zxcvbn-ts / zxcvbn

Low-Budget Password Strength Estimation
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler
MIT License
907 stars 72 forks source link

User input doesn't affect the scoring #248

Closed davidgeary closed 9 months ago

davidgeary commented 9 months ago

AIUI, the idea of supplying user inputs is that if any of the supplied words appear in the password, the score is reduced (to zero?) to indicate it's not secure. But in both my own code and the project's demo page, it doesn't appear to be affecting the score at all.

Testing the phrase "this is a really strong password" on the demo page gives:

Adding "strong" to the user inputs would, I'd have thought, reduce the score, but it remains at 4/4. Even setting the password and user input to the exact same value, e.g. "thisisareallystrongpassword", makes no difference.

Is this right or am I misunderstanding what user inputs are for?

MrWook commented 9 months ago

Hello @davidgeary, the userInputs dictionary functions like any other dictionary, assigning a specific guess count to parts of the password. For instance, if your string is "this is a really strong password" and "strong" is in the userInputs dictionary, the password strength evaluation for the portion "strong" will be lower compared to when it's not in userInputs.

Zxcvbn-ts evaluates the entire string, even if the rest of the string is strong. This means that a long string with weak inputs could still be considered a strong password according to zxcvbn-ts.

Taking your example of "this is a really strong password", on the demo page, the english dictionary is utilized, and "strong" is already ranked at 651. Consequently, the impact of adding "strong" to the userInputs dictionary, considering it was initially in the English dictionary, might not significantly affect the overall ranking.

On the demo page you first need to add values to the userInputs dictionary and than use the password field, it will be correctly recognized, and the score will be 0 for "thisisareallystrongpassword".

MrWook commented 9 months ago

Since this seems to be answered here, i will close the issue

davidgeary commented 9 months ago

Sorry for the late response, @MrWook and thanks for the answer; it does explain it (better than the docs anyway 😁).

FYI, I can't replicate your last example on the demo page though. Setting the userInputs to "strong" and the password to "thisisareallystrongpassword" still gives a score of 4/4.

MrWook commented 9 months ago

So i need to improve the docs 👍

Thats is the correct behaviour. thisisareallystrongpassword contains multiple words that are recognized by the dictionaries. strong is already inside the lastnames dictionary on rank 651 which is not so far of from rank 1 in the userInputs dictionary. But even if it wouldn't be in any dictionary it would not matter so much as this consist of multiple words which strengthen the password by each word.

I think the orignal author can explain it better than me, this isn't my strong point. You can read the publication about zxcvbn here https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler or watch the talk from the original author