zxcvbn-js because of this. Correctness is more important than speed.
Having the same issue here: the ruby version fails to recognise repetitive inputs. For example, "rtrtrt" will give 0 from both the js and ruby versions; one more "rt" will still give 0 from the js version but 1 from ruby, and every single following "rt" will give +1 to the score on the ruby side up to the highest one, while js still gives it a 0.
I'm facing similar issues with the password "my_new_password". zxcvbn-ruby (1.2.0) score: 1; zxcvbn.js (4.4.2) score: 3.
@jsaglio42 how did you go with your issue? did you find a way out?
I want to test the password strength on my Staff.rb model. But using a Rails console and testing a password such as "chenlu0525" with `Zxcvbn.test` will give a score of 2, while calling `zxcvbn("chenlu0525")` will give a score of 3.

Here is the result for `zxcvbn("chenlu0525")` (score: 3):

Here is the result for `Zxcvbn.test("chenlu0525")` (score: 2):

Any idea why? How to fix?
I am using Rails 4. Also, I use Devise, Client_Side_Validations and Simple_Form, if there is a workaround using devise_zxcvbn, it will work too.