- Fixed a search bug where certain optimal bruteforce matches were being ignored. This fix has a minor impact on performance, but only added 1 millisecond or less to all percentiles in my benchmark.
- shorter and clearer search code with a better runtime bound.
- new sequence matching that better generalizes to other unicode alphabets.
- a few tweaks and bugfixes.
Overhauled dictionary processing pipeline (scripts in data-scripts).
- zxcvbn now counts 30k top passwords from Xato.net's 10M password corpus instead of an earlier list of 10k passwords.
- zxcvbn now counts top words from offline Wikipedia dumps. Instead of 55k words from the Wiktionary TV and movie study, zxcvbn now includes the top 30k tokens from that study and the top 30k tokens from English Wikipedia.
- Data processing scripts are easier to use and better documented. It's now easy to, for example, add dictionaries obtained from wikipedia dumps in other locales.
zxcvbn now includes targeted verbal feedback in addition to the score and guess count. Verbal feedback is included when `score` is <= 2, and potentially contains a warning and a list of suggestions.
Warnings include messages like "this is a top-10 common password", "dates are easy to guess", "rows of keys are easy to guess".
Suggestions include messages like "add another word or two", "avoid dates that are associated with you", "common substitutions like @ for a don't help very much", etc.
zxcvbn's search algorithm now penalizes pattern sequence length. The old model minimized `Product(match.guesses for match in sequence)`, which lets a decomposition into many short, individually weak matches look cheaper than it really is. The new model minimizes a function that includes both a multiplicative and an additive penalty: `factorial(length) * product + D^(length - 1)`, where `length` is the number of matches in the sequence, `product` is the old objective, and `D` is a constant minimum number of guesses charged for each additional match. See the comments in `scoring.coffee` for intuition around the new model.
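An added example (not zxcvbn's own code) of the two objectives side by side. The match objects and their guess counts are constructed for illustration, and the value of `D` is an assumption; zxcvbn's `scoring.coffee` defines its own constant.

```javascript
// Added example (not zxcvbn's own code): the two objectives zxcvbn's
// search minimises when choosing how to split a password into a sequence
// of non-overlapping matches. Match objects and their guess counts below
// are constructed for illustration, not produced by zxcvbn.

// Assumed value; zxcvbn's scoring.coffee defines its own constant for D.
const D = 10000;

function factorial(n) {
  let f = 1;
  for (let i = 2; i <= n; i++) f *= i;
  return f;
}

// Old model: Product(match.guesses for match in sequence)
function oldCost(sequence) {
  return sequence.reduce((product, m) => product * m.guesses, 1);
}

// New model: factorial(length) * product + D^(length - 1)
function newCost(sequence) {
  const length = sequence.length;
  return factorial(length) * oldCost(sequence) + Math.pow(D, length - 1);
}

// Lowest cost wins: the search is looking for the weakest decomposition,
// because that is how many guesses an attacker who knows the patterns needs.
function bestSequence(candidates, costFn) {
  return candidates.reduce((best, s) => (costFn(s) < costFn(best) ? s : best));
}

// Two constructed decompositions of the same constructed 8-character string:
// four tiny "dictionary" hits with 3 guesses each, versus one match
// covering the whole string with 200 guesses.
const manyShort = [
  { pattern: 'dictionary', token: 'ab', guesses: 3 },
  { pattern: 'dictionary', token: 'cd', guesses: 3 },
  { pattern: 'dictionary', token: 'ef', guesses: 3 },
  { pattern: 'dictionary', token: 'gh', guesses: 3 },
];
const oneLong = [{ pattern: 'dictionary', token: 'abcdefgh', guesses: 200 }];
const candidates = [manyShort, oneLong];

function tokens(sequence) {
  return sequence.map((m) => m.token);
}

// Old model: 3*3*3*3 = 81 < 200, so it picks the four-match split and
// reports the password as guessable in 81 tries, even though an attacker
// would also have to guess how the string was split.
const oldPick = tokens(bestSequence(candidates, oldCost));

// New model: 4! * 81 + D^3 = 1944 + 1e12 for the split, versus
// 1! * 200 + D^0 = 201 for the single match, so the single match wins.
const newPick = tokens(bestSequence(candidates, newCost));

console.log('old model picks', oldPick, 'cost', oldCost(manyShort));
console.log('new model picks', newPick, 'cost', newCost(oneLong));
```

The additive term `D^(length - 1)` dominates as soon as a sequence has more than a couple of matches, which is what stops the search from "explaining away" a password as a long chain of trivially guessable fragments.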
- Most property names changed in the `zxcvbn()` return object. Removed all mention of entropy in favor of the more intuitive `guesses`. (`entropy` in older versions was just log2 of `guesses` -- a sloppy use of the term.)
- Removed the `crack_time` property; added instead a dictionary of crack time estimates under different scenarios -- online throttled/unthrottled, and offline with slow/fast hashing.
- `score` is still on a 0-4 scale, but with adjusted thresholds to reflect resistance to some of those attack scenarios.
- new implementation of `repeat_match`, supports multi-character repeat sequences.
- reversed-word dictionary matches.
- cross-browser testing with travis-ci, saucelabs and zuul.
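An added example (not zxcvbn's own code) of why a single `crack_time` number was dropped in favor of per-scenario estimates: the same guess count maps to wildly different crack times depending on the attacker's position, and the 0-4 score is derived from guess thresholds rather than from any one of those times. The attacker rates, the score thresholds, and the helper names here are assumptions chosen for illustration; zxcvbn's own constants may differ.

```javascript
// Added example (not zxcvbn's own code): turning a guess count into
// crack-time estimates under the four attack scenarios named above, and
// into a 0-4 score. The guess rates and score thresholds are assumptions
// chosen for illustration; zxcvbn's own constants may differ.

// Attacker guess rates, in guesses per second (assumed).
const SCENARIOS = {
  online_throttling_100_per_hour: 100 / 3600,
  online_no_throttling_10_per_second: 10,
  offline_slow_hashing_1e4_per_second: 1e4,
  offline_fast_hashing_1e10_per_second: 1e10,
};

// Old versions reported entropy = log2(guesses); this is the inverse, kept
// here only to map old numbers onto the new guesses-based API.
function entropyToGuesses(entropyBits) {
  return Math.pow(2, entropyBits);
}

// Seconds an attacker needs to exhaust `guesses` under each scenario.
function crackTimesSeconds(guesses) {
  const out = {};
  for (const [name, rate] of Object.entries(SCENARIOS)) {
    out[name] = guesses / rate;
  }
  return out;
}

// 0-4 score from guess thresholds (assumed thresholds 1e3, 1e6, 1e8, 1e10,
// each with a small delta so a value sitting exactly on a boundary does not
// flip between scores from run to run).
function guessesToScore(guesses) {
  const DELTA = 5;
  if (guesses < 1e3 + DELTA) return 0;
  if (guesses < 1e6 + DELTA) return 1;
  if (guesses < 1e8 + DELTA) return 2;
  if (guesses < 1e10 + DELTA) return 3;
  return 4;
}

// Which scenarios does a password with `guesses` survive for at least
// `seconds`? Useful for deciding which attacker a policy actually resists.
function survivingScenarios(guesses, seconds) {
  const times = crackTimesSeconds(guesses);
  return Object.keys(times).filter((name) => times[name] >= seconds);
}

const ONE_YEAR = 365 * 24 * 3600;

// A password costing about 1e6 guesses holds up for roughly 1.1 years
// against a throttled login form, but falls in 100 microseconds to
// offline fast hashing; a single "crack time" could not express both.
const example = crackTimesSeconds(1e6);
console.log(example);
console.log('score', guessesToScore(1e6));
console.log('survives one year under', survivingScenarios(1e6, ONE_YEAR));
```

The practical check this enables: pick the scenario that matches your threat model (an offline attack on a leaked password database is the usual worst case) and read that entry, rather than trusting the single most optimistic number.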