
zxcvbn-php's Issues

still inconsistencies ...

After I first tried the library from bjeavons, where the gap between JS & PHP was huge (3 vs 0 as score), I switched to your fork.

Now the inconsistency is a little bit smaller, but it is still there :)

Try stargate100 (without any user data)

  • JS: scores 3
  • PHP: scores 2

Situations where our result doesn't match upstream

Use this issue for tracking situations we need to resolve before release

  • L33tMatch::match returns 6 matches for Password1, should return 0 (fixed, single character detection wasn't working)
  • Password rockyou returns 10,718 guesses, should return 45,900 guesses (fixed, minimum guesses wasn't being applied to all matches)
  • Passwords 098765 and 09876 are detected as dvorak instead of qwerty - this results in a different number of guesses (fixed, typo in SpatialMatch caused dvorak matches to return an incorrect number of guesses)
  • For the password marie1, upstream detects a L33tMatch from the female_names dictionary, but we detect a normal DictionaryMatch from the passwords dictionary (fixed, our L33tMatch algorithm didn't match upstream properly)
  • Passwords ABC123 and PASSWORD1 are missing the 'All-uppercase is almost as easy...' suggestion (fixed, the 'all uppercase' regex was incorrect)
  • SpatialMatch casts the result of getGuesses to int, which upstream doesn't do (it returns a float) - this has a maximum error of 1 guess, but can lead to greater effects when it's part of a set of multiple matches (fixed, now returns float)
  • Password j123456 is detected as a Bruteforce + SequenceMatch instead of Bruteforce + DictionaryMatch (fixed, matchers were in a different order than upstream which led to SequenceMatch being chosen over DictionaryMatches with equal guesses)
  • YearMatch should have a pattern type of regex to match upstream (instead of year) (fixed)
  • Multibyte characters are treated differently compared to upstream: the smiley face emoji 🙂 is treated as 1 character in JavaScript, but 3 characters in PHP (fixed, move to using the mb_ string functions)
  • When two SpatialMatches are returned (such as with !QAZ1qaz), the second match has 4 times as many guesses as it should (fixed, affected passwords where the first character was shifted)
  • Some passwords that contain multiple Bruteforce and Dictionary matches return different results. Examples: hitenmitsurugi, soldemedianoche, inthenameofgod. In all three cases we return slightly fewer guesses than upstream.

mb_ord

Might mention required PHP version. Had an issue with mb_ord just because I'm still using an older PHP version. Not a big deal though.
