bjeavons / zxcvbn-php
Realistic PHP password strength estimate library based on Zxcvbn JS
License: MIT License
There is a conflict with a new PHP8 reserved word match
bjeavons/zxcvbn-php/src/Matchers/DateMatch.php
We would like to be able to blacklist custom words, such as the name of the website on which this is being used.
Using the attached test file a password larger than 219 characters and smaller than 670 characters causes the passwordStrength function to throw an error
ZxcvbnPhp\\Scorer::factorial(): Return value must be of type int, float returned
To run the test, use the attached file:
php roc-554-password-complexity-open-source.php.txt > test.stdout.txt
Running progress of the test will be seen on the stderr.
Output of the test file, before and after the obvious fix, including a diff shows that changing int to float works fine.
Obviously there is a limit where the runtime will be too long and/or the factorial will return INF or NAN or something like that.
roc-554-password-complexity-open-source.php.txt
roc-554-password-complexity-open-source.issue.1.txt
roc-554-password-complexity-open-source.issue.2.txt
roc-554-password-complexity-open-source.issue.diff.txt
Hi! I'm using your package as a dependency for olssonm/l5-zxcvbn.
I just updated it to include v0.2.0 and some other fixes. When I ran the tests in Travis upon the PR, I noticed that zxcvbn-php caused an error in PHP 7 nightly. Older versions (including PHP 7) passed flawlessly.
Now, I haven't found anything that indicates that the nightly version has changed anything on how arrays in strings are handled, might just be a bug in the nightly version that will be patched later on. Just thought that I should give you a heads up if this causes any issues in the future.
The error is thrown at https://github.com/bjeavons/zxcvbn-php/blob/master/src/Matchers/L33tMatch.php#L55
The error:
Error: [] operator not supported for strings
See https://travis-ci.org/olssonm/l5-zxcvbn/jobs/173946497 for the complete test suite.
Keep up the good work!
WordPress uses Dropbox's Zxcvbn Javascript lib for its strength meter. I'm forcing password strength related to that meter and need a server side version of the same lib so here I am. To get the Zxcvbn strength of a password in a WordPress plugin I am doing the following. It seems like there should be a better way but I'm unable to install the document in the way explained in the documentation
<?php
require 'src/ScorerInterface.php';
require 'src/Scorer.php';
require 'src/Searcher.php';
require 'src/Matcher.php';
require 'src/Zxcvbn.php';
require 'src/Matchers/MatchInterface.php';
require 'src/Matchers/Match.php';
require 'src/Matchers/DigitMatch.php';
require 'src/Matchers/DictionaryMatch.php';
require 'src/Matchers/SequenceMatch.php';
require 'src/Matchers/Bruteforce.php';
require 'src/Matchers/YearMatch.php';
require 'src/Matchers/SpatialMatch.php';
require 'src/Matchers/RepeatMatch.php';
require 'src/Matchers/L33tMatch.php';
require 'src/Matchers/DateMatch.php';
$new = new \ZxcvbnPhp\Zxcvbn();
print_r($new->passwordStrength('T#\$£9'));
There should be ^0.1 instead of * in the installation instructions.
e.g. for compiling dictionary lists
The phrase nothingtoshare scores a 3 on the JS library (can check with https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html). However, this version gives a score of 0:
$strength = {array} [6]
crack_time = 18.85575
calc_time = 0.031842947006226
password = "nothingtoshare"
entropy = 18.524645010213
match_sequence = {array} [3]
score = 0
Similarly n0th1ngt0sh@re also scores 3, but only a 1 here:
$strength = {array} [6]
crack_time = 509.10525
calc_time = 0.059408903121948
password = "n0th1ngt0sh@re"
entropy = 23.279532512376
match_sequence = {array} [3]
0 = {ZxcvbnPhp\Matchers\L33tMatch} [13]
sub = {array} [3]
subDisplay = "0 -> o, 1 -> i, 0 -> o, @ -> a"
l33t = true
dictionaryName = "english"
rank = 155
matchedWord = "nothing"
password = "n0th1ngt0sh@re"
begin = 0
end = 6
token = "n0th1ng"
pattern = "dictionary"
entropy = null
cardinality = null
1 = {ZxcvbnPhp\Matchers\L33tMatch} [13]
2 = {ZxcvbnPhp\Matchers\L33tMatch} [13]
score = 1
Not sure if the issue is here or with the DropBox lib.
Zxcvbn#passwordStrength $userInputs is not yet used
Hello maintainers,
I've been working on a symfony bundle that enables localization and tagging matchers in symfony.
