sthenauth / zxcvbn-hs

Password strength estimation based on zxcvbn
https://code.devalot.com/sthenauth/zxcvbn-hs
MIT License

Repeated patterns accepted too easily? #1

Open timds opened 4 years ago

timds commented 4 years ago

Hi,

In dropbox's zxcvbn library, which I can test here, passwords with clearly repeating patterns get low scores. E.g. "ab ab ab" and "aa aaa aa" are scored as 1/4. In zxcvbn-hs, the same passwords are considered "Safe".

Is there a bug in the pattern checking?

(Aside: By contrast, the dictionary checking seems to be stricter: e.g. "set your password" is considered "Moderate" by zxcvbn-hs but 4/4 by dropbox's library)

pjones commented 4 years ago

Hi @timds.

zxcvbn-hs is not an exact line-by-line port of the dropbox library. I based it on the USENIX paper and used the dropbox implementation as a guide when the paper was vague. In other words, they aren't always going to agree with one another.

The pattern checking feature is very different in my implementation. In the original version the password fragments go through a regular expression engine multiple times to find the patterns. In the Haskell version no regular expressions are used.

If you feel there are specific checkers that are providing erroneous scores we should talk about that. However, based on the password cracking techniques that I'm familiar with, checkers like the pattern finder aren't that valuable in practice.
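For readers who want to see concretely why a regex-based repeat matcher pushes "ab ab ab" and "aa aaa aa" down to a low band, here is a small illustration written for this thread. It is not code from zxcvbn-hs or from dropbox/zxcvbn; it only mirrors the two-regex (greedy and lazy back-reference) repeat search and the guesses = base_guesses × repeat_count rule described in the zxcvbn paper, and everything else is a deliberate simplification marked as such in the comments: unmatched characters and base tokens are costed as brute force at an assumed 10 guesses per character, there are no dictionary, date or sequence matchers, and the 0..4 score bands are the ones I recall from the dropbox library (treat the exact thresholds as an assumption).

```javascript
// Added illustration for this issue thread, not zxcvbn-hs or dropbox/zxcvbn code.
// Simplifications (assumptions): brute-force cost is 10^len, the base token of a
// repeat is costed as brute force instead of being re-run through a full matcher,
// and total guesses = product of segment guesses * (number of segments)!.
const BRUTEFORCE_CARDINALITY = 10; // assumed per-character guess cost

function bruteforceGuesses(token) {
  return Math.pow(BRUTEFORCE_CARDINALITY, token.length);
}

// Find non-overlapping repeated substrings, scanning left to right. A greedy
// (.+)\1+ and a lazy (.+?)\1+ search run from the same position; the longer
// match wins, and the base token of a greedy match is recovered by re-matching
// it lazily and anchored (so "aa aaa a" yields base "aa a", not "a").
function findRepeats(password) {
  const greedy = /(.+)\1+/g;
  const lazy = /(.+?)\1+/g;
  const lazyAnchored = /^(.+?)\1+$/;
  const matches = [];
  let lastIndex = 0;
  while (lastIndex < password.length) {
    greedy.lastIndex = lastIndex;
    lazy.lastIndex = lastIndex;
    const g = greedy.exec(password);
    if (!g) break; // both regexes accept exactly the same strings
    const l = lazy.exec(password);
    let match, baseToken;
    if (g[0].length > l[0].length) {
      match = g;
      baseToken = lazyAnchored.exec(g[0])[1];
    } else {
      match = l;
      baseToken = l[1];
    }
    const i = match.index;
    const j = i + match[0].length - 1;
    matches.push({
      i, j, token: match[0], baseToken,
      repeatCount: match[0].length / baseToken.length,
    });
    lastIndex = j + 1;
  }
  return matches;
}

// Repeat rule from the paper: guessing the base token once, then repeating it.
function repeatGuesses(match) {
  return bruteforceGuesses(match.baseToken) * match.repeatCount;
}

function factorial(n) {
  let f = 1;
  for (let k = 2; k <= n; k++) f *= k;
  return f;
}

// Score bands as recalled from the dropbox library (assumption): thresholds
// 1e3, 1e6, 1e8, 1e10 with a small delta so exact powers of ten fall low.
function guessesToScore(guesses) {
  const DELTA = 5;
  if (guesses < 1e3 + DELTA) return 0;
  if (guesses < 1e6 + DELTA) return 1;
  if (guesses < 1e8 + DELTA) return 2;
  if (guesses < 1e10 + DELTA) return 3;
  return 4;
}

// Split the password into repeat segments and brute-force gaps, multiply the
// per-segment guesses and apply the ordering penalty (segments!).
function estimateGuesses(password) {
  const segments = [];
  let pos = 0;
  const pushBruteforce = (token) =>
    segments.push({ kind: 'bruteforce', token, guesses: bruteforceGuesses(token) });
  for (const m of findRepeats(password)) {
    if (m.i > pos) pushBruteforce(password.slice(pos, m.i));
    segments.push({ kind: 'repeat', token: m.token, baseToken: m.baseToken,
                    repeatCount: m.repeatCount, guesses: repeatGuesses(m) });
    pos = m.j + 1;
  }
  if (pos < password.length) pushBruteforce(password.slice(pos));
  const guesses = segments.reduce((acc, s) => acc * s.guesses, 1) * factorial(segments.length);
  return { password, segments, guesses, score: guessesToScore(guesses) };
}

// Constructed sample inputs: the two passwords from the report plus a
// same-length password with no repeats for comparison.
for (const pw of ['ab ab ab', 'aa aaa aa', 'aaaaaaaa', 'ab cd ef']) {
  const r = estimateGuesses(pw);
  console.log(JSON.stringify(pw), 'guesses=' + r.guesses, 'score=' + r.score,
    r.segments.map((s) => s.kind + ':' + JSON.stringify(s.token)).join(' '));
}
```

With these assumptions "ab ab ab" becomes one repeat of base "ab " (2 × 10^3) plus a brute-force tail "ab" (10^2), 400 000 guesses in total and a score of 1, while the same eight characters without repetition cost 10^8 and score 2. The point is only that a repeat matcher collapses the cost of the repeated part to roughly the cost of one copy; real zxcvbn recurses into the base token and runs its other matchers, so its numbers differ.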

timds commented 4 years ago

That sounds reasonable to me, thanks. Still, intuitively, "ab ab ab" at 8 characters doesn't seem particularly safe, and I wonder whether a short password with repetitions like that could be penalised slightly more than it is currently, but I agree it may not be worth it if it's not a trivial change.

pjones commented 4 years ago

I'm going to leave this issue open as a reminder to look at the pattern code and see if there is a way to make something like this have a lower score.