trichards57 / zxcvbn-cs

C#/.NET port of Dan Wheeler/DropBox's Zxcvbn JS password strength estimation library
MIT License
59 stars 19 forks

Interesting evaluation result #23

Closed adam-rogan-pingworks-92 closed 3 years ago

adam-rogan-pingworks-92 commented 3 years ago

We have some unit tests that are designed to build up the score and crack time as they go. After updating from an old version of this library the test failed today:

Zxcvbn.Core.EvaluatePassword( "he1!o-r123 there" ); // score: 4   time: 24 years
Zxcvbn.Core.EvaluatePassword( "he1!o-r123 there handsome" ); // score: 0   time: less than a second

How is it possible that making the exact same password significantly longer reduces the cracktime by > 20 years? Must be a bug, no?

trichards57 commented 3 years ago

So the dictionaries have changed quite significantly since the last update, but that does look very odd. I shall dig into it.

trichards57 commented 3 years ago

Okay, it looks like this is a simple case of your password being too hard, and the numbers overflowing. I've just filed an update to switch to doubles instead, it will come out as Version 6.0.### once the CI has done its thing.
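The failure mode described in that last comment, as an added example that is not the library's code (written in Go rather than C#): zxcvbn multiplies the per-match guess estimates of the chosen match sequence and maps the product to a 0-4 score and a crack time, so if that product is held in a fixed-width integer it wraps once the password is "too hard", while a double simply keeps growing. The per-match guess counts below are constructed for the illustration, not the library's real estimates for the two passwords in the issue.

```go
package main

import "fmt"

// zxcvbn's score step (upstream scoring.js, delta = 5): guesses -> 0..4.
func scoreFromGuesses(guesses float64) int {
	const delta = 5 // upstream's fudge factor
	thresholds := []float64{1e3, 1e6, 1e8, 1e10}
	for score, th := range thresholds {
		if guesses < th+delta {
			return score
		}
	}
	return 4
}

// Product of per-match guess estimates in int64. Go defines signed overflow as
// two's-complement wraparound, which is also what an unchecked C# long does.
func productInt64(matchGuesses []int64) int64 {
	p := int64(1)
	for _, g := range matchGuesses {
		p *= g
	}
	return p
}

// Same product in float64: no wraparound, only rounding; huge values stay huge.
func productFloat64(matchGuesses []int64) float64 {
	p := 1.0
	for _, g := range matchGuesses {
		p *= float64(g)
	}
	return p
}

// Crack time at zxcvbn's offline fast-hashing rate of 1e10 guesses per second.
func crackTimeSeconds(guesses float64) float64 { return guesses / 1e10 }

// Constructed per-match guess counts (not the library's real estimates).
var shortPassword = []int64{2_000_000, 500_000, 5_000_000} // product 5e18: fits in int64
var longPassword = append(shortPassword, 10_000)            // product 5e22: wraps in int64

func main() {
	for _, m := range [][]int64{shortPassword, longPassword} {
		w, f := productInt64(m), productFloat64(m)
		fmt.Printf("int64: %d -> score %d, %.0fs | float64: %g -> score %d, %.0fs\n",
			w, scoreFromGuesses(float64(w)), crackTimeSeconds(float64(w)), f, scoreFromGuesses(f), crackTimeSeconds(f))
	}
}
```

The wrapped int64 product is negative, which lands in the lowest score band and yields a negative crack time; upstream's display step reports any time under one second, a negative one included, as "less than a second", which is exactly the pair of numbers the issue reports.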