How do you feel about referencing https://github.com/createnl/zxcvbn-bundle in the readme for people that use symfony?
This can be assigned to me.
When I started to pass in my user input, I'm getting the following error
log() expects parameter to be double, string given
Here is the stacktrace
log() expects parameter 1 to be double, string given
/project/vendor/bjeavons/zxcvbn-php/src/ZxcvbnPhp/Matchers/Match.php:202
/project/vendor/bjeavons/zxcvbn-php/src/ZxcvbnPhp/Matchers/DictionaryMatch.php:68
/project/vendor/bjeavons/zxcvbn-php/src/ZxcvbnPhp/Searcher.php:47
/project/vendor/bjeavons/zxcvbn-php/src/ZxcvbnPhp/Zxcvbn.php:56
This is the code in Match.php:
protected function log($number)
{
echo $number;
return log($number, 2);
}
My user data array looks like this:
Array
(
[0] => SteveEdson
[1] => Steve Edson
)
But the value of the $number variable is 559120719120713561135611SteveEdson
Have I done anything wrong, or is this a bug?
My full code is
$zxcvbn = new Zxcvbn();
$strength = $zxcvbn->passwordStrength($password, [
$username,
$full_name
]);
Thanks.
Bruteforce isn't loaded in Matcher::getMatchers() so could have improved documentation of the relationship with other Match objects. Also, documentation on autoload is out of date.
L33tMatch.php defines $l33t array twice
Improve l33tEntropy() documentation in relation to its use with entropy of non-substituted characters.
Confirm test documentation is correct. e.g. DateTest.php "YearMatch will match this."
Hi,
Related to PR #63, I would be glad to see the following keyboard layouts:
But my knowledge for generating the adjacency_graphs.json file is very limited.
Can you tell me how to compute such a file and help me add those layouts?
Or maybe someone could handle that?
Many thanks
Uncaught Exception TypeError: "Return value of ZxcvbnPhp\Scorer::factorial() must be of the type int, float returned" at /zxcvbn-php/src/Scorer.php line 272
Version 1.3.1
Modify spatial match to support azerty keyboard for french users
At least 2 tests are failing on 32-bit computer
There were 2 errors:
1) ZxcvbnPhp\Test\Matchers\MatchTest::testBinomialMirrorIdentity
TypeError: intdiv(): Argument #1 ($num1) must be of type int, float given
/builddir/build/BUILDROOT/php-bjeavons-zxcvbn-php-1.3.0-1.fc35.noarch/usr/share/php/ZxcvbnPhp/Matchers/BaseMatch.php:158
/builddir/build/BUILDROOT/php-bjeavons-zxcvbn-php-1.3.0-1.fc35.noarch/usr/share/php/ZxcvbnPhp/Matchers/BaseMatch.php:130
/builddir/build/BUILD/zxcvbn-php-5268743bffbb8cd182c98a4e79d6ed87004a6621/test/Matchers/MatchTest.php:50
2) ZxcvbnPhp\Test\Matchers\MatchTest::testBinomialPascalsTriangleIdentity
TypeError: intdiv(): Argument #1 ($num1) must be of type int, float given
/builddir/build/BUILDROOT/php-bjeavons-zxcvbn-php-1.3.0-1.fc35.noarch/usr/share/php/ZxcvbnPhp/Matchers/BaseMatch.php:158
/builddir/build/BUILDROOT/php-bjeavons-zxcvbn-php-1.3.0-1.fc35.noarch/usr/share/php/ZxcvbnPhp/Matchers/BaseMatch.php:130
/builddir/build/BUILD/zxcvbn-php-5268743bffbb8cd182c98a4e79d6ed87004a6621/test/Matchers/MatchTest.php:62
ERRORS!
PHP 7.2 has added the ability to use the Argon2i hashing method as an alternative to Bcrypt, with PHP 7.3 planning to use Argon2i as the default hashing method.
Currently, Zxcvbn scores password crack times by assuming that Bcrypt has been used.
There are some changes that would help Zxcvbn deal with this new generation of hashing.
Easiest change would be allowing optional SINGLE_GUESS and NUM_ATTACKERS overrides to the score function that gets passed to calcCrackTime. If calcCrackTime sees the overrides, it'll use that info instead of the SINGLE_GUESS and NUM_ATTACKERS constants.
The other option would be the ability to pass a hash method name to score, like score($entropy, 'bcrypt') or score($entropy, 'argon2i'), and it can pick the appropriate constants automatically.
