zxcvbn-ts / zxcvbn

Low-Budget Password Strength Estimation
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler
MIT License

User input doesn't affect the scoring #248

Closed davidgeary closed 7 months ago

davidgeary commented 8 months ago

AIUI, the idea of supplying user inputs is that if any of the supplied words appear in the password, the score is reduced (to zero?) to indicate it's not secure. But in both my own code and the project's demo page, it doesn't appear to be affecting the score at all.

Testing the phrase "this is a really strong password" on the demo page gives:

Adding "strong" to the user inputs would, I'd have thought, reduce the score, but it remains at 4/4. Even setting the password and user input to the exact same value, e.g. "thisisareallystrongpassword", makes no difference.

Is this right or am I misunderstanding what user inputs are for?

MrWook commented 8 months ago

Hello @davidgeary, the userInputs dictionary functions like any other dictionary, assigning a specific guess count to parts of the password. For instance, if your string is "this is a really strong password" and "strong" is in the userInputs dictionary, the password strength evaluation for the portion "strong" will be lower compared to when it's not in userInputs.

Zxcvbn-ts evaluates the entire string, even if the rest of the string is strong. This means that a long string with weak inputs could still be considered a strong password according to zxcvbn-ts.

Taking your example of "this is a really strong password", on the demo page, the english dictionary is utilized, and "strong" is already ranked at 651. Consequently, the impact of adding "strong" to the userInputs dictionary, considering it was initially in the English dictionary, might not significantly affect the overall ranking.

On the demo page you first need to add values to the userInputs dictionary and then use the password field; it will be correctly recognized, and the score will be 0 for "thisisareallystrongpassword".

MrWook commented 7 months ago

Since this seems to be answered here, I will close the issue.

davidgeary commented 7 months ago

Sorry for the late response, @MrWook and thanks for the answer; it does explain it (better than the docs anyway 😁).

FYI, I can't replicate your last example on the demo page though. Setting the userInputs to "strong" and the password to "thisisareallystrongpassword" still gives a score of 4/4.

MrWook commented 7 months ago

So I need to improve the docs 👍

That is the correct behaviour. thisisareallystrongpassword contains multiple words that are recognized by the dictionaries. strong is already inside the lastnames dictionary on rank 651, which is not so far off from rank 1 in the userInputs dictionary. But even if it wouldn't be in any dictionary it would not matter so much, as this consists of multiple words which strengthen the password by each word.

I think the original author can explain it better than me; this isn't my strong point. You can read the publication about zxcvbn here https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler or watch the talk from the original author.
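To make the behaviour MrWook describes in both of his answers concrete, here is an added toy scorer (not code from zxcvbn-ts, and heavily simplified) that treats userInputs as just another ranked dictionary and combines matches with zxcvbn's l! * product(guesses) rule. It shows why adding "strong" to userInputs drops a lone "strong" to a single guess while the multi-word password stays at score 4. The English ranks are constructed for the example, except "strong" at 651, which is the rank stated above.

```javascript
// Added toy scorer (not zxcvbn-ts code): dictionary matches plus brute force only,
// combined with zxcvbn's l! * product(guesses) rule. Ranks are constructed except "strong".
const ENGLISH = new Map([
  ["this", 20], ["is", 7], ["a", 3], ["really", 312], ["strong", 651], ["password", 2],
]);
const BRUTEFORCE_CARDINALITY = 10;  // zxcvbn's per-character brute-force rate
const MIN_GUESSES_SINGLE_CHAR = 10; // zxcvbn floors for a match that covers only
const MIN_GUESSES_MULTI_CHAR = 50;  // part of the password, not the whole of it
const factorial = (n) => (n <= 1 ? 1 : n * factorial(n - 1));
// Guesses for one chunk: lowest dictionary rank if it is a word, else brute force.
function chunkGuesses(chunk, passwordLength, dictionaries) {
  let guesses = Infinity;
  for (const dict of dictionaries) {
    if (dict.has(chunk)) guesses = Math.min(guesses, dict.get(chunk));
  }
  if (guesses === Infinity) guesses = BRUTEFORCE_CARDINALITY ** chunk.length;
  if (chunk.length < passwordLength) {
    const floor = chunk.length === 1 ? MIN_GUESSES_SINGLE_CHAR : MIN_GUESSES_MULTI_CHAR;
    guesses = Math.max(guesses, floor);
  }
  return guesses;
}

// Minimum of l! * product(chunk guesses) over every split of the password.
// userInputs become a dictionary ranked 1, 2, ... exactly like any other list.
function estimateGuesses(password, userInputs = []) {
  const dicts = [ENGLISH, new Map(userInputs.map((word, i) => [word, i + 1]))];
  const n = password.length;
  // best[i]: number of chunks -> minimal product for the first i characters
  const best = Array.from({ length: n + 1 }, () => new Map());
  best[0].set(0, 1);
  for (let i = 1; i <= n; i++) {
    for (let j = 0; j < i; j++) {
      const g = chunkGuesses(password.slice(j, i), n, dicts);
      for (const [l, prod] of best[j]) {
        const cand = prod * g;
        if (!best[i].has(l + 1) || cand < best[i].get(l + 1)) best[i].set(l + 1, cand);
      }
    }
  }
  let result = Infinity;
  for (const [l, prod] of best[n]) result = Math.min(result, prod * factorial(l));
  return result;
}
// zxcvbn's 0..4 score bands: below 1e3, 1e6, 1e8 and 1e10 guesses (small delta omitted).
function score(guesses) {
  return [1e3, 1e6, 1e8, 1e10].filter((threshold) => guesses >= threshold).length;
}
```

With these constructed ranks, "strong" alone scores 651 guesses (score 0) and 1 guess once it is in userInputs, while "thisisareallystrongpassword" stays above 1e10 guesses (score 4) either way, because the other five words multiply in regardless of the rank of "strong".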