Each entry in the match sequence needs to add some inherent entropy #48
Comments
The original author referred to this entropy as structural entropy, and made a documented decision to ignore it ("It’s difficult to formulate a sound model for structural entropy; statistically, I don’t happen to know what structures people choose most, so I’d rather do the safe thing and underestimate", https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/).
A very simple but decent model would be to observe the frequency of all
A slightly better model would be to make the structure probabilities
Or you could go overboard and use
Sounds like a fun project for an undergraduate thesis or an intern

On Tue, Aug 12, 2014 at 12:25:22PM -0700, Björn Stein wrote:

Peter Eckersley pde@eff.org
Agreed. @pde, thanks for reporting, I know it's been a while :) Extra entropy for each entry in the match sequence is coming soon. I have a simpler scheme in mind than what you propose, and will update this thread with more soon.
After experimenting with different models over the last two weeks, a reasonable length penalty is now implemented in 4.0.1. Try it out, and check the docs in scoring.coffee to see how it works. Feedback appreciated!
zxcvbn decomposes each password into a match sequence, and then for each match says, "aha, I can find this part in an English dictionary (7 bits)", "this next piece is a name (4 bits)", "this is brute force (9 bits)".
There is an inherent entropy to changing models each time. It's probably not much (2-6 bits per entry in the match sequence, I'm guessing) but at the moment zxcvbn is underestimating passwords that jump between a number of these.
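To make the point of this issue concrete, here is an added toy model (example code written for this page, not zxcvbn's own scoring) that sums per-match bits the way the issue describes and then compares two ways of charging a structural term: the flat per-entry guess from this post, and a "how often does this structure occur" model along the lines suggested in the thread. The match sequence, the pattern names and the structure frequency table are constructed for illustration; the 2 and 6 bit figures are the guessed range from the post, not measured values.

```javascript
// Added example, not zxcvbn code: a toy model of per-match entropy summation
// with an optional structural term for the choice of match sequence.
const log2 = (x) => Math.log(x) / Math.LN2;

// Constructed match sequence in the shape the issue describes: a dictionary
// word (7 bits), a name (4 bits), then a brute-force tail (9 bits).
// Tokens and pattern names are illustrative, not zxcvbn's real output.
const MATCH_SEQUENCE = [
  { pattern: 'dictionary', token: 'password', bits: 7 },
  { pattern: 'name',       token: 'john',     bits: 4 },
  { pattern: 'bruteforce', token: 'x7!',      bits: 9 },
];

// Baseline: total entropy is simply the sum of per-match bits.
function baselineBits(seq) {
  return seq.reduce((sum, m) => sum + m.bits, 0);
}

// Model 1 (the issue's rough guess): a flat structural cost per entry,
// charged only when the password spans more than one match, since a single
// match involves no switching between models.
function flatStructuralBits(seq, bitsPerEntry = 2) {
  return seq.length > 1 ? seq.length * bitsPerEntry : 0;
}

// Model 2 (the direction hinted at in the thread): observe how often each
// structure, i.e. the ordered list of pattern types, occurs and charge
// -log2(P(structure)). The frequencies below are CONSTRUCTED for
// illustration, not measured from any password corpus.
const STRUCTURE_FREQ = {
  'dictionary': 0.40,
  'dictionary|bruteforce': 0.15,
  'dictionary|dictionary': 0.10,
  'dictionary|name|bruteforce': 0.01,
};

function structureKey(seq) {
  return seq.map((m) => m.pattern).join('|');
}

function observedStructuralBits(seq, freq = STRUCTURE_FREQ, fallbackBitsPerEntry = 6) {
  const p = freq[structureKey(seq)];
  // Unseen structure: fall back to the upper end of the post's guessed range,
  // erring on the side of overestimating an unfamiliar structure's cost.
  if (p === undefined) return seq.length * fallbackBitsPerEntry;
  return -log2(p);
}

// Total bits under a chosen structural model.
function totalBits(seq, structuralModel) {
  return baselineBits(seq) + structuralModel(seq);
}

// Stand-alone demonstration of how much the structural term adds.
console.log('baseline bits:', baselineBits(MATCH_SEQUENCE));
console.log('flat model total:', totalBits(MATCH_SEQUENCE, flatStructuralBits));
console.log('observed model total:', totalBits(MATCH_SEQUENCE, observedStructuralBits).toFixed(2));
```

Running this on the constructed sequence gives 20 bits at baseline, 26 bits with the flat 2-bit-per-entry model, and about 26.6 bits with the frequency model; a single dictionary match gets no flat penalty, while a structure absent from the table falls back to the 6-bit-per-entry upper estimate.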