
zxcvbn-php's Introduction

Zxcvbn-PHP is a password strength estimator using pattern matching and minimum entropy calculation. Zxcvbn-PHP is based on the JavaScript zxcvbn project from Dropbox and @lowe. "zxcvbn" is a bad password, just like "qwerty" and "123456".

zxcvbn attempts to give sound password advice through pattern matching and conservative entropy calculations. It finds 10k common passwords, common American names and surnames, common English words, and common patterns like dates, repeats (aaa), sequences (abcd), and QWERTY patterns.


Installation

The library can be installed with Composer by adding it as a dependency to your composer.json file.

Via the command line run: composer require bjeavons/zxcvbn-php

Or in your composer.json add

{
    "require": {
        "bjeavons/zxcvbn-php": "^1.0"
    }
}

Then run composer update on the command line and include the autoloader in your PHP scripts so that the ZxcvbnPhp class is available.

require_once 'vendor/autoload.php';

Usage

use ZxcvbnPhp\Zxcvbn;

$userData = [
  'Marco',
  '[email protected]'
];

$zxcvbn = new Zxcvbn();
$weak = $zxcvbn->passwordStrength('password', $userData);
echo $weak['score']; // will print 0

$strong = $zxcvbn->passwordStrength('correct horse battery staple');
echo $strong['score']; // will print 4

echo $weak['feedback']['warning']; // will print user-facing feedback on the password, set only when score <= 2
// $weak['feedback']['suggestions'] may contain user-facing suggestions to improve the score

Scores are integers from 0 to 4:

  • 0 means the password is extremely guessable (within 10^3 guesses); dictionary words like 'password' or 'mother' score a 0
  • 1 is still very guessable (guesses < 10^6); an extra character on a dictionary word can score a 1
  • 2 is somewhat guessable (guesses < 10^8) and provides some protection from unthrottled online attacks
  • 3 is safely unguessable (guesses < 10^10) and offers moderate protection in an offline slow-hash scenario
  • 4 is very unguessable (guesses >= 10^10) and provides strong protection in an offline slow-hash scenario
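The following is an added example of putting the score to use in a registration check; it is not part of the zxcvbn-php README. It assumes only the passwordStrength() call and the 'score' and 'feedback' keys documented above; the minimum score of 3 is a policy choice, and the user inputs and candidate passwords are constructed sample data.

```php
<?php
// Added example, not part of the zxcvbn-php README: gating account creation on
// the numeric score. Assumes the passwordStrength() API and the 'score' and
// 'feedback' keys documented above; the minimum score is a policy choice.
require_once 'vendor/autoload.php';

use ZxcvbnPhp\Zxcvbn;

/**
 * Returns null when the password meets the policy, otherwise a user-facing
 * message assembled from the library's feedback. Only the score decides;
 * the warning string is informational and may be empty even at score 0.
 */
function checkPasswordPolicy(string $password, array $userInputs, int $minScore = 3): ?string
{
    $zxcvbn = new Zxcvbn();
    $result = $zxcvbn->passwordStrength($password, $userInputs);

    if ($result['score'] >= $minScore) {
        return null;
    }

    $parts = [];
    if (!empty($result['feedback']['warning'])) {
        $parts[] = $result['feedback']['warning'];
    }
    foreach ($result['feedback']['suggestions'] ?? [] as $suggestion) {
        $parts[] = $suggestion;
    }
    if ($parts === []) {
        $parts[] = 'This password is too easy to guess.';   // fallback when no feedback
    }

    return sprintf('Password scored %d/4 (minimum %d). %s',
        $result['score'], $minScore, implode(' ', $parts));
}

// Constructed sample data: anything an attacker can learn about the account
// (name, username, e-mail local part) goes into $userInputs so that passwords
// built from it are penalised.
$userInputs = ['Marco', 'marco.example'];

foreach (['password', 'Marco2021!', 'correct horse battery staple'] as $candidate) {
    $problem = checkPasswordPolicy($candidate, $userInputs);
    printf("%-30s %s\n", $candidate, $problem ?? 'accepted');
}
```

The gate is the integer score alone. The feedback block is there for the message shown to the user, never for the decision, because the library documents the warning as optional and a low score can arrive with an empty warning.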

Acknowledgements

Thanks to:

zxcvbn-php's People

Contributors

alexlisenkov, bjeavons, clamburger, mkopinsky, paragonie-scott, peter279k, preimers, texdc, voku, xon, zenexer


zxcvbn-php's Issues

Ability to change scorer constants in advance of Argon2i hashing becoming default

PHP 7.2 has added the ability to use the Argon2i hashing method as an alternative to Bcrypt, with PHP 7.3 planning to use Argon2i as the default hashing method.

Currently, Zxcvbn scores password crack times by assuming that Bcrypt has been used.

There are some changes that would help Zxcvbn deal with this new generation of hashing.

Easiest change would be allowing optional SINGLE_GUESS and NUM_ATTACKERS overrides to the score function that gets passed to calcCrackTime. If calcCrackTime sees the overrides, it'll use them instead of the SINGLE_GUESS and NUM_ATTACKERS constants.

The other option would be the ability to pass a hash method name to score like score($entropy, 'bcrypt') or score($entropy, 'argon2i') and it can pick the appropriate constants automatically.
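As an added example (not the library's code and not the issue author's), here is the shape such an override could take on the caller's side: a crack-time calculation in which the attacker's guess rate is a parameter rather than a constant. The four named scenarios and their rates follow the conventions of zxcvbn.js's crack_times_seconds; the guess count fed in and the 1e3 slow-hash override are constructed illustrative values, not measurements of any hash function.

```php
<?php
// Added example (not zxcvbn-php's own code): turning a guess count into crack-time
// estimates for several attacker scenarios, with the hash-cost assumption passed
// in explicitly instead of being a fixed constant.

/** Guesses per second per scenario; names and rates follow zxcvbn.js conventions. */
const GUESS_RATES = [
    'online_throttling_100_per_hour'       => 100 / 3600,
    'online_no_throttling_10_per_second'   => 10,
    'offline_slow_hashing_1e4_per_second'  => 1e4,
    'offline_fast_hashing_1e10_per_second' => 1e10,
];

/** Seconds needed to exhaust $guesses at each rate; rates can be overridden per call. */
function crackTimesSeconds(float $guesses, array $ratesPerSecond = GUESS_RATES): array
{
    $times = [];
    foreach ($ratesPerSecond as $scenario => $rate) {
        if ($rate <= 0) {
            throw new InvalidArgumentException("rate for $scenario must be positive");
        }
        $times[$scenario] = $guesses / $rate;
    }
    return $times;
}

/** Coarse human-readable form, in the spirit of crack_times_display. */
function displayTime(float $seconds): string
{
    if ($seconds < 1) {
        return 'less than a second';
    }
    if ($seconds >= 100 * 365.25 * 86400) {
        return 'centuries';
    }
    $units = [
        ['year',   365.25 * 86400],
        ['month',  30 * 86400],
        ['day',    86400],
        ['hour',   3600],
        ['minute', 60],
        ['second', 1],
    ];
    foreach ($units as [$name, $size]) {
        if ($seconds >= $size) {
            $n = (int) round($seconds / $size);
            return $n . ' ' . $name . ($n === 1 ? '' : 's');
        }
    }
    return 'less than a second'; // unreachable; keeps the return type total
}

// Constructed input: a guess count of the size zxcvbn reports for a two-word password.
$guesses = 2132808.0;
foreach (crackTimesSeconds($guesses) as $scenario => $seconds) {
    printf("%-40s %16.4f s  (%s)\n", $scenario, $seconds, displayTime($seconds));
}

// Overriding the slow-hash rate, e.g. after benchmarking a memory-hard hash on
// the attacker hardware you assume (the 1e3 figure is illustrative only):
$custom = GUESS_RATES;
$custom['offline_slow_hashing_1e4_per_second'] = 1e3;
foreach (crackTimesSeconds($guesses, $custom) as $scenario => $seconds) {
    printf("%-40s %16.4f s  (%s)\n", $scenario, $seconds, displayTime($seconds));
}
```

Keeping the rate table outside the scorer is what makes the second variant of the proposal possible: a caller can hold one table per hash algorithm and pass the one matching the configured password_hash() setting.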

Other languages support

Hello!

Thank you for the great work with this library!

I'm wondering how to add a dictionary of common words (or common names) of another language than English? How should it be formatted? File format? How to implement?

Could additional language check be a new feature?

Handle feedback from @matt2000 review

Bruteforce isn't loaded in Matcher::getMatchers() so could have improved documentation of the relationship with other Match objects. Also, documentation on autoload is out of date.

L33tMatch.php defines $l33t array twice

Improve l33tEntropy() documentation in relation to its use with entropy of non-substituted characters.

Confirm test documentation is correct. e.g. DateTest.php "YearMatch will match this."

Uncaught Error: [] operator not supported for strings

PHP Fatal error: Uncaught Error: [] operator not supported for strings in
/vendor/bjeavons/zxcvbn-php/src/Matchers/L33tMatch.php:55

Any ideas how to fix this?

I'm running PHP 7.1.0

I already tried: $result['sub_display'][] = "{$password[$i]} -> $t";

but I keep getting the same error :(

Stack trace:
#0 //vendor/bjeavons/zxcvbn-php/src/Matcher.php(27): ZxcvbnPhp\Matchers\L33tMatch::match('T3H-1337-P@$$', Array)
#1 //vendor/bjeavons/zxcvbn-php/src/Zxcvbn.php(53): ZxcvbnPhp\Matcher->getMatches('T3H-1337-P@$$', Array)
#2 //vendor/phpauth/phpauth/Auth.php(187): ZxcvbnPhp\Zxcvbn->passwordStrength('T3H-1337-P@$$')
#3 /index.php(25): PHPAuth\Auth->register('[email protected]', 'T3H-1337-P@$$', 'T3H-1337-P@$$')
#4 {main}
  thrown in //vendor/bjeavons/zxcvbn-php/src/Matchers/L33tMatch.php on line 55

Documentation request!

Not a dealbreaker - but it'd be helpful if the readme identified the upper and lower range for score, or how to apply best practices to interpreting the result that the check provides.

Neat lib though, thank you!

32-bit compatibility

At least 2 tests are failing on a 32-bit computer

There were 2 errors:
1) ZxcvbnPhp\Test\Matchers\MatchTest::testBinomialMirrorIdentity
TypeError: intdiv(): Argument #1 ($num1) must be of type int, float given
/builddir/build/BUILDROOT/php-bjeavons-zxcvbn-php-1.3.0-1.fc35.noarch/usr/share/php/ZxcvbnPhp/Matchers/BaseMatch.php:158
/builddir/build/BUILDROOT/php-bjeavons-zxcvbn-php-1.3.0-1.fc35.noarch/usr/share/php/ZxcvbnPhp/Matchers/BaseMatch.php:130
/builddir/build/BUILD/zxcvbn-php-5268743bffbb8cd182c98a4e79d6ed87004a6621/test/Matchers/MatchTest.php:50
2) ZxcvbnPhp\Test\Matchers\MatchTest::testBinomialPascalsTriangleIdentity
TypeError: intdiv(): Argument #1 ($num1) must be of type int, float given
/builddir/build/BUILDROOT/php-bjeavons-zxcvbn-php-1.3.0-1.fc35.noarch/usr/share/php/ZxcvbnPhp/Matchers/BaseMatch.php:158
/builddir/build/BUILDROOT/php-bjeavons-zxcvbn-php-1.3.0-1.fc35.noarch/usr/share/php/ZxcvbnPhp/Matchers/BaseMatch.php:130
/builddir/build/BUILD/zxcvbn-php-5268743bffbb8cd182c98a4e79d6ed87004a6621/test/Matchers/MatchTest.php:62
ERRORS!

New release

Hello,

A couple of weeks ago my changes were merged but are not in a new release yet.
Can you create a new release so I don't have to use dev-master?

1.0.0...master

zxcvbn-php scores lower than zxcvbn.js for dictionary pattern combinations

zxcvbn.js: 4.4.2
zxcvbn-php: 0.4.0

Password: helloworldhello

zxcvbn.js (score: 2)

{  
   "password":"helloworldhello",
   "guesses":2132808,
   "guesses_log10":6.328951761078288,
   "sequence":[  
      {  
         "pattern":"dictionary",
         "i":0,
         "j":9,
         "token":"helloworld",
         "matched_word":"helloworld",
         "rank":12788,
         "dictionary_name":"passwords",
         "reversed":false,
         "l33t":false,
         "base_guesses":12788,
         "uppercase_variations":1,
         "l33t_variations":1,
         "guesses":12788,
         "guesses_log10":4.10680262759965
      },
      {  
         "pattern":"dictionary",
         "i":10,
         "j":14,
         "token":"hello",
         "matched_word":"hello",
         "rank":83,
         "dictionary_name":"passwords",
         "reversed":false,
         "l33t":false,
         "base_guesses":83,
         "uppercase_variations":1,
         "l33t_variations":1,
         "guesses":83,
         "guesses_log10":1.919078092376074
      }
   ],
   "calc_time":4,
   "crack_times_seconds":{  
      "online_throttling_100_per_hour":76781088,
      "online_no_throttling_10_per_second":213280.8,
      "offline_slow_hashing_1e4_per_second":213.2808,
      "offline_fast_hashing_1e10_per_second":0.0002132808
   },
   "crack_times_display":{  
      "online_throttling_100_per_hour":"2 years",
      "online_no_throttling_10_per_second":"2 days",
      "offline_slow_hashing_1e4_per_second":"4 minutes",
      "offline_fast_hashing_1e10_per_second":"less than a second"
   },
   "score":2,
   "feedback":{  
      "warning":"",
      "suggestions":[  
         "Add another word or two. Uncommon words are better."
      ]
   }
}

zxcvbn-php (score: 0)

{  
   "crack_time":41.990400000000086,
   "calc_time":0.020023107528686523,
   "password":"helloworldhello",
   "entropy":19.679700005769252,
   "match_sequence":[  
      {  
         "dictionaryName":"passwords",
         "rank":54,
         "matchedWord":"hello",
         "password":"helloworldhello",
         "begin":0,
         "end":4,
         "token":"hello",
         "pattern":"dictionary",
         "entropy":null,
         "cardinality":null
      },
      {  
         "dictionaryName":"english",
         "rank":288,
         "matchedWord":"world",
         "password":"helloworldhello",
         "begin":5,
         "end":9,
         "token":"world",
         "pattern":"dictionary",
         "entropy":null,
         "cardinality":null
      },
      {  
         "dictionaryName":"passwords",
         "rank":54,
         "matchedWord":"hello",
         "password":"helloworldhello",
         "begin":10,
         "end":14,
         "token":"hello",
         "pattern":"dictionary",
         "entropy":null,
         "cardinality":null
      }
   ],
   "score":0
}

Password: hellodoublestatus

zxcvbn.js (score: 3)

{  
   "password":"hellodoublestatus",
   "guesses":399869704,
   "guesses_log10":8.601918501197677,
   "sequence":[  
      {  
         "pattern":"dictionary",
         "i":0,
         "j":4,
         "token":"hello",
         "matched_word":"hello",
         "rank":83,
         "dictionary_name":"passwords",
         "reversed":false,
         "l33t":false,
         "base_guesses":83,
         "uppercase_variations":1,
         "l33t_variations":1,
         "guesses":83,
         "guesses_log10":1.919078092376074
      },
      {  
         "pattern":"dictionary",
         "i":5,
         "j":10,
         "token":"double",
         "matched_word":"double",
         "rank":834,
         "dictionary_name":"english_wikipedia",
         "reversed":false,
         "l33t":false,
         "base_guesses":834,
         "uppercase_variations":1,
         "l33t_variations":1,
         "guesses":834,
         "guesses_log10":2.9211660506377384
      },
      {  
         "pattern":"dictionary",
         "i":11,
         "j":16,
         "token":"status",
         "matched_word":"status",
         "rank":722,
         "dictionary_name":"english_wikipedia",
         "reversed":false,
         "l33t":false,
         "base_guesses":722,
         "uppercase_variations":1,
         "l33t_variations":1,
         "guesses":722,
         "guesses_log10":2.8585371975696385
      }
   ],
   "calc_time":4,
   "crack_times_seconds":{  
      "online_throttling_100_per_hour":14395309344,
      "online_no_throttling_10_per_second":39986970.4,
      "offline_slow_hashing_1e4_per_second":39986.9704,
      "offline_fast_hashing_1e10_per_second":0.0399869704
   },
   "crack_times_display":{  
      "online_throttling_100_per_hour":"centuries",
      "online_no_throttling_10_per_second":"1 year",
      "offline_slow_hashing_1e4_per_second":"11 hours",
      "offline_fast_hashing_1e10_per_second":"less than a second"
   },
   "score":3,
   "feedback":{  
      "warning":"",
      "suggestions":[  

      ]
   }
}

zxcvbn-php (score: 1)

{  
   "crack_time":8618.50259999999,
   "calc_time":0.020722150802612305,
   "password":"hellodoublestatus",
   "entropy":27.360933897886632,
   "match_sequence":[  
      {  
         "dictionaryName":"passwords",
         "rank":54,
         "matchedWord":"hello",
         "password":"hellodoublestatus",
         "begin":0,
         "end":4,
         "token":"hello",
         "pattern":"dictionary",
         "entropy":null,
         "cardinality":null
      },
      {  
         "dictionaryName":"english",
         "rank":1006,
         "matchedWord":"double",
         "password":"hellodoublestatus",
         "begin":5,
         "end":10,
         "token":"double",
         "pattern":"dictionary",
         "entropy":null,
         "cardinality":null
      },
      {  
         "dictionaryName":"english",
         "rank":3173,
         "matchedWord":"status",
         "password":"hellodoublestatus",
         "begin":11,
         "end":16,
         "token":"status",
         "pattern":"dictionary",
         "entropy":null,
         "cardinality":null
      }
   ],
   "score":1
}

Add warning code to response array to allow mapping to custom feedback strings

As a developer
I want to be able to identify the reason for a low score using a concise string which will never change
So that I can communicate the feedback to my users in way which is more consistent with my application/brand tone of voice/localisation requirements

If a consistent response code was part of the response array, this would allow developers to map this to localisation maps and create validation messages which flow in a way that better suits their application. This is different to the feedback warnings currently returned which aren't guaranteed to not change in style/content (and so can't be mapped directly without risking breaking functionality with future updates).

Example:

[
  'password' =>'hannah2021',
  'guesses' => 2.13811968952E+20,
  'guesses_log10' =>20.330032012867,
  'sequence' => [...],
  'crack_times_seconds' => [...],
  'crack_times_display' => [...],
  'score' => 4,
  'feedback' => [
    'warning' => 'Dates are often easy to guess',
    'suggestion' => [...],
    'code' => 'guessable_dates',
  ],
  'calc_time' => 0.0208580493927,
]

Which would allow mapping to languages:

translate(sprintf('en.%s', $response['feedback']['code']));

Or mapping to custom messages:

private $map = [
    'guessable_dates' => 'Increase the complexity of your password or consider omitting dates from it.',
];

public function message(array $response): string
{
    return $this->map[$response['feedback']['code']];
}

PHP Warning: foreach() argument must be of type array|object, null given

I periodically log a PHP warning being generated by the L33tMatch matcher. Unfortunately the input being passed in that triggers the warning isn't logged (given its use as a password) but I was able to walk through the debugger and at least catch that the $sub array is being set to null when using the default constructor for Zxcvbn where it handles creating all of its own matchers internally.

PHP version: 8.0.8
Error message: foreach() argument must be of type array|object, null given in .../vendor/bjeavons/zxcvbn-php/src/Matchers/L33tMatch.php on line 214

It's attempting to do a foreach on a null $sub variable which by default should be an empty array but is being set to null in the constructor on line 93:

$this->sub = isset($params['sub']) ? $params['sub'] : null;

A quick screenshot of the debugger state after that line executes:

[screenshot: php_warning]

I'm happy to submit a pull request with a simple fix of replacing the null with [] but wasn't sure if that would break anything.

Password score from JavaScript is not the same

Hi, the password score of JavaScript is not the same as in PHP.
I guess that should not be like that?

PHP

array:6 [
  "password" => "1111"
  "score" => 0
]
array:6 [
  "password" => "Monday"
  "score" => 0
]
array:6 [
  "password" => "Mond!ay"
  "score" => 2
]

JavaScript

{
  "password": "111",
  "score": 0
}
{
  "password": "Monday",
  "score": 1
}
{
  "password": "Mond!ay",
  "score": 2
}

Why match_sequence gives back an Object not an Array?

match_sequence!=Array

define('RT', PHP_EOL); // RT is assumed to be the poster's newline constant
$zxcvbn = new Zxcvbn();
$strength = $zxcvbn->passwordStrength('asdf', $userData);
echo "score_1 : ".$strength['score'].RT;
// will print 0
echo RT.RT; var_dump($strength); echo RT.RT;

gives:

array(6) {
  ["crack_time"]=> float(0.00865)
  ["calc_time"]=> float(0.0287201404572)
  ["password"]=> string(4) "asdf"
  ["entropy"]=> float(7.43462822764)
  ["match_sequence"]=> array(1) {
    [0]=> object(ZxcvbnPhp\Matchers\DictionaryMatch)#7 (10) {
      ["dictionaryName"]=> string(9) "passwords"
      ["rank"]=> int(173)
      ["matchedWord"]=> string(4) "asdf"
      ["password"]=> string(4) "asdf"
      ["begin"]=> int(0)
      ["end"]=> int(3)
      ["token"]=> string(4) "asdf"
      ["pattern"]=> string(10) "dictionary"
      ["entropy"]=> NULL
      ["cardinality"]=> NULL
    }
  }
  ["score"]=> int(0)
}

array_unique error

ErrorException: 2: array_unique() expects parameter 1 to be array, bool given in

... /vendor/bjeavons/zxcvbn-php/src/Matchers/L33tMatch.php(138): array_unique(false)

PHP 7.1 Issue: [] operator not supported for strings

When using the library with PHP 7.1, I get this error:
PHP Fatal error: Uncaught Error: [] operator not supported for strings in /home/webuser/websites/config.schokokeks.org/htdocs/vendor/bjeavons/zxcvbn-php/src/Matchers/L33tMatch.php:55

The line is:
$result['sub_display'][] = "$password[$i] -> $t";

PHP 7.1 expands the in-string-variable as $password[$i] which is not allowed for strings.

Return value of factorial should be int

Uncaught Exception TypeError: "Return value of ZxcvbnPhp\Scorer::factorial() must be of the type int, float returned" at /zxcvbn-php/src/Scorer.php line 272

Version 1.3.1

Heads up; PHP7 nightly

Hi! I'm using your package as a dependency for olssonm/l5-zxcvbn.

I just updated it to include v0.2.0 and some other fixes. When I ran the tests in Travis upon the PR, I noticed that zxcvbn-php caused an error in PHP 7 nightly. Older versions (including PHP 7) passed flawlessly.

Now, I haven't found anything that indicates that the nightly version has changed anything on how arrays in strings are handled, might just be a bug in the nightly version that will be patched later on. Just thought that I should give you a heads up if this causes any issues in the future.

The error is thrown at https://github.com/bjeavons/zxcvbn-php/blob/master/src/Matchers/L33tMatch.php#L55

The error:
Error: [] operator not supported for strings

See https://travis-ci.org/olssonm/l5-zxcvbn/jobs/173946497 for the complete test suite.

Keep up the good work!

zxcvbn-php doesn't match js results for sequences

E.g.:

Password: XYZ123

Here the PHP version overestimates the entropy, mistaking the distinct sequences "XYZ" and "123" for "XYZ12" and "3".

PHP:

{
    "crack_time":23.4,
    "calc_time":0.070505857467651,
    "password":"XYZ123",
    "entropy":13.192292814471,
    "match_sequence": [ {
            "sequenceName":"upper",
            "sequenceSpace":26,
            "ascending":true,
            "password":"XYZ123",
            "begin":0,"end":4,
            "token":"XYZ12",
            "pattern":"sequence",
            "entropy":null,
            "cardinality":null
        }, {
            "password":"XYZ123",
            "begin":5,"end":5,
            "token":"3",
            "pattern":"bruteforce",
            "entropy":5.1699250014423,
            "cardinality":36
        } ],
    "score":0
}

JS:

{
    "password":"XYZ123",
    "entropy":9.87,
    "match_sequence":[ {
        "pattern":"sequence",
        "i":0,"j":2,
        "token":"XYZ",
        "sequence_name":"upper",
        "sequence_space":26,
        "ascending":true,
        "entropy":7.285402218862249
    }, {
        "pattern":"sequence",
        "i":3,"j":5,
        "token":"123",
        "sequence_name":"digits",
        "sequence_space":11,
        "ascending":true,
        "entropy":2.584962500721156
    } ],
    "crack_time":0.047,
    "crack_time_display":"instant",
    "score":0,
    "calc_time":2
}

Password: abc213456de

Here the PHP version considers the entropy lower, likely a result of mistakenly combining the distinct tokens "abc" and "de" into a single token (it then swallows "21" and repeats "de").

PHP:

{
    "crack_time":1296,
    "calc_time":0.075468063354492,
    "password":"abc213456de",
    "entropy":18.983706192659,
    "match_sequence": [ {
        "sequenceName":"lower",
        "sequenceSpace":26,
        "ascending":true,
        "password":"abc213456de",
        "begin":0,"end":4,
        "token":"abcde",
        "pattern":"sequence",
        "entropy":null,
        "cardinality":null
    }, {
        "sequenceName":"digits",
        "sequenceSpace":10,
        "ascending":true,
        "password":"abc213456de",
        "begin":5,"end":8,
        "token":"3456",
        "pattern":"sequence",
        "entropy":null,
        "cardinality":null
    }, {
        "password":"abc213456de",
        "begin":9,"end":10,
        "token":"de",
        "pattern":"bruteforce",
        "entropy":10.339850002885,
        "cardinality":36
    } ],
    "score":1
}

JS:

{
    "password":"abc213456de",
    "entropy":25.417,
    "match_sequence": [ {
        "pattern":"sequence",
        "i":0,"j":2,
        "token":"abc",
        "sequence_name":"lower",
        "sequence_space":26,
        "ascending":true,
        "entropy":2.584962500721156
    }, {
        "pattern":"bruteforce",
        "i":3,"j":3,
        "token":"2",
        "entropy":5.169925001442312,
        "cardinality":36
    }, {
        "pattern":"dictionary",
        "i":4,"j":4,
        "token":"1",
        "matched_word":"i",
        "rank":2,
        "dictionary_name":"english",
        "l33t":true,
        "sub":{"1":"i"},
        "sub_display":"1 -> i",
        "base_entropy":1,
        "uppercase_entropy":0,
        "l33t_entropy":1,
        "entropy":2
    }, {
        "pattern":"sequence",
        "i":5,"j":8,
        "token":"3456",
        "sequence_name":"digits",
        "sequence_space":11,
        "ascending":true,
        "entropy":5.321928094887363
    }, {
        "pattern":"bruteforce",
        "i":9,"j":10,
        "token":"de",
        "entropy":10.339850002884624,
        "cardinality":36
    } ],
    "crack_time":2239.488,
    "crack_time_display":"39 minutes",
    "score":1,
    "calc_time":1
}

extremely long passwords cause factorial in scorer to return a float and throw error

Using the attached test file a password larger than 219 characters and smaller than 670 characters causes the passwordStrength function to throw an error

ZxcvbnPhp\\Scorer::factorial(): Return value must be of type int, float returned

To run the test, use the attached file:
php roc-554-password-complexity-open-source.php.txt > test.stdout.txt

Running progress of the test will be seen on the stderr.

Output of the test file, before and after the obvious fix, including a diff shows that changing int to float works fine.
Obviously there is a limit where the runtime will be too long and/or the factorial will return INF or NAN or something like that.

roc-554-password-complexity-open-source.php.txt
roc-554-password-complexity-open-source.issue.1.txt
roc-554-password-complexity-open-source.issue.2.txt
roc-554-password-complexity-open-source.issue.diff.txt
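Three reports on this page (the intdiv() TypeError on 32-bit, the factorial() int return type, and the overflow above 219 characters) share one root cause: integer arithmetic silently becoming float. The following is an added example, not zxcvbn-php's own Scorer or BaseMatch code, of factorial and binomial helpers that detect the overflow point themselves and switch representation explicitly. It assumes PHP 8.0+ for the int|float union return type; the test identities at the end mirror the Pascal and mirror checks named in the failing test output above.

```php
<?php
// Added example (not zxcvbn-php's own code): factorial and binomial helpers
// that stay exact integers while the value fits PHP_INT_MAX and otherwise
// degrade to float explicitly, so neither an int return type nor intdiv()
// ever receives a float unexpectedly. Needs PHP 8.0+ for the union return type.

/** n! as int while representable (PHP_INT_MAX is 2^31-1 on 32-bit), float beyond that. */
function factorial(int $n): int|float
{
    if ($n < 0) {
        throw new InvalidArgumentException('factorial of a negative number');
    }
    $result = 1;
    for ($i = 2; $i <= $n; $i++) {
        // Switch to float one step before int multiplication would overflow.
        if (is_int($result) && $result > intdiv(PHP_INT_MAX, $i)) {
            $result = (float) $result;
        }
        $result *= $i;
    }
    return $result;
}

/** C(n, k) by the multiplicative formula; every intermediate value is an integer. */
function binomial(int $n, int $k): int|float
{
    if ($k < 0 || $k > $n) {
        return 0;
    }
    $k = min($k, $n - $k);          // C(n,k) == C(n,n-k): fewer iterations
    $result = 1;
    for ($i = 1; $i <= $k; $i++) {
        $numerator = $n - $k + $i;
        if (is_int($result) && $result <= intdiv(PHP_INT_MAX, $numerator)) {
            // Exact: result * numerator is divisible by i at this step.
            $result = intdiv($result * $numerator, $i);
        } else {
            // Past the int range: continue in float and never hand it to intdiv().
            $result = (float) $result * $numerator / $i;
        }
    }
    return $result;
}

/** The two identities the 32-bit test failures above were checking. */
function pascalIdentityHolds(int $n, int $k): bool
{
    return binomial($n, $k) == binomial($n - 1, $k - 1) + binomial($n - 1, $k);
}

function mirrorIdentityHolds(int $n, int $k): bool
{
    return binomial($n, $k) == binomial($n, $n - $k);
}

foreach ([[20, 10], [30, 15], [60, 30], [100, 50]] as [$n, $k]) {
    $c = binomial($n, $k);
    printf("C(%d,%d) = %s (%s) pascal=%s mirror=%s\n", $n, $k, $c,
        is_int($c) ? 'exact int' : 'float',
        pascalIdentityHolds($n, $k) ? 'ok' : 'FAIL',
        mirrorIdentityHolds($n, $k) ? 'ok' : 'FAIL');
}
foreach ([12, 20, 25, 170] as $n) {
    $f = factorial($n);
    printf("%d! = %s (%s)\n", $n, $f, is_int($f) ? 'exact int' : 'float');
}
```

The behaviour is the same on 32-bit and 64-bit builds; only the point at which a result turns into a float moves, which is exactly the property the failing identity tests needed.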

Correct usage in WordPress

WordPress uses Dropbox's Zxcvbn Javascript lib for its strength meter. I'm forcing password strength related to that meter and need a server side version of the same lib so here I am. To get the Zxcvbn strength of a password in a WordPress plugin I am doing the following. It seems like there should be a better way but I'm unable to install the document in the way explained in the documentation

<?php

require 'src/ScorerInterface.php';
require 'src/Scorer.php';
require 'src/Searcher.php';
require 'src/Matcher.php';
require 'src/Zxcvbn.php';
require 'src/Matchers/MatchInterface.php';
require 'src/Matchers/Match.php';
require 'src/Matchers/DigitMatch.php';
require 'src/Matchers/DictionaryMatch.php';
require 'src/Matchers/SequenceMatch.php';
require 'src/Matchers/Bruteforce.php';
require 'src/Matchers/YearMatch.php';
require 'src/Matchers/SpatialMatch.php';
require 'src/Matchers/RepeatMatch.php';
require 'src/Matchers/L33tMatch.php';
require 'src/Matchers/DateMatch.php';

$new = new \ZxcvbnPhp\Zxcvbn();
print_r($new->passwordStrength('T#\$£9'));

log() expects parameter to be double, string given

When I started to pass in my user input, I'm getting the following error

log() expects parameter to be double, string given

Here is the stacktrace

log() expects parameter 1 to be double, string given
 /project/vendor/bjeavons/zxcvbn-php/src/ZxcvbnPhp/Matchers/Match.php:202
 /project/vendor/bjeavons/zxcvbn-php/src/ZxcvbnPhp/Matchers/DictionaryMatch.php:68
 /project/vendor/bjeavons/zxcvbn-php/src/ZxcvbnPhp/Searcher.php:47
 /project/vendor/bjeavons/zxcvbn-php/src/ZxcvbnPhp/Zxcvbn.php:56

This is the code in Match.php:

protected function log($number)
{
    echo $number;
    return log($number, 2);
}

My user data array looks like this:

Array
(
    [0] => SteveEdson
    [1] => Steve Edson
)

But the value of the $number variable is 559120719120713561135611SteveEdson

Have I done anything wrong, or is this a bug?

My full code is

$zxcvbn = new Zxcvbn();

$strength = $zxcvbn->passwordStrength($password, [
    $username,
    $full_name
]);

Thanks.

PHP 7.1.3: error "[] operator not supported for strings"

Since PHP 7.1.3: this code doesn't work:

$zxcvbn = new Zxcvbn();
$strength = $zxcvbn->passwordStrength("secret");

Error message: "[] operator not supported for strings"

Trace:
bjeavons\zxcvbn-php\src\ZxcvbnPhp\Matchers\L33tMatch.php:55
bjeavons\zxcvbn-php\src\ZxcvbnPhp\Matcher.php:27
bjeavons\zxcvbn-php\src\ZxcvbnPhp\Zxcvbn.php:53

[feature] Add Timeout for long execution

Hello,

I'm scanning all my passwords with this lib. But some of them are tokens/keys, which are quite long.
Analyzing them can sometimes take more than 30min.

Could you add timeout parameter? or a check for length ?

Thanks a lot.

[feature] Dictionary location

Hello,

Dictionary location is hard-coded in code.
As I'm using composer to install/update, I can't update it.
Could you please allow a parameter to be able to specify dictionary location?

thanks

score 0 but no warning

I don't know if this is a bug or my misunderstanding of the comment in the example, 'echo $weak['feedback']['warning']; // will print user-facing feedback on the password, set only when score <= 2', but I tested with a dictionary word and got back a score of 0 with no warning set:

'''
Feb 18 11:43:13 admin php: [password] => everything
...
Feb 18 11:43:13 admin php: [sequence] => Array
Feb 18 11:43:13 admin php: (
Feb 18 11:43:13 admin php: [0] => ZxcvbnPhp\Matchers\DictionaryMatch Object
Feb 18 11:43:13 admin php: (
Feb 18 11:43:13 admin php: [pattern] => dictionary
Feb 18 11:43:13 admin php: [dictionaryName] => us_tv_and_film
Feb 18 11:43:13 admin php: [rank] => 123
Feb 18 11:43:13 admin php: [matchedWord] => everything
Feb 18 11:43:13 admin php: [reversed] =>
Feb 18 11:43:13 admin php: [l33t] =>
Feb 18 11:43:13 admin php: [password] => everything
Feb 18 11:43:13 admin php: [begin] => 0
Feb 18 11:43:13 admin php: [end] => 9
Feb 18 11:43:13 admin php: [token] => everything
Feb 18 11:43:13 admin php: )
Feb 18 11:43:13 admin php:
Feb 18 11:43:13 admin php: )
...
Feb 18 11:43:13 admin php: [score] => 0
Feb 18 11:43:13 admin php: [feedback] => Array
Feb 18 11:43:13 admin php: (
Feb 18 11:43:13 admin php: [warning] =>
Feb 18 11:43:13 admin php: [suggestions] => Array
Feb 18 11:43:13 admin php: (
Feb 18 11:43:13 admin php: [0] => Add another word or two. Uncommon words are better.
Feb 18 11:43:13 admin php: )
Feb 18 11:43:13 admin php:
Feb 18 11:43:13 admin php: )
'''

In our project I made the error to check if feedback warning was set as an indication of a score <= 2, so this allowed bypassing the dictionary check - clearly my error, but maybe is a condition that wasn't supposed to happen?

Discrepancy with original Dropbox JS library

The phrase nothingtoshare scores a 3 on the JS library (can check with https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html). However, this version gives a score of 0:

$strength = {array} [6]
 crack_time = 18.85575
 calc_time = 0.031842947006226
 password = "nothingtoshare"
 entropy = 18.524645010213
 match_sequence = {array} [3]
 score = 0

Similarly n0th1ngt0sh@re also scores 3, but only a 1 here:

$strength = {array} [6]
 crack_time = 509.10525
 calc_time = 0.059408903121948
 password = "n0th1ngt0sh@re"
 entropy = 23.279532512376
 match_sequence = {array} [3]
  0 = {ZxcvbnPhp\Matchers\L33tMatch} [13]
   sub = {array} [3]
   subDisplay = "0 -> o, 1 -> i, 0 -> o, @ -> a"
   l33t = true
   dictionaryName = "english"
   rank = 155
   matchedWord = "nothing"
   password = "n0th1ngt0sh@re"
   begin = 0
   end = 6
   token = "n0th1ng"
   pattern = "dictionary"
   entropy = null
   cardinality = null
  1 = {ZxcvbnPhp\Matchers\L33tMatch} [13]
  2 = {ZxcvbnPhp\Matchers\L33tMatch} [13]
 score = 1

Not sure if the issue is here or with the DropBox lib.

Ability to disable DictionaryMatch as customization

Hi,

Would like to know if we can disable Dictionary Match as an optional customization?
I tried disabling it by commenting the invocation of Matchers\DictionaryMatch::class, in getMatchers() function of Matcher.php file.
Just wanted to know if there's another option or this is the only one I could use here?

Note: I don't want to alter contents of ranked_frequency_lists.json file.

DOS Exploit

Hey, just wanted to let you know I've gotten reports from users of my library Nbvcxz that are getting a DOS every so often by specifically crafted passwords.

I even found a tool created by a government contractor used for issuing a DOS against programs using libraries containing the vulnerable (to combination explosion) algorithms from the original zxcvbn implementation:

https://github.com/twosixlabs/acsploit
GoSimpleLLC/nbvcxz#60

I'd take a look at some of the work another implementation did to improve things: formigarafa/zxcvbn-rb#7
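The timeout request, the factorial overflow on 200+ character input and this report all describe the same exposure: the client chooses the input length and therefore the matcher cost. The following is an added example, not zxcvbn-php's own code, of a wrapper that caps the scored length and measures each call against a time budget. The 128-character cap and the 0.5 s budget are assumed values to tune per deployment; it needs PHP 8.0+ (constructor promotion, hrtime()) and the mbstring extension, and the sample inputs are constructed.

```php
<?php
// Added example, not zxcvbn-php's own code: a wrapper that bounds the work the
// estimator does per request. The length cap and the time budget are assumed
// values to tune per deployment. Needs PHP 8.0+ and mbstring.
require_once 'vendor/autoload.php';

use ZxcvbnPhp\Zxcvbn;

final class BoundedStrengthCheck
{
    public function __construct(
        private Zxcvbn $zxcvbn,
        private int $maxLength = 128,       // assumed cap, in characters
        private float $budgetSeconds = 0.5  // assumed wall-clock budget per call
    ) {
    }

    /**
     * Scores at most the first $maxLength characters. That is conservative:
     * a longer string is never easier to guess than its prefix, so a weak
     * prefix is still rejected, while matcher cost no longer grows with
     * whatever length the client chose to send.
     */
    public function check(string $password, array $userInputs = []): array
    {
        $truncated = mb_strlen($password) > $this->maxLength;
        if ($truncated) {
            $password = mb_substr($password, 0, $this->maxLength);
        }

        $start = hrtime(true);
        $result = $this->zxcvbn->passwordStrength($password, $userInputs);
        $elapsed = (hrtime(true) - $start) / 1e9;

        $result['bounded'] = [
            'truncated'       => $truncated,
            'scored_length'   => mb_strlen($password),
            'elapsed_seconds' => $elapsed,
            'over_budget'     => $elapsed > $this->budgetSeconds,
        ];

        if ($result['bounded']['over_budget']) {
            // Worth an alert: a slow call on capped input means either the cap is
            // too generous or a matcher has a pathological case to report upstream.
            error_log(sprintf('zxcvbn took %.3fs on %d chars (budget %.3fs)',
                $elapsed, mb_strlen($password), $this->budgetSeconds));
        }
        return $result;
    }
}

$checker = new BoundedStrengthCheck(new Zxcvbn());

// Constructed inputs: a normal passphrase and a 400-character key-like string
// of the kind the timeout request above describes.
$samples = ['correct horse battery staple', str_repeat('aB3$', 100)];
foreach ($samples as $sample) {
    $r = $checker->check($sample);
    printf("len=%3d scored=%3d truncated=%-3s score=%d elapsed=%.3fs\n",
        mb_strlen($sample), $r['bounded']['scored_length'],
        $r['bounded']['truncated'] ? 'yes' : 'no',
        $r['score'], $r['bounded']['elapsed_seconds']);
}
```

The cap is the actual control; the timing is instrumentation. A call that still blows the budget on capped input is a signal to lower the cap and to report the input shape (never the input itself) as a bug, which is the defensive counterpart of the issue tracker entries above.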
