Comments (9)
Hi there @TomLottermann, that observation that it wasn't an overriding goal of nbvcxz to maintain complete compatibility with zxcvbn or the other ports is entirely correct.
When I started this project, there were no other Java ports and I really wanted this functionality for my company, and I wanted it in Java. By the time I was done with the initial version, zxcvbn4j was also released, and from my memory of looking over their code years ago, they did maintain closer compatibility with zxcvbn (at least at the time).
Now on to ways nbvcxz can be configured to generate closer output to zxcvbn:
- Disable the Levenshtein Distance (LD) calculation. This feature was very helpful in my analysis in helping identify passwords which were only slightly different from dictionary words but were not caught by the original implementation. This feature is sure to cause nbvcxz to produce different results than zxcvbn for a large number of passwords.
- Make sure both implementations are using the same dictionaries. There are many more leaked passwords in the nbvcxz dictionary than in zxcvbn. There are also additional dictionaries included in nbvcxz that are not in zxcvbn and vice versa. Simply different choices on what lists were important to include by default. With nbvcxz you can easily change what dictionaries are being used though, so it's easy to make the different implementations use the same dictionaries.
- The algorithm to find the best matches is different between nbvcxz and zxcvbn, which is likely to produce slightly different results in cases where zxcvbn is unable to find the best combination of matches due to the algorithm used. There were quite a few instances I noted that brought about the change to the algorithm used by nbvcxz where there were obviously "wrong" results for entropy based on the combination of matches because it got stuck in a local minimum. This is no longer an issue with nbvcxz, but it will inherently produce different results for some passwords compared to the original algorithm used by zxcvbn. In the majority of cases both algorithms are able to figure out what the lowest entropy combination of matches on the password is, so I don't see this being too big of an issue.
Hope that helps, and I'm interested in your findings if you end up testing nbvcxz and another implementation to see how similar their outputs are over a sample of passwords.
from nbvcxz.
Another difference I thought of today is the separator match type support we have. It helps with passphrases detection a lot, but since zxcvbn doesn't support it, that would be something to also disable using the ConfigurationBuilder: setPasswordMatchers(List passwordMatchers).
@TomLottermann I am going to close this issue, hopefully my answers were helpful. If you have any more questions or need anything clarified feel free to ask.
Sorry for the late reply.
Thanks a ton for the detailed info! Might be worth documenting this in the README - maybe :)
Good call, I'll re-open this as a reminder to add this info to the README.md under a "compatibility" section.
@TomLottermann I updated the readme with the info from this thread, let me know if you think anything is unclear or should be reworded if you wouldn't mind.
Thanks for the documentation update! :)
Is there a shorthand to simply remove the SeparatorMatcher from the existing list of default matchers within a configuration or during the configuration building process?
Nope, no shorthand that I am aware of.
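Putting the thread's advice together (LD calculation off, SeparatorMatcher dropped from the default matcher list, and the manual removal the last question asks about since there is no shorthand), here is an added example, not code from the nbvcxz project or from anyone in this thread. `setPasswordMatchers` is named above; `setDistanceCalc`, `getDefaultPasswordMatchers`, the `SeparatorMatcher` class, the package names and the `Result` accessors are assumed to match nbvcxz's public API, and the two passwords are constructed sample inputs.

```java
import java.util.ArrayList;
import java.util.List;

import me.gosimple.nbvcxz.Nbvcxz;
import me.gosimple.nbvcxz.matching.PasswordMatcher;
import me.gosimple.nbvcxz.matching.SeparatorMatcher;
import me.gosimple.nbvcxz.resources.Configuration;
import me.gosimple.nbvcxz.resources.ConfigurationBuilder;
import me.gosimple.nbvcxz.scoring.Result;

public class ZxcvbnLikeConfig {

    /**
     * Builds a Configuration that follows the thread's advice for output closer to zxcvbn:
     * Levenshtein-distance matching off and the SeparatorMatcher removed from the default
     * matcher list. There is no shorthand for the removal, so the default list is copied
     * and filtered by hand.
     */
    public static Configuration zxcvbnLikeConfiguration() {
        // Assumption: ConfigurationBuilder.getDefaultPasswordMatchers() returns the default
        // matcher list. Copy it first so the library's own list is never mutated.
        List<PasswordMatcher> matchers =
                new ArrayList<>(ConfigurationBuilder.getDefaultPasswordMatchers());
        matchers.removeIf(m -> m instanceof SeparatorMatcher);

        return new ConfigurationBuilder()
                // Assumption: setDistanceCalc(false) is the switch for the LD calculation.
                .setDistanceCalc(false)
                // Named in the thread: replace the default matcher list with the filtered copy.
                .setPasswordMatchers(matchers)
                // Dictionaries are left at their defaults here; for a like-for-like comparison
                // with zxcvbn you would also call setDictionaries(...) with the same word lists.
                .createConfiguration();
    }

    /** Estimates one password under both configurations so the differences are visible side by side. */
    public static void compare(String password) {
        Nbvcxz defaults = new Nbvcxz();
        Nbvcxz zxcvbnLike = new Nbvcxz(zxcvbnLikeConfiguration());

        Result a = defaults.estimate(password);
        Result b = zxcvbnLike.estimate(password);

        System.out.printf("%-30s default: entropy=%6.2f score=%d | zxcvbn-like: entropy=%6.2f score=%d%n",
                password, a.getEntropy(), a.getBasicScore(), b.getEntropy(), b.getBasicScore());
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a slightly misspelled dictionary word (affected by the
        // LD setting) and a passphrase with separators (affected by the SeparatorMatcher).
        compare("passw0rdz");
        compare("correct-horse-battery-staple");
    }
}
```

Running it prints the two estimates per password next to each other; the first password should show the effect of turning the LD calculation off, the second the effect of losing separator-aware passphrase detection, which is exactly the divergence from zxcvbn described above.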