zxcvbn-ts / zxcvbn

Low-Budget Password Strength Estimation
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler
MIT License

repeat matcher is causing repeat characters to be tested in other matchers #242

Closed U-4-E-A closed 10 months ago

U-4-E-A commented 1 year ago

Password example: -

"llkkmmnnjjhh"

Testing in the Matching->match() function: -

  match(password) {
      console.log("Password : ", password)
      [...]
  };

Output: -

Password :  llkkmmnnjjhh
Password :  l
Password :  k
Password :  m
Password :  n
Password :  j
Password :  h

It would seem to me that this is a bug? I noticed because I was checking the password values being passed to my custom matcher and noticed random characters being passed and then noticed this was only happening for the repeat characters in the password.

This only happens when repeat matcher is enabled.

MrWook commented 1 year ago

Hey @U-4-E-A, thank you for your concern, but this is the correct behaviour. The repeat matcher will get a baseGuess from the other matchers. This seems to make no sense if you just have letters which are repeated, but makes a lot more sense if you have whole words.

For example, the repeat scoring is completely different for words like password and encyclopedia, as the first one has a baseGuess of 2 while the second one has a base guess of 4921 from the other matchers. This base guess is then multiplied by the number of repeats.
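The behaviour described in this thread, as an added example that is not part of the original comments and is not zxcvbn-ts code: a simplified repeat matcher that sends each repeated base token back through the full matcher pipeline, which is why a custom matcher receives single characters. All function names, the regex, and the fallback estimate are assumptions made for illustration; only the base guesses 2 and 4921 come from the thread.

```javascript
// Simplified model of the behaviour described in the thread. All names are
// hypothetical; this is not zxcvbn-ts source code.
const seen = []; // every string handed to the custom matcher

// Stand-in for a user-supplied custom matcher: it only records its input.
function customMatcher(password) {
  seen.push(password);
  return [];
}

// Stand-in for the guesses the other matchers would return for a base token.
// The two named values are the ones quoted in the thread; the fallback is a
// constructed placeholder, not the library's estimate.
const BASE_GUESSES = new Map([["password", 2], ["encyclopedia", 4921]]);
const baseGuessesFor = (token) => BASE_GUESSES.get(token) ?? 10 ** token.length;

function repeatMatcher(password) {
  const matches = [];
  const re = /(.+?)\1+/g; // shortest unit that repeats at least twice
  let m;
  while ((m = re.exec(password)) !== null) {
    const baseToken = m[1];
    // The base token goes back through every matcher, custom ones included.
    // This recursive call is why single characters reach the custom matcher.
    match(baseToken);
    const repeatCount = m[0].length / baseToken.length;
    const guesses = baseGuessesFor(baseToken) * repeatCount;
    matches.push({ token: m[0], baseToken, repeatCount, guesses });
  }
  return matches;
}

function match(password) {
  return [...customMatcher(password), ...repeatMatcher(password)];
}

// Runs one top-level match and reports what the custom matcher was given.
function trace(password) {
  seen.length = 0;
  const matches = match(password);
  return { seen: [...seen], matches };
}

console.log(trace("llkkmmnnjjhh").seen);
```

A custom matcher therefore has to tolerate short sub-tokens as input, not only the full password the user typed.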

MrWook commented 10 months ago

This issue should be resolved.