
Comments (2)

lowe commented on August 23, 2024

Good point about this pattern:

...bruteforce-pattern-bruteforce...

e.g.

frzplfqetuothvpasswordf2r3z

Right now zxcvbn calculates a single cardinality over the full password, and uses it in the entropy math of each bruteforce region. Instead, it should do the cardinality math for each region independently. We're in agreement there, and I'll keep this issue open until I fix it.

Your second point about two adjacent bruteforce regions:

...bruteforce-bruteforce...

e.g.

frzplfqFRZPLFQ

I'd tend to agree except it starts to get weird with cases like:

fRZplf39s9

Is RZ a single region? s? 39?

Also, zxcvbn will never match two brute force regions that are adjacent -- it'll always match them as a single larger bruteforce region. This is because bruteforce is the default "pattern", when none of the other patterns fit.

So I don't think I'll change the way bruteforce is calculated for frzplfqetuothvCOCIWDZOAZPVRL. Sound like a good compromise?

Thanks for reporting!
Dan

from zxcvbn.

lowe commented on August 23, 2024

This is now fixed. Cardinality for bruteforce matches is now 10 across the board, independent of types of characters present.

One thing is for sure -- earlier cardinality estimates were way too high. A markov attack, for example, could significantly reduce the number of tries needed per character if the password is "english word-like" [common consonant-vowel sequences] or "password-like" [starts with capital letters, lowers in the middle, ends with numbers].

It would be a fun future research project to investigate better models for estimating resistance to markov attacks / other "smart" bruteforce attacks on a given password, perhaps trained on a large password corpus. For now this is a simple fix in the right direction.

One downside is this significantly underestimates the guessability of long random strings. A random alphanumeric string will get estimated as 10^n instead of 62^n, for example. Yet another case of underestimating to be safe.

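The two comments above describe three ways of charging entropy to the bruteforce gaps between matched regions: one cardinality computed over the whole password (the behaviour being reported), a cardinality per bruteforce region (the first proposed fix), and a flat cardinality of 10 (what was shipped). The following is an added example, not zxcvbn's own code, that makes the three policies comparable on the thread's sample passwords. The functions `cardinality`, `bruteforceRegions` and `bruteforceEntropy`, the policy names, and the character-class sizes (26 lower, 26 upper, 10 digits, 33 printable ASCII symbols) are assumptions of this example, not zxcvbn's tables; matches are supplied by hand as `{i, j}` index ranges rather than by a real matcher.

```javascript
// Added example (not zxcvbn's code): compare three cardinality policies for
// the bruteforce regions of a password. Entropy of a region is
// length * log2(cardinality), i.e. log2 of the size of the search space.

// Assumed character-class sizes; zxcvbn's own tables may differ.
function cardinality(str) {
  let lower = false, upper = false, digit = false, symbol = false;
  for (const ch of str) {
    if (ch >= 'a' && ch <= 'z') lower = true;
    else if (ch >= 'A' && ch <= 'Z') upper = true;
    else if (ch >= '0' && ch <= '9') digit = true;
    else symbol = true;
  }
  return (lower ? 26 : 0) + (upper ? 26 : 0) + (digit ? 10 : 0) + (symbol ? 33 : 0);
}

// Every stretch of the password not covered by a match becomes one bruteforce
// region. Adjacent uncovered characters always merge into a single region,
// which is the "never two adjacent bruteforce regions" point from the thread.
// matches: array of { i, j } inclusive index ranges (constructed by hand here).
function bruteforceRegions(password, matches) {
  const sorted = [...matches].sort((a, b) => a.i - b.i);
  const regions = [];
  let pos = 0;
  for (const m of sorted) {
    if (m.i > pos) regions.push(password.slice(pos, m.i));
    pos = Math.max(pos, m.j + 1);
  }
  if (pos < password.length) regions.push(password.slice(pos));
  return regions;
}

// policy: 'global'     - one cardinality over the full password (reported bug)
//         'per-region' - cardinality of each bruteforce region on its own
//         'fixed10'    - constant 10 regardless of character classes (the fix)
function bruteforceEntropy(password, matches, policy) {
  const globalCard = cardinality(password);
  let bits = 0;
  for (const region of bruteforceRegions(password, matches)) {
    let card;
    if (policy === 'global') card = globalCard;
    else if (policy === 'per-region') card = cardinality(region);
    else if (policy === 'fixed10') card = 10;
    else throw new Error('unknown policy: ' + policy);
    bits += region.length * Math.log2(card);
  }
  return bits;
}

// Search-space size implied by the entropy, so 10^n vs 62^n can be read off.
function guessCount(password, matches, policy) {
  return Math.pow(2, bruteforceEntropy(password, matches, policy));
}

// Sample from the thread: "password" is the only matched region (indices 14..21,
// constructed by hand), leaving "frzplfqetuothv" and "f2r3z" as bruteforce.
const SAMPLE = 'frzplfqetuothvpasswordf2r3z';
const SAMPLE_MATCHES = [{ i: 14, j: 21, token: 'password' }];

for (const policy of ['global', 'per-region', 'fixed10']) {
  const bits = bruteforceEntropy(SAMPLE, SAMPLE_MATCHES, policy);
  console.log(policy.padEnd(10), bits.toFixed(2), 'bits');
}
```

Running the block shows the ordering the thread argues for on this password: the global policy charges every bruteforce character at 36 (digits leaked in from the tail region), per-region drops the leading all-lowercase region to 26, and the flat 10 is lower still. The trade-off in the second comment is visible with a random string such as `aB3xY9` and no matches: per-region yields 62^6 guesses, while the shipped policy yields 10^6.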
