zxcvbn.js has different result from zxcvbn-ruby!

[oasisweng]

I want to test the password strength on my Staff.rb model.

But using a Rails Console and test a password such as "chenlu0525" with Zxcvbn.test will give a score of 2 while calling zxcvbn("chenlu0525") will give a score of 3.

Here is the result for zxcvbn("chenlu0525") (score:3):

JSON.stringify(zxcvbn("chenlu0525"))

password : "chenlu0525"
guesses : 1262010000
guesses_log10 : 9.101062796213672
sequence
calc_time : 1
crack_times_seconds
online_throttling_100_per_hour : 45432360000
online_no_throttling_10_per_second : 126201000
offline_slow_hashing_1e4_per_second : 126201
offline_fast_hashing_1e10_per_second : 0.126201
crack_times_display
online_throttling_100_per_hour : "centuries"
online_no_throttling_10_per_second : "4 years"
offline_slow_hashing_1e4_per_second : "1 day"
offline_fast_hashing_1e10_per_second : "less than a second"
score : 3
feedback
warning : ""
suggestions

Here is the result for Zxcvbn.test("chenlu0525") (score:2):

Zxcvbn.test("chenlu0525")

#<Zxcvbn::Score:0x007ffa13ae0168
 @calc_time=0.0012910170189570636,
 @crack_time=411480.0,
 @crack_time_display="6 days",
 @entropy=32.938,
 @match_sequence=
  [#<Zxcvbn::Match matched_word="chen", token="chen", i=0, j=3, rank=635, pattern="dictionary", dictionary_name="surnames", base_entropy=9.310612781659529, uppercase_entropy=0.0, l33t_entropy=0, entropy=9.310612781659529>,
   #<Zxcvbn::Match pattern="bruteforce", i=4, j=5, token="lu", entropy=10.339850002884624, cardinality=36>,
   #<Zxcvbn::Match i=6, j=9, token="0525", pattern="digits", entropy=13.28771237954945>],
 @password="chenlu0525",
 @score=2>

Any idea why? How to fix?

I am using Rails 4. Also, I use Devise, Client_Side_Validations and Simple_Form, if there is a workaround using devise_zxcvbn, it will work too.

[matthewford]

@oasisweng for devise_zxcvbn, as its typical to do both server and client side validation, we've ended up using https://github.com/bitzesty/zxcvbn-js which is a fork of zxcvbn-ruby that just runs the JS with ExecJS so the results are the same.

[stevehodgkiss]

Definitely a difference in the calculation of entropy... PR's welcome!

If you're using zxcvbn.js to display validation on the front end then it makes sense to use the same algorithm for the backend validation - https://github.com/bitzesty/zxcvbn-js

[detj]

I think this is a serious blocker. Although, there is zxcvbn-js out there which uses ExecJS, I'm sure a pure Ruby version would be preferred by many.

[bermannoah]

It looks like the JS original version makes its calculation based on seeing lu0525 as one token, rather than dividing it into lu and 0525 as this version does. I'm not sure where that decision is handled, but it seems like the right one to make.

sequence:
   [ { pattern: 'dictionary',
       i: 0,
       j: 3,
       token: 'chen',
       matched_word: 'chen',
       rank: 631,
       dictionary_name: 'surnames',
       reversed: false,
       l33t: false,
       base_guesses: 631,
       uppercase_variations: 1,
       l33t_variations: 1,
       guesses: 631,
       guesses_log10: 2.800029359244134 },
     { pattern: 'bruteforce',
       token: 'lu0525',
       i: 4,
       j: 9,
       guesses: 1000000,
       guesses_log10: 5.999999999999999 } ]

versus

<Zxcvbn::Match matched_word="chen", token="chen", i=0, j=3, rank=635, pattern="dictionary", 
dictionary_name="surnames", base_entropy=9.310612781659529, uppercase_entropy=0.0,
 l33t_entropy=0, entropy=9.310612781659529>, #<Zxcvbn::Match pattern="bruteforce", i=4, j=5,
token="lu", entropy=10.339850002884624, cardinality=36>, #<Zxcvbn::Match i=6, j=9, token="0525" ... > 

[MSCAU]

Just ran into this issue too. JS says "Bilbo Baggin" scores 4, while zxcvbn-ruby says it scores 3. Would be grateful if someone more capable than me could fix this as the JS version feels a lot slower.

[bule]

I changed to zxcvbn-js because of this.
Correctness is more important than speed.

[northymer]

Having same issue here, ruby version fails to recognise repetitive inputs, like "rtrtrt" will give 0 from both js and ruby version, one more "rt" will still give 0 from js version, but 1 from ruby, and every single following "rt" will give +1 to the score on ruby side up to the highest one, while js still gives it a 0

[jsaglio42]

I'm facing similar issues with the password "my_new_password".
zxcvbn-ruby (1.2.0) score : 1
zxcvbn.js (4.4.2) score : 3

[formigarafa]

@jsaglio42 how did you go with your issue? did you find a way out?