We should have the ability to run the estimate method within a fixed timeframe.
If the algorithms within fail to calculate within the specified timeframe, we should still return a Result that contains a Match that specifies that this was timed out and the password will be rejected for that reason.
This should allow safer use within backend systems regardless of algorithmic complexity vulnerabilities existing with certain inputs.
Shouldn't it return a full score for the password if the password strength check takes too long to calculate the strength of the password?
Shouldn't this password be pretty strong?
It could be, or it could be a payload that is intended to exploit the algorithm in a complexity attack. I was erring on the side of caution here, but it could be argued either way.
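The time-bounded, fail-closed behaviour proposed in this issue, as an added sketch that is not the project's code: `Match`, `Result` and `estimate` below are hypothetical stand-ins, and the matcher, word list and acceptance rule are constructed for illustration. The deadline is checked inside the matching loop so the work actually stops when the budget is spent, instead of continuing in the background.

```python
import time
from dataclasses import dataclass


@dataclass
class Match:   # hypothetical stand-in for the library's Match
    kind: str
    token: str


@dataclass
class Result:  # hypothetical stand-in for the library's Result
    matches: list
    timed_out: bool
    accepted: bool


WORDS = {"password", "letmein", "dragon"}  # constructed sample dictionary


def estimate(password, budget_s=0.05, min_unmatched=8, clock=time.monotonic):
    """Toy O(n^2) substring matcher that checks a deadline as it works.

    If the budget runs out, matching stops and the result fails closed:
    a single 'timeout' Match, accepted=False.
    """
    deadline = clock() + budget_s
    matches = []
    lowered = password.lower()
    n = len(lowered)
    for start in range(n):
        # Checked once per outer iteration, so the overrun is bounded by
        # one inner pass rather than by the whole input.
        if clock() >= deadline:
            return Result([Match("timeout", "")], timed_out=True, accepted=False)
        for end in range(start + 1, n + 1):
            if lowered[start:end] in WORDS:
                matches.append(Match("dictionary", password[start:end]))
    # Constructed acceptance rule: enough characters outside dictionary words.
    covered = sum(len(m.token) for m in matches)
    return Result(matches, timed_out=False, accepted=(n - covered) >= min_unmatched)
```

Returning `accepted=True` on the timeout branch would give the "full score" behaviour asked about in the comments; the sketch follows the issue's proposal and rejects.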