@lowe lowe released this Feb 7, 2017 · 6 commits to master since this release

  • minor bug fixes

@lowe lowe released this Oct 31, 2016 · 23 commits to master since this release

  • Fixed a search bug where certain optimal bruteforce matches were being ignored. This fix has a minor impact on performance, but only added 1 millisecond or less to all percentiles in my benchmark.

@lowe lowe released this Sep 27, 2016 · 29 commits to master since this release

  • Fixed a bug in the search algorithm. Discussion here.
  • Minor bug fixes.

@lowe lowe released this Feb 25, 2016 · 56 commits to master since this release

  • shorter and clearer search code with a better runtime bound.
  • new sequence matching that better generalizes to other Unicode alphabets.
  • a few tweaks and bugfixes.

@lowe lowe released this Nov 10, 2015 · 73 commits to master since this release

Overhauled dictionary processing pipeline (scripts in data-scripts).

  • zxcvbn now counts 30k top passwords from Xato.net's 10M password corpus instead of an earlier list of 10k passwords.
  • zxcvbn now counts top words from offline Wikipedia dumps. Instead of 55k words from the Wiktionary TV and movie study, zxcvbn now includes the top 30k tokens from that study and the top 30k tokens from English Wikipedia.
  • Data processing scripts are easier to use and better documented. It's now easy to, for example, add dictionaries obtained from Wikipedia dumps in other locales.
Oct 30, 2015

@lowe lowe released this Nov 10, 2015 · 96 commits to master since this release

zxcvbn now includes targeted verbal feedback in addition to score and guess numbers. Verbal feedback is included when score is <=2, and potentially contains a warning and a list of suggestions.

Warnings include messages like "this is a top-10 common password", "dates are easy to guess", "rows of keys are easy to guess".

Suggestions include messages like "add another word or two", "avoid dates that are associated with you", "common substitutions like @ for a don't help very much", etc.

@lowe lowe released this Oct 24, 2015 · 104 commits to master since this release

zxcvbn's search algorithm now penalizes pattern sequence length. The old model optimized:

Product(match.guesses for match in sequence)

The new model optimizes a function that includes both a multiplicative and additive penalty:

factorial(length) * product + D^(length - 1)

See comments in scoring.coffee for intuition around the new model.
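
The effect of the two objectives on a constructed case, as an added example that is not zxcvbn's own code: it enumerates every way to cover a password with candidate matches and picks the cheapest sequence under each model. The value of D, the match list, and the helper names are assumptions made for illustration.

```javascript
// Added illustration, not zxcvbn's scoring code.
const D = 10000; // assumed value for the additive-penalty base D

const factorial = (n) => (n <= 1 ? 1 : n * factorial(n - 1));
const product = (seq) => seq.reduce((p, m) => p * m.guesses, 1);

// Old objective: product of per-match guesses only.
const oldCost = (seq) => product(seq);
// New objective: factorial(length) * product + D^(length - 1).
const newCost = (seq) =>
  factorial(seq.length) * product(seq) + Math.pow(D, seq.length - 1);

// Every sequence of adjacent, non-overlapping matches covering [start, n-1].
function coverings(matches, n, start = 0) {
  if (start === n) return [[]];
  const out = [];
  for (const m of matches) {
    if (m.i !== start) continue;
    for (const rest of coverings(matches, n, m.j + 1)) out.push([m, ...rest]);
  }
  return out;
}

// Lowest-cost covering sequence under the given objective.
function best(matches, n, cost) {
  return coverings(matches, n).reduce(
    (win, seq) => (win === null || cost(seq) < cost(win) ? seq : win), null);
}

// Constructed candidates for an 8-character password: one whole-string
// match, or four cheap two-character fragments.
const MATCHES = [
  { i: 0, j: 7, guesses: 5000 },
  { i: 0, j: 1, guesses: 6 },
  { i: 2, j: 3, guesses: 6 },
  { i: 4, j: 5, guesses: 6 },
  { i: 6, j: 7, guesses: 6 },
];

for (const [name, cost] of [['old', oldCost], ['new', newCost]]) {
  const seq = best(MATCHES, 8, cost);
  console.log(name, 'model picks', seq.length, 'match(es), cost', cost(seq));
}
```

Under the old objective the four fragments win because their product is lower than the single match's guesses; under the new one the length penalties make the single whole-string match the cheaper explanation.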

Backwards-incompatible changes:

  • Most property names changed in the zxcvbn() return object. Removed all mention of entropy in favor of the more intuitive guesses and guesses_log10. (entropy in older versions was just log2 of guesses -- a sloppy use of the term.)
  • Removed crack_time property, added instead a dictionary of crack time estimates under different scenarios -- online throttled/unthrottled, and offline with slow/fast hashing.
  • score is still on a 0-5 scale, but with adjusted thresholds to reflect resistance to some of those attack scenarios.

@lowe lowe released this Sep 14, 2015 · 121 commits to master since this release

  • new implementation of repeat_match, supports multi-character repeat sequences.
  • reversed-word dictionary matches.
  • cross-browser testing with travis-ci, saucelabs and zuul.

@lowe lowe released this Sep 8, 2015 · 141 commits to master since this release

Complete unit tests at roughly 97% code coverage + minor bugfixes.