
No specific suggestion or warning given for passwords that are too weak because of user inputs #231

Open
Pierre-Sassoulas opened this issue Jun 16, 2018 · 2 comments

Comments

@Pierre-Sassoulas

Pierre-Sassoulas commented Jun 16, 2018

For example here, with no user_inputs we get a score of 4:

    >>> from zxcvbn import zxcvbn
    >>> result = zxcvbn("testclient@example.com")
    >>> result['score']
    4
    >>> result['feedback']
    {'warning': '', 'suggestions': []}

Then with user_inputs the password is detected as bad and scored 0 because of the user inputs, but there is only the generic suggestion:

    >>> from zxcvbn import zxcvbn
    >>> result = zxcvbn("testclient@example.com", user_inputs=["testclient@example.com"])
    >>> result['score']
    0
    >>> result['feedback']
    {'warning': '', 'suggestions': ['Add another word or two. Uncommon words are better.']}

I would expect something like "You should not reuse information from your accounts in your password" as a suggestion.

@MathiasSM

The user_input can be used for input not entered directly by the user (as I understand it). In my opinion, it might be OK for the library to give information to the code that it failed because of the user_input, if possible. But to have a suggestion as specific as that would not always be ideal, would it? Then again, it may be better to not show any suggestion than to show "Add another word or two" (in any case, adding a word or two wouldn't make it any more secure, even to zxcvbn, right?).

@Pierre-Sassoulas
Author

I think we should always give a message, otherwise what are users supposed to do when we reject their passwords? They can't guess what was wrong. Also, adding a word or two does always make it more secure for zxcvbn (except if they're adding information already present in user_input). The error message should not contain the information itself; "Avoid information that is associated with you or your account." would work well.
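The thread asks for two things the library does not do on its own: tell the calling code that the rejection was caused by a user_inputs match, and give the user a specific (but non-revealing) suggestion. The following is an added example, not code from this issue or from zxcvbn-python itself. It assumes only the documented result shape: the returned dict carries a 'sequence' list of match dicts, and dictionary matches drawn from user_inputs have 'pattern' == 'dictionary' and 'dictionary_name' == 'user_inputs'. The helper names, the threshold, the suggestion text and the sample result dicts are this example's own; the sample dicts are constructed to mirror the thread's two calls, not captured from a real run.

```python
"""Added example: derive a specific suggestion when zxcvbn rejects a
password because it matched one of the caller-supplied user_inputs.

Assumed zxcvbn-python result shape (not verified against a specific
release): result['sequence'] is a list of match dicts; a token taken from
user_inputs appears as {'pattern': 'dictionary',
'dictionary_name': 'user_inputs', 'token': ...}.
"""

# Message deliberately does not echo the matched token: user_inputs may
# hold data the user never typed (internal identifiers, account metadata).
USER_INPUT_SUGGESTION = (
    "Avoid information that is associated with you or your account."
)


def user_input_tokens(result):
    """Return the password substrings that zxcvbn matched against the
    caller's user_inputs (empty list if none matched)."""
    return [
        m["token"]
        for m in result.get("sequence", [])
        if m.get("pattern") == "dictionary"
        and m.get("dictionary_name") == "user_inputs"
    ]


def specific_feedback(result, min_score=3):
    """Return (rejected, message).

    Rejects when score < min_score. If the rejection involves a user_inputs
    match, return the dedicated suggestion instead of zxcvbn's generic
    "Add another word or two" text; otherwise fall back to the library's
    own warning/suggestions, and never return an empty message on reject.
    """
    if result["score"] >= min_score:
        return False, ""
    if user_input_tokens(result):
        return True, USER_INPUT_SUGGESTION
    fb = result.get("feedback", {})
    msg = fb.get("warning") or " ".join(fb.get("suggestions", []))
    return True, msg or "Choose a longer, less predictable password."


def check_password(password, user_inputs=()):
    """Run the live check if zxcvbn-python is installed; else None.
    (Hypothetical wrapper for this example, not part of the library.)"""
    try:
        from zxcvbn import zxcvbn
    except ImportError:
        return None
    return specific_feedback(zxcvbn(password, user_inputs=list(user_inputs)))


# Constructed sample results, shaped like the thread's two calls.
SAMPLE_REJECTED = {
    "password": "testclient@example.com",
    "score": 0,
    "sequence": [
        {"pattern": "dictionary", "dictionary_name": "user_inputs",
         "token": "testclient@example.com", "i": 0, "j": 21},
    ],
    "feedback": {
        "warning": "",
        "suggestions": ["Add another word or two. Uncommon words are better."],
    },
}

SAMPLE_ACCEPTED = {
    "password": "testclient@example.com",
    "score": 4,
    "sequence": [
        {"pattern": "bruteforce", "token": "testclient@example.com",
         "i": 0, "j": 21},
    ],
    "feedback": {"warning": "", "suggestions": []},
}


if __name__ == "__main__":
    print(specific_feedback(SAMPLE_REJECTED))
    print(specific_feedback(SAMPLE_ACCEPTED))
    print(check_password("testclient@example.com",
                         ["testclient@example.com"]))
```

The caller decides the policy (here `min_score=3`) and the wording; the library result is only inspected, not modified. Because the message is fixed text, a rejection caused by a user_inputs entry that the user never saw (an internal ID, for instance) does not leak that value back to the user.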