As a developer
I want to be able to identify the reason for a low score using a concise string which will never change
So that I can communicate the feedback to my users in way which is more consistent with my application/brand tone of voice/localisation requirements
If a consistent response code was part of the response array, this would allow developers to map this to localisation maps and create validation messages which flow in a way that better suits their application. This is different to the feedback warnings currently returned which aren't guaranteed to not change in style/content (and so can't be mapped directly without risking breaking functionality with future updates).
Example:
[
'password' =>'hannah2021',
'guesses' => 2.13811968952E+20,
'guesses_log10' =>20.330032012867,
'sequence' => [...],
'crack_times_seconds' => [...],
'crack_times_display' => [...],
'score' => 4,
'feedback' => [
'warning' => 'Dates are often easy to guess',
'suggestion' => [...],
'code' => 'guessable_dates',
],
'calc_time' => 0.0208580493927,
]
Which would allow mapping to languages:
translate(sprintf('en.%s', $response['feedback']['code']));
Or mapping to custom messages:
private $map = [
'guessable_dates' => 'Increase the complexity of your password or consider omitting dates from it.',
];
public function message(array $response)
{
return $this->map[$response['feedback']['code']];
}
E.g.:
Here the PHP version overestimates the entropy, mistaking the distinct sequences "XYZ" and "123" for "XYZ12" and "3".
PHP:
{
"crack_time":23.4,
"calc_time":0.070505857467651,
"password":"XYZ123",
"entropy":13.192292814471,
"match_sequence": [ {
"sequenceName":"upper",
"sequenceSpace":26,
"ascending":true,
"password":"XYZ123",
"begin":0,"end":4,
"token":"XYZ12",
"pattern":"sequence",
"entropy":null,
"cardinality":null
}, {
"password":"XYZ123",
"begin":5,"end":5,
"token":"3",
"pattern":"bruteforce",
"entropy":5.1699250014423,
"cardinality":36
} ],
"score":0
}
JS:
{
"password":"XYZ123",
"entropy":9.87,
"match_sequence":[ {
"pattern":"sequence",
"i":0,"j":2,
"token":"XYZ",
"sequence_name":"upper",
"sequence_space":26,
"ascending":true,
"entropy":7.285402218862249
}, {
"pattern":"sequence",
"i":3,"j":5,
"token":"123",
"sequence_name":"digits",
"sequence_space":11,
"ascending":true,
"entropy":2.584962500721156
} ],
"crack_time":0.047,
"crack_time_display":"instant",
"score":0,
"calc_time":2
}
Here the PHP version considers the entropy lower, likely a result of mistakenly combining the distinct tokens "abc" and "de" into a single token (it then swallows "21" and repeats "de").
PHP:
{
"crack_time":1296,
"calc_time":0.075468063354492,
"password":"abc213456de",
"entropy":18.983706192659,
"match_sequence": [ {
"sequenceName":"lower",
"sequenceSpace":26,
"ascending":true,
"password":"abc213456de",
"begin":0,"end":4,
"token":"abcde",
"pattern":"sequence",
"entropy":null,
"cardinality":null
}, {
"sequenceName":"digits",
"sequenceSpace":10,
"ascending":true,
"password":"abc213456de",
"begin":5,"end":8,
"token":"3456",
"pattern":"sequence",
"entropy":null,
"cardinality":null
}, {
"password":"abc213456de",
"begin":9,"end":10,
"token":"de",
"pattern":"bruteforce",
"entropy":10.339850002885,
"cardinality":36
} ],
"score":1
}
JS:
{
"password":"abc213456de",
"entropy":25.417,
"match_sequence": [ {
"pattern":"sequence",
"i":0,"j":2,
"token":"abc",
"sequence_name":"lower",
"sequence_space":26,
"ascending":true,
"entropy":2.584962500721156
}, {
"pattern":"bruteforce",
"i":3,"j":3,
"token":"2",
"entropy":5.169925001442312,
"cardinality":36
}, {
"pattern":"dictionary",
"i":4,"j":4,
"token":"1",
"matched_word":"i",
"rank":2,
"dictionary_name":"english",
"l33t":true,
"sub":{"1":"i"},
"sub_display":"1 -> i",
"base_entropy":1,
"uppercase_entropy":0,
"l33t_entropy":1,
"entropy":2
}, {
"pattern":"sequence",
"i":5,"j":8,
"token":"3456",
"sequence_name":"digits",
"sequence_space":11,
"ascending":true,
"entropy":5.321928094887363
}, {
"pattern":"bruteforce",
"i":9,"j":10,
"token":"de",
"entropy":10.339850002884624,
"cardinality":36
} ],
"crack_time":2239.488,
"crack_time_display":"39 minutes",
"score":1,
"calc_time":1
}
Will those features that are added the last 4 years to the original version also be added to this one?
