zxcvbn.js has different result from zxcvbn-ruby! #18

Open
oasisweng opened this Issue Apr 17, 2016 · 5 comments


oasisweng commented Apr 17, 2016

I want to test the password strength on my Staff.rb model.

But using a Rails console to test a password such as "chenlu0525" with Zxcvbn.test gives a score of 2, while calling zxcvbn("chenlu0525") gives a score of 3.

Here is the result for zxcvbn("chenlu0525") (score: 3):

```
JSON.stringify(zxcvbn("chenlu0525"))

password : "chenlu0525"
guesses : 1262010000
guesses_log10 : 9.101062796213672
sequence
calc_time : 1
crack_times_seconds
    online_throttling_100_per_hour : 45432360000
    online_no_throttling_10_per_second : 126201000
    offline_slow_hashing_1e4_per_second : 126201
    offline_fast_hashing_1e10_per_second : 0.126201
crack_times_display
    online_throttling_100_per_hour : "centuries"
    online_no_throttling_10_per_second : "4 years"
    offline_slow_hashing_1e4_per_second : "1 day"
    offline_fast_hashing_1e10_per_second : "less than a second"
score : 3
feedback
    warning : ""
    suggestions
```

Here is the result for Zxcvbn.test("chenlu0525") (score: 2):

```ruby
Zxcvbn.test("chenlu0525")

#<Zxcvbn::Score:0x007ffa13ae0168
 @calc_time=0.0012910170189570636,
 @crack_time=411480.0,
 @crack_time_display="6 days",
 @entropy=32.938,
 @match_sequence=
  [#<Zxcvbn::Match matched_word="chen", token="chen", i=0, j=3, rank=635, pattern="dictionary", dictionary_name="surnames", base_entropy=9.310612781659529, uppercase_entropy=0.0, l33t_entropy=0, entropy=9.310612781659529>,
   #<Zxcvbn::Match pattern="bruteforce", i=4, j=5, token="lu", entropy=10.339850002884624, cardinality=36>,
   #<Zxcvbn::Match i=6, j=9, token="0525", pattern="digits", entropy=13.28771237954945>],
 @password="chenlu0525",
 @score=2>
```

Any idea why? How to fix?

I am using Rails 4. I also use Devise, Client_Side_Validations and Simple_Form; if there is a workaround using devise_zxcvbn, that will work too.


matthewford commented Apr 17, 2016

@oasisweng for devise_zxcvbn, as it's typical to do both server- and client-side validation, we've ended up using https://github.com/bitzesty/zxcvbn-js, which is a fork of zxcvbn-ruby that just runs the JS with ExecJS so the results are the same.


ryanwilliams commented May 30, 2016

I have the same issue. It makes this gem pretty useless for us as the JS validation says the password is good but then the server says it's bad.

@joneslee85 joneslee85 added the bug label May 31, 2016


stevehodgkiss (Member) commented Jun 3, 2016

[screenshot: screen shot 2016-06-03 at 3 36 30 pm]

Definitely a difference in the calculation of entropy... PRs welcome!

If you're using zxcvbn.js to display validation on the front end then it makes sense to use the same algorithm for the backend validation - https://github.com/bitzesty/zxcvbn-js


detj (Contributor) commented Apr 10, 2017

I think this is a serious blocker. Although there is zxcvbn-js out there, which uses ExecJS, I'm sure a pure Ruby version would be preferred by many.


bermannoah commented May 8, 2017

It looks like the JS original version makes its calculation based on seeing lu0525 as one token, rather than dividing it into lu and 0525 as this version does. I'm not sure where that decision is handled, but it seems like the right one to make.

sequence:

```js
   [ { pattern: 'dictionary',
       i: 0,
       j: 3,
       token: 'chen',
       matched_word: 'chen',
       rank: 631,
       dictionary_name: 'surnames',
       reversed: false,
       l33t: false,
       base_guesses: 631,
       uppercase_variations: 1,
       l33t_variations: 1,
       guesses: 631,
       guesses_log10: 2.800029359244134 },
     { pattern: 'bruteforce',
       token: 'lu0525',
       i: 4,
       j: 9,
       guesses: 1000000,
       guesses_log10: 5.999999999999999 } ]
```

versus

```ruby
#<Zxcvbn::Match matched_word="chen", token="chen", i=0, j=3, rank=635, pattern="dictionary",
 dictionary_name="surnames", base_entropy=9.310612781659529, uppercase_entropy=0.0,
 l33t_entropy=0, entropy=9.310612781659529>,
#<Zxcvbn::Match pattern="bruteforce", i=4, j=5, token="lu", entropy=10.339850002884624, cardinality=36>,
#<Zxcvbn::Match i=6, j=9, token="0525" ... >
```
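The two outputs quoted in this thread come from two different scoring models, not just from the tokenization difference bermannoah points out. zxcvbn-ruby ports the original zxcvbn entropy model (sum the bits of each match, turn that into a crack time, map the crack time to 0..4), whereas zxcvbn.js v4 multiplies per-match guess counts, penalises the number of matches, and maps the guess count to 0..4. The following is an added, self-contained Ruby example (not code from zxcvbn-ruby or zxcvbn.js) that plugs the match data quoted above into both models; the constants and thresholds are the ones the two zxcvbn versions document, restated here as an assumption rather than pulled from either library, and the match lists are transcribed from the thread.

```ruby
# Added example: reproduce the score 2 (entropy model, as in zxcvbn-ruby) and
# the score 3 (guesses model, as in zxcvbn.js v4) for "chenlu0525" from the
# match sequences quoted in the issue. Not part of either project.

# --- Model A: entropy bits -> crack time -> score (zxcvbn v1 / zxcvbn-ruby) --

SINGLE_GUESS_SECONDS = 0.010 # v1 assumption: one guess every 10 ms ...
NUM_ATTACKERS        = 100   # ... spread across 100 attacking cores

# Match entropies as the Ruby gem reported them (see the thread).
V1_MATCHES = [
  { token: 'chen', pattern: 'dictionary', entropy: Math.log2(635) },    # rank 635 in surnames
  { token: 'lu',   pattern: 'bruteforce', entropy: 2 * Math.log2(36) }, # cardinality 36 (a-z, 0-9)
  { token: '0525', pattern: 'digits',     entropy: 4 * Math.log2(10) }, # four digits
].freeze

# The sequence entropy is the sum of the match entropies.
def v1_entropy(matches)
  matches.sum { |m| m[:entropy] }
end

# Expected work is half the search space, divided by the guessing rate.
def v1_crack_time_seconds(entropy)
  0.5 * (2**entropy) * SINGLE_GUESS_SECONDS / NUM_ATTACKERS
end

# v1 score buckets on crack time in seconds.
def v1_score(crack_time)
  case
  when crack_time < 1e2 then 0
  when crack_time < 1e4 then 1
  when crack_time < 1e6 then 2
  when crack_time < 1e8 then 3
  else 4
  end
end

# --- Model B: guesses per match -> sequence guesses -> score (zxcvbn.js v4) --

MIN_GUESSES_BEFORE_GROWING_SEQUENCE = 10_000
BRUTEFORCE_CARDINALITY = 10

# Match guesses as zxcvbn.js reported them: the bruteforce token is "lu0525",
# a single 6-character chunk costing 10^6 guesses.
V4_MATCHES = [
  { token: 'chen',   pattern: 'dictionary', guesses: 631 },                       # rank 631
  { token: 'lu0525', pattern: 'bruteforce', guesses: BRUTEFORCE_CARDINALITY**6 }, # 10^len
].freeze

def factorial(n)
  (1..n).reduce(1, :*)
end

# v4 charges for the number of matches: l! * product(guesses) + 10_000^(l-1).
def v4_sequence_guesses(matches)
  l = matches.length
  factorial(l) * matches.map { |m| m[:guesses] }.reduce(1, :*) +
    MIN_GUESSES_BEFORE_GROWING_SEQUENCE**(l - 1)
end

# v4 score buckets on the guess count (with a small DELTA to avoid edge flips).
def v4_score(guesses)
  delta = 5
  case
  when guesses < 1e3 + delta  then 0
  when guesses < 1e6 + delta  then 1
  when guesses < 1e8 + delta  then 2
  when guesses < 1e10 + delta then 3
  else 4
  end
end

if __FILE__ == $PROGRAM_NAME
  e = v1_entropy(V1_MATCHES)
  t = v1_crack_time_seconds(e)
  puts format('entropy model: %.3f bits, crack time %.0f s, score %d', e, t, v1_score(t))
  g = v4_sequence_guesses(V4_MATCHES)
  puts format('guesses model: %d guesses, score %d', g, v4_score(g))
end
```

Running it gives about 32.938 bits and a crack time of roughly 4.1e5 seconds (score 2) for the entropy model, and exactly 1262010000 guesses (score 3) for the guesses model, the same numbers the two libraries printed above. The practical point for anyone wiring zxcvbn into both a browser form and a server-side validator is that the two ends must run the same scoring model and version; otherwise the client and server will disagree on borderline passwords exactly as reported here, which is why the thread's suggestion of executing the same JS on the server removes the mismatch.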