Very different results from javascript. #14

Open
choppsv1 opened this issue Sep 16, 2015 · 2 comments
@choppsv1

The Python code produces very different (and worrisome) results when compared to the JavaScript version. I use the Python code in my change app to verify the password passes muster prior to changing it, so if anything I'd want it to be more strict than the client-side JS version.

Password: FooBar2016
JS: score: 0, entropy: 18.541
Python: score: 2, entropy: 30.089

Password: ZagDag2016
JS: score: 2, entropy: 32.783
Python: score: 4, entropy: 44.264

If I had to choose I'd pick the JS version; the Python one looks way too lenient.

(Full result for FooBar2016 below.)
JS:
Calling zxcvbn
{ password: 'FooBar2016',
entropy: 18.541,
match_sequence:
[ { pattern: 'dictionary',
i: 0,
j: 5,
token: 'FooBar',
matched_word: 'foobar',
rank: 908,
dictionary_name: 'passwords',
reversed: false,
base_entropy: 9.826548487290916,
uppercase_entropy: 4.392317422778761,
reversed_entropy: 0,
l33t_entropy: 0,
entropy: 14.218865910069677 },
{ pattern: 'regex',
token: '2016',
i: 6,
j: 9,
regex_name: 'recent_year',
regex_match: [Object],
entropy: 4.321928094887363 } ],
crack_time: 19.068,
crack_time_display: '19.068000000000023 seconds',
score: 0,
calc_time: 8 }

Python:

python -c 'import zxcvbn; print zxcvbn.password_strength("FooBar2016")'
{'crack_time_display': '17.0 hours', 'crack_time': 57103.66, 'score': 2, 'entropy': 30.089, 'password': 'FooBar2016', 'calc_time': 0.0005788803100585938, 'match_sequence': [{'l33t_entropy': 0, 'dictionary_name': 'passwords', 'matched_word': 'foobar', 'base_entropy': 9.826548487290916, 'i': 0, 'pattern': 'dictionary', 'j': 5, 'rank': 908, 'token': 'FooBar', 'entropy': 14.285980105928214, 'uppercase_entropy': 4.459431618637297}, {'i': 6, 'pattern': 'spatial', 'j': 8, 'shifted_count': 0, 'token': '201', 'entropy': 9.848831558033764, 'graph': 'keypad', 'turns': 2}, {'i': 9, 'pattern': 'bruteforce', 'j': 9, 'token': '6', 'entropy': 5.954196310386876, 'cardinality': 62}]}

@FirefighterBlu3

It's not a perfect port of JS -> Python apparently; different match sequences are being executed. The JS original executes the dictionary and regex patterns. The Python port executes the dictionary, spatial, and bruteforce patterns.

@FirefighterBlu3

In any case, it looks like this project has been abandoned by the original owners, as there hasn't been any activity in quite a while. If we want it fixed, we'll have to do it ourselves.
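
Added example, not part of the original thread or of either zxcvbn code base: a small comparison of the two match sequences posted above for `FooBar2016`, showing which character span accounts for the entropy gap. The tuples are copied from the outputs in the issue; the function names are made up for this sketch, and it assumes each match sequence covers the password contiguously from index 0.

```python
# Match sequences from the two outputs in this issue, reduced to the fields
# needed here: (i, j, pattern, token, entropy).
JS_MATCHES = [
    (0, 5, "dictionary", "FooBar", 14.218865910069677),
    (6, 9, "regex", "2016", 4.321928094887363),
]
PY_MATCHES = [
    (0, 5, "dictionary", "FooBar", 14.285980105928214),
    (6, 8, "spatial", "201", 9.848831558033764),
    (9, 9, "bruteforce", "6", 5.954196310386876),
]


def segments(a, b):
    """Yield the smallest spans whose end boundaries both sequences share."""
    common_ends = sorted({j for _, j, *_ in a} & {j for _, j, *_ in b})
    start = 0
    for end in common_ends:
        yield start, end
        start = end + 1


def within(matches, lo, hi):
    """Matches that lie entirely inside the span [lo, hi]."""
    return [m for m in matches if lo <= m[0] and m[1] <= hi]


def compare(a, b):
    """Per shared span: the patterns each side used and the entropy difference."""
    rows = []
    for lo, hi in segments(a, b):
        ma, mb = within(a, lo, hi), within(b, lo, hi)
        rows.append({
            "span": (lo, hi),
            "a_patterns": [m[2] for m in ma],
            "b_patterns": [m[2] for m in mb],
            "delta_bits": round(sum(m[4] for m in mb) - sum(m[4] for m in ma), 3),
        })
    return rows


def total(matches):
    """Total entropy of a match sequence, rounded like the reported value."""
    return round(sum(m[4] for m in matches), 3)


if __name__ == "__main__":
    print("JS total:", total(JS_MATCHES), "Python total:", total(PY_MATCHES))
    for row in compare(JS_MATCHES, PY_MATCHES):
        print(row)
```

Almost all of the difference sits in the `2016` span, where the JS output has one `regex` match and the Python output has `spatial` plus `bruteforce`; the dictionary span differs only through `uppercase_entropy`.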
