
zxcvbn.js has different result from zxcvbn-ruby! #18

Open
oasisweng opened this issue Apr 17, 2016 · 9 comments
oasisweng commented Apr 17, 2016

I want to test the password strength on my Staff.rb model.

But using a Rails console to test a password such as "chenlu0525" with Zxcvbn.test gives a score of 2, while calling zxcvbn("chenlu0525") gives a score of 3.

Here is the result for zxcvbn("chenlu0525") (score:3):

JSON.stringify(zxcvbn("chenlu0525"))

password : "chenlu0525"
guesses : 1262010000
guesses_log10 : 9.101062796213672
sequence
calc_time : 1
crack_times_seconds
  online_throttling_100_per_hour : 45432360000
  online_no_throttling_10_per_second : 126201000
  offline_slow_hashing_1e4_per_second : 126201
  offline_fast_hashing_1e10_per_second : 0.126201
crack_times_display
  online_throttling_100_per_hour : "centuries"
  online_no_throttling_10_per_second : "4 years"
  offline_slow_hashing_1e4_per_second : "1 day"
  offline_fast_hashing_1e10_per_second : "less than a second"
score : 3
feedback
  warning : ""
  suggestions

Here is the result for Zxcvbn.test("chenlu0525") (score:2):

Zxcvbn.test("chenlu0525")

#<Zxcvbn::Score:0x007ffa13ae0168
 @calc_time=0.0012910170189570636,
 @crack_time=411480.0,
 @crack_time_display="6 days",
 @entropy=32.938,
 @match_sequence=
  [#<Zxcvbn::Match matched_word="chen", token="chen", i=0, j=3, rank=635, pattern="dictionary", dictionary_name="surnames", base_entropy=9.310612781659529, uppercase_entropy=0.0, l33t_entropy=0, entropy=9.310612781659529>,
   #<Zxcvbn::Match pattern="bruteforce", i=4, j=5, token="lu", entropy=10.339850002884624, cardinality=36>,
   #<Zxcvbn::Match i=6, j=9, token="0525", pattern="digits", entropy=13.28771237954945>],
 @password="chenlu0525",
 @score=2>

Any idea why? How to fix?

I am using Rails 4. Also, I use Devise, Client_Side_Validations and Simple_Form; if there is a workaround using devise_zxcvbn, it will work too.

@matthewford

@oasisweng for devise_zxcvbn, as it's typical to do both server- and client-side validation, we've ended up using https://github.com/bitzesty/zxcvbn-js, which is a fork of zxcvbn-ruby that just runs the JS with ExecJS so the results are the same.

runlevel5 added the bug label May 31, 2016
@stevehodgkiss (Contributor)

[screenshot attached to the original comment, 2016-06-03]

Definitely a difference in the calculation of entropy... PRs welcome!

If you're using zxcvbn.js to display validation on the front end, then it makes sense to use the same algorithm for the backend validation: https://github.com/bitzesty/zxcvbn-js

detj (Contributor) commented Apr 10, 2017

I think this is a serious blocker. Although there is zxcvbn-js out there, which uses ExecJS, I'm sure a pure Ruby version would be preferred by many.

bermannoah commented May 8, 2017

It looks like the JS original version makes its calculation based on seeing lu0525 as one token, rather than dividing it into lu and 0525 as this version does. I'm not sure where that decision is handled, but it seems like the right one to make.

sequence:
   [ { pattern: 'dictionary',
       i: 0,
       j: 3,
       token: 'chen',
       matched_word: 'chen',
       rank: 631,
       dictionary_name: 'surnames',
       reversed: false,
       l33t: false,
       base_guesses: 631,
       uppercase_variations: 1,
       l33t_variations: 1,
       guesses: 631,
       guesses_log10: 2.800029359244134 },
     { pattern: 'bruteforce',
       token: 'lu0525',
       i: 4,
       j: 9,
       guesses: 1000000,
       guesses_log10: 5.999999999999999 } ]

versus

#<Zxcvbn::Match matched_word="chen", token="chen", i=0, j=3, rank=635, pattern="dictionary", dictionary_name="surnames", base_entropy=9.310612781659529, uppercase_entropy=0.0, l33t_entropy=0, entropy=9.310612781659529>,
#<Zxcvbn::Match pattern="bruteforce", i=4, j=5, token="lu", entropy=10.339850002884624, cardinality=36>,
#<Zxcvbn::Match i=6, j=9, token="0525" ... >
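The two aggregation models behind the score 2 versus score 3 in this thread, as an added example that is not code from zxcvbn-ruby or zxcvbn.js: it takes the per-match entropy and guesses values pasted above and applies the zxcvbn v1 scoring (entropy sum and crack-time buckets, which zxcvbn-ruby ports) and the zxcvbn v4 scoring (guesses product with the l! and 10000^(l-1) terms, as used by zxcvbn.js 4.x), reproducing the pasted crack time 411480 and guesses 1262010000. The constants and thresholds are my reading of those two versions, reduced to the aggregation step only.

```ruby
# Added example (not zxcvbn-ruby or zxcvbn.js code). It re-runs the two scoring
# models on the match data pasted in this issue: per-match entropy/guesses are
# copied from the outputs above, so only the aggregation step is reproduced.

# zxcvbn v1 model (what zxcvbn-ruby ports): sum entropy bits, convert to crack
# time (100 attackers at 10 ms per guess, half the keyspace on average), then
# bucket the crack time in seconds.
V1_SECONDS_PER_GUESS = 0.010 / 100.0

def v1_crack_time(matches)
  bits = matches.sum { |m| m[:entropy] }          # 32.938 for the Ruby sequence
  0.5 * (2**bits) * V1_SECONDS_PER_GUESS
end

def v1_score(seconds)
  [1e2, 1e4, 1e6, 1e8].count { |t| seconds >= t } # thresholds passed: 0..4
end

# zxcvbn v4 model (zxcvbn.js 4.x): multiply per-match guesses, times l! for the
# ordering of the l matches, plus 10000^(l-1); bucket on guesses directly.
MIN_GUESSES_BEFORE_GROWING_SEQUENCE = 10_000

def v4_guesses(matches)
  l = matches.length
  (1..l).reduce(1, :*) * matches.map { |m| m[:guesses] }.reduce(1, :*) +
    MIN_GUESSES_BEFORE_GROWING_SEQUENCE**(l - 1)
end

def v4_score(guesses)
  [1e3, 1e6, 1e8, 1e10].count { |t| guesses >= t + 5 } # thresholds passed: 0..4
end

# zxcvbn-ruby split the tail into "lu" + "0525"; zxcvbn.js kept "lu0525" whole.
RUBY_MATCHES = [{ token: "chen", entropy: 9.310612781659529 },
                { token: "lu",   entropy: 10.339850002884624 },
                { token: "0525", entropy: 13.28771237954945 }].freeze
JS_MATCHES   = [{ token: "chen",   guesses: 631 },
                { token: "lu0525", guesses: 1_000_000 }].freeze

def ruby_result
  t = v1_crack_time(RUBY_MATCHES)
  { crack_time: t.round, score: v1_score(t) }   # crack_time 411480, score 2
end

def js_result
  g = v4_guesses(JS_MATCHES)
  { guesses: g, score: v4_score(g) }            # guesses 1262010000, score 3
end
```

Because the two models bucket on different quantities (seconds of crack time versus raw guesses) and tokenise the tail differently, the scores are not expected to agree even when both ports are bug-free, which is why the thread's advice is to run the same implementation on both sides.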

MSCAU commented Nov 27, 2018

Just ran into this issue too. JS says "Bilbo Baggin" scores 4, while zxcvbn-ruby says it scores 3. Would be grateful if someone more capable than me could fix this, as the JS version feels a lot slower.

bule commented Jun 19, 2020

I changed to zxcvbn-js because of this.
Correctness is more important than speed.

@northymer

Having the same issue here: the Ruby version fails to recognise repetitive inputs. For example, "rtrtrt" gives 0 from both the JS and Ruby versions, but one more "rt" still gives 0 from the JS version and 1 from Ruby, and every further "rt" adds +1 to the score on the Ruby side up to the highest one, while JS still gives it a 0.

@jsaglio42

I'm facing similar issues with the password "my_new_password".
zxcvbn-ruby (1.2.0) score : 1
zxcvbn.js (4.4.2) score : 3

@formigarafa

@jsaglio42 how did you go with your issue? Did you find a way out?
