Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Too high score for special characters #70

Open
HaasJona opened this issue Jul 29, 2022 · 2 comments
Open

Too high score for special characters #70

HaasJona opened this issue Jul 29, 2022 · 2 comments
Assignees
Labels

Comments

@HaasJona
Copy link

HaasJona commented Jul 29, 2022

With the String "+=&/()!" (without quotes) nbvcxz returns a score of 4/4, entropy of around 35 and 7 brute force matches with an entropy of around 5 each. Which seems kinda overrated.

The online demo on the other hand returns a single brute force match with only a score of 2/4. Which seems more appropriate for a password of only 7 chars. I'm sure even some precomputed rainbow tables go up to 8 normal chars (letters, digits and regular special characters)

@Tostino
Copy link
Collaborator

Tostino commented Jan 5, 2023

You are correct there. The character set used is limited to special characters, not alphanumeric... The code in the getBruteForceCardinality methods in the BruteForceUtil class are interacting with the changes I made to the matching algorithm to ensure it didn't fall over if it got caught in a local minimum which stopped the original algorithm from finding the true best matches in a ton of cases.

So this will take a little thinking to figure out, but it is solvable.

@Tostino
Copy link
Collaborator

Tostino commented Feb 2, 2023

So, after checking this out more, it looks like that scoring algorithm changed out from under me when I was originally implementing Nbvcxz and I never noticed: dropbox/zxcvbn@5d7695e

Looks like this will take a bit of work to get scoring for brute force more in-line.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants