
without dictionary? #59

Closed
enapupe opened this issue Nov 17, 2014 · 13 comments

@enapupe

enapupe commented Nov 17, 2014

How much would I lose running this library without the dictionary part? My concern is about file size, since a 300kb download is unacceptable in [my] mobile scenario.. What does Dropbox do about that?
Thanks for such a library; anyhow, it is awesome.

@duzun

duzun commented Nov 17, 2014

You are going to lose a lot!
Since the dictionary contains a list of the most used passwords (like "password", "123456") plus some other lists of frequently used words, you are going to cut off estimation of the cracking method(s) used to guess more than 50% of the passwords in an eventual hack.
IMO your zxcvbn estimations would be far from reality.

I suggest using caching and lazy-loading.

Another alternative would be to run zxcvbn on the server through AJAX requests, but it is not always a good idea to send the password outside your system for evaluation. It depends on your application design and security model.

@enapupe

enapupe commented Nov 17, 2014

@duzun I see, that's what I thought..
But there is another thing to consider: our users are developers, so, we are giving them some credit and freedom on their password choice.. We intend to provide the most information about their password strength but not block bad choices beyond a basic strength level..

The ajax scenario is not an option because triggering one request for each keyup would probably be slower than downloading the 300kb js file once.

@duzun

duzun commented Nov 17, 2014

I am a developer too, but I don't remember the list of top 10'000 most used passwords and I want zxcvbn to evaluate my "pronounceable" passwords.
A better password is a totally random one, in which case you don't need zxcvbn, just take care of the minimum length.
But if you want a memorable password composed of words, it is good to evaluate each word from the password.
If you want more freedom, don't use password strength for validation (allow the user to use the weakest password).

AJAX could be an option if properly set up. Typically keyup happens no more than once every 300ms. If your server is geographically close to the client and you don't have any lags in your app, the response could return in less than 100ms. Even if the server is in the US and the client is in Europe, the response can still be kept under 300ms.

@enapupe

enapupe commented Nov 17, 2014

I agree, either validate it right or just don't..
I'm gonna go with ajax and see what happens. Thanks a lot for sharing!

@enapupe enapupe closed this as completed Nov 17, 2014
@enapupe

enapupe commented Nov 17, 2014

obs, I think browsers should ship your library as a native API, nice job.

@pyramids

One solution could be to load zxcvbn from a public CDN, if you trust it to not maliciously serve a modified (password grabbing? key logging?) version. Then, assuming your website isn't the first one to do so for that user, it has a good chance of loading from the browser's cache.

I know of these two public CDNs with (slightly dated) versions of zxcvbn, with links to their minified versions:
cdnjs
jsdelivr

I don't trust third parties with the power to control JavaScript on pages with password entry. To get the suggested advantage anyway, I use an integrity-verifying JavaScript loader, to discard the received JavaScript unless it is exactly as expected. If it helps anyone: I wrote one such loader, needjs, that allows fallback to other source URLs including, if you like, a copy hosted on your own servers.

@enapupe

enapupe commented Nov 17, 2014

I dislike the CDN idea for many reasons.. In this case even more because unfortunately I have never seen a website using this library.
I'm going with the JS solution. I'm preloading it manually after pageload (or maybe use prerender) so it is cached when the user visits the signup page.
Thanks again.

@michaelficarra

Whenever you use a CDN, you should use a subresource integrity hash.

@enapupe

enapupe commented Nov 18, 2014

After some discussion we decided to go with the client-side (JS) version of zxcvbn (async, lazy-loaded), but we are keeping only the 10k frequent passwords part because our general public is not English speaking.

@luckylooke

@enapupe how did you manage to use a custom dictionary? (10k freq pass)
Because we also have multi-language users, so English-only words do not fit well.

Thanks

@enapupe

enapupe commented Sep 4, 2019

Uh, well, 5 years ago? I think we just removed stuff from the dist file and included the lib file on git. npm was not really a thing back then, maybe Bower was.

@luckylooke

@enapupe I was not sure if you reused the solution in more recent projects, therefore I asked, ignoring the date. Thank you for your answer, but I do not like the solution for maintenance reasons. Then I would rather use https://github.com/davidstutz/password-score which allows configuring dictionaries. Thanks again and happy coding ;)

@enapupe

enapupe commented Sep 4, 2019

Sure, I get that.
I'm afraid this project has not kept up with modern stuff? Like you would usually just have a separate dictionary package that you could import. Maybe it's a nice proposal/fork, since the logic behind this project is still one of the best available.
