Closed davidgeary closed 9 months ago
Hello @davidgeary, the userInputs dictionary functions like any other dictionary, assigning a specific guess count to parts of the password. For instance, if your string is "this is a really strong password" and "strong" is in the userInputs dictionary, the password strength evaluation for the portion "strong" will be lower compared to when it's not in userInputs.
Zxcvbn-ts evaluates the entire string, even if the rest of the string is strong. This means that a long string with weak inputs could still be considered a strong password according to zxcvbn-ts.
Taking your example of "this is a really strong password", on the demo page, the english dictionary is utilized, and "strong" is already ranked at 651. Consequently, the impact of adding "strong" to the userInputs dictionary, considering it was initially in the English dictionary, might not significantly affect the overall ranking.
On the demo page you first need to add values to the userInputs dictionary and than use the password field, it will be correctly recognized, and the score will be 0 for "thisisareallystrongpassword".
Since this seems to be answered here, i will close the issue
Sorry for the late response, @MrWook and thanks for the answer; it does explain it (better than the docs anyway 😁).
FYI, I can't replicate your last example on the demo page though. Setting the userInputs to "strong" and the password to "thisisareallystrongpassword" still gives a score of 4/4.
So i need to improve the docs 👍
Thats is the correct behaviour.
thisisareallystrongpassword
contains multiple words that are recognized by the dictionaries.
strong
is already inside the lastnames
dictionary on rank 651 which is not so far of from rank 1 in the userInputs
dictionary.
But even if it wouldn't be in any dictionary it would not matter so much as this consist of multiple words which strengthen the password by each word.
I think the orignal author can explain it better than me, this isn't my strong point. You can read the publication about zxcvbn here https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler or watch the talk from the original author
AIUI, the idea of supplying user inputs is that if any of the supplied words appear in the password, the score is reduced (to zero?) to indicate it's not secure. But in both my own code and the project's demo page, it doesn't appear to be affecting the score at all.
Testing the phrase "this is a really strong password" on the demo page gives:
Adding "strong" to the user inputs would, I'd have thought, reduce the score, but it remains at 4/4. Even setting the password and user input to the exact same value, e.g. "thisisareallystrongpassword", makes no difference.
Is this right or am I misunderstanding what user inputs are for?