We find 1.5 MB of compressed storage is sufficient to accurately estimate the best-known guessing attacks up to 10⁵ guesses, or 10⁴ and 10³ guesses, respectively, given 245 kB and 29 kB.
Is it just me or does this sound like a very low upper bound? 10⁵ guesses is only about 16.6 bits of entropy in a password, which seems to me like it ought to be really easy to crack even if you are using a proper password hashing function.
It depends on what the distribution of ‘weak passwords’ looks like. If 99.99% of “weak” passwords exist in that 16.6 bit space then this is more than sufficient and at low enough cost to be practical. They’re also trying to beat LUDS, so the goal is just “be better”, not “be perfect”.
My guess is that passwords tend to be either very weak or very strong, with a wide gap in between. As in people just putting “blahblah123” to get through the sign up flow or people using a password manager. Also, a password could be highly entropic but also terrible - if it’s reused and exists in a password cracking dictionary.
edit: Actually, the paper does a better job detailing their motivations.
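To make the LUDS-versus-guess-number point concrete, here is an added example (not code from the paper, nor from anyone in this thread). It puts a composition check (Lower, Upper, Digit, Symbol plus a length floor) beside a check against the head of a guess-ordered list, using the thread's 10⁵-guess threshold. The password list is constructed for the example and stands in for the top of a real cracking dictionary; the Bloom filter is only one illustration of storing such a head compactly on a client and is my assumption, not the paper's method.

```python
import hashlib
import math

# Constructed head of a guess-ordered password list (made up for this example,
# not data from the paper or from any real cracking dictionary). Position in
# the list stands in for the attacker's guess number.
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "12345678", "blahblah123",
    "Password1!", "letmein", "Welcome1", "iloveyou", "Summer2023!",
]
GUESS_RANK = {pw: rank for rank, pw in enumerate(COMMON_PASSWORDS, start=1)}

# Threshold discussed in the thread: 10^5 guesses, i.e. about 16.6 bits.
MAX_GUESSES = 10 ** 5


def bits_of_guesswork(guesses: int) -> float:
    """log2 of a guess count: 10^5 guesses is roughly 16.6 bits."""
    return math.log2(guesses)


def luds_ok(pw: str, min_len: int = 8) -> bool:
    """Composition policy: lower, upper, digit and symbol present, plus a length floor."""
    return (
        len(pw) >= min_len
        and any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(not c.isalnum() for c in pw)
    )


def guess_rank(pw: str):
    """Rank of pw in the guess-ordered list, or None if it is outside the stored head."""
    return GUESS_RANK.get(pw)


def survives_guessing(pw: str, max_guesses: int = MAX_GUESSES) -> bool:
    """True if the attacker's first max_guesses guesses would not hit pw."""
    rank = guess_rank(pw)
    return rank is None or rank > max_guesses


class BloomFilter:
    """Compact membership set: false positives possible, false negatives impossible.
    For a password check that is the safe direction: a false positive rejects a
    password that was actually strong; a listed password is never admitted."""

    def __init__(self, n_items: int, fp_rate: float):
        # Standard sizing: m bits and k hash positions for the target false-positive rate.
        self.m = max(8, math.ceil(-n_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Double hashing (h1 + i*h2 mod m) derived from a single SHA-256 digest.
        h = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(h[:8], "big")
        h2 = int.from_bytes(h[8:16], "big")
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def size_bytes(self) -> int:
        return len(self.bits)


def build_filter(passwords, fp_rate: float = 1e-6) -> BloomFilter:
    """Pack the guess-list head into a filter small enough to ship to a client."""
    bf = BloomFilter(len(passwords), fp_rate)
    for pw in passwords:
        bf.add(pw)
    return bf


def assess(pw: str, bf: BloomFilter) -> dict:
    """Side-by-side verdicts from the composition rule and the guess-number rule."""
    return {
        "luds": luds_ok(pw),
        "in_guess_list": pw in bf,
        "survives_guessing": survives_guessing(pw),
    }


if __name__ == "__main__":
    bf = build_filter(COMMON_PASSWORDS)
    for pw in ["Password1!", "blahblah123", "correct horse battery staple"]:
        print(pw, assess(pw, bf))
    print("filter bytes:", bf.size_bytes())
```

"Password1!" satisfies every LUDS rule and still sits inside the first 10⁵ guesses, while a long lowercase passphrase fails LUDS and survives. A real meter would also apply the mangling rules a cracker uses (case flips, appended digits) rather than the exact-match lookup used here.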
I have to write a wrapper for the command-line utility, lest I forget the name.
That project is abandonware. The community has moved on to https://github.com/zxcvbn-ts/zxcvbn.
Thanks for the link!