zxcvbn.js: 4.4.2
zxcvbn-php: 0.4.0
zxcvbn.js (score: 2)
{
"password":"helloworldhello",
"guesses":2132808,
"guesses_log10":6.328951761078288,
"sequence":[
{
"pattern":"dictionary",
"i":0,
"j":9,
"token":"helloworld",
"matched_word":"helloworld",
"rank":12788,
"dictionary_name":"passwords",
"reversed":false,
"l33t":false,
"base_guesses":12788,
"uppercase_variations":1,
"l33t_variations":1,
"guesses":12788,
"guesses_log10":4.10680262759965
},
{
"pattern":"dictionary",
"i":10,
"j":14,
"token":"hello",
"matched_word":"hello",
"rank":83,
"dictionary_name":"passwords",
"reversed":false,
"l33t":false,
"base_guesses":83,
"uppercase_variations":1,
"l33t_variations":1,
"guesses":83,
"guesses_log10":1.919078092376074
}
],
"calc_time":4,
"crack_times_seconds":{
"online_throttling_100_per_hour":76781088,
"online_no_throttling_10_per_second":213280.8,
"offline_slow_hashing_1e4_per_second":213.2808,
"offline_fast_hashing_1e10_per_second":0.0002132808
},
"crack_times_display":{
"online_throttling_100_per_hour":"2 years",
"online_no_throttling_10_per_second":"2 days",
"offline_slow_hashing_1e4_per_second":"4 minutes",
"offline_fast_hashing_1e10_per_second":"less than a second"
},
"score":2,
"feedback":{
"warning":"",
"suggestions":[
"Add another word or two. Uncommon words are better."
]
}
}
zxcvbn-php (score: 0)
{
"crack_time":41.990400000000086,
"calc_time":0.020023107528686523,
"password":"helloworldhello",
"entropy":19.679700005769252,
"match_sequence":[
{
"dictionaryName":"passwords",
"rank":54,
"matchedWord":"hello",
"password":"helloworldhello",
"begin":0,
"end":4,
"token":"hello",
"pattern":"dictionary",
"entropy":null,
"cardinality":null
},
{
"dictionaryName":"english",
"rank":288,
"matchedWord":"world",
"password":"helloworldhello",
"begin":5,
"end":9,
"token":"world",
"pattern":"dictionary",
"entropy":null,
"cardinality":null
},
{
"dictionaryName":"passwords",
"rank":54,
"matchedWord":"hello",
"password":"helloworldhello",
"begin":10,
"end":14,
"token":"hello",
"pattern":"dictionary",
"entropy":null,
"cardinality":null
}
],
"score":0
}
zxcvbn.js (score: 3)
{
"password":"hellodoublestatus",
"guesses":399869704,
"guesses_log10":8.601918501197677,
"sequence":[
{
"pattern":"dictionary",
"i":0,
"j":4,
"token":"hello",
"matched_word":"hello",
"rank":83,
"dictionary_name":"passwords",
"reversed":false,
"l33t":false,
"base_guesses":83,
"uppercase_variations":1,
"l33t_variations":1,
"guesses":83,
"guesses_log10":1.919078092376074
},
{
"pattern":"dictionary",
"i":5,
"j":10,
"token":"double",
"matched_word":"double",
"rank":834,
"dictionary_name":"english_wikipedia",
"reversed":false,
"l33t":false,
"base_guesses":834,
"uppercase_variations":1,
"l33t_variations":1,
"guesses":834,
"guesses_log10":2.9211660506377384
},
{
"pattern":"dictionary",
"i":11,
"j":16,
"token":"status",
"matched_word":"status",
"rank":722,
"dictionary_name":"english_wikipedia",
"reversed":false,
"l33t":false,
"base_guesses":722,
"uppercase_variations":1,
"l33t_variations":1,
"guesses":722,
"guesses_log10":2.8585371975696385
}
],
"calc_time":4,
"crack_times_seconds":{
"online_throttling_100_per_hour":14395309344,
"online_no_throttling_10_per_second":39986970.4,
"offline_slow_hashing_1e4_per_second":39986.9704,
"offline_fast_hashing_1e10_per_second":0.0399869704
},
"crack_times_display":{
"online_throttling_100_per_hour":"centuries",
"online_no_throttling_10_per_second":"1 year",
"offline_slow_hashing_1e4_per_second":"11 hours",
"offline_fast_hashing_1e10_per_second":"less than a second"
},
"score":3,
"feedback":{
"warning":"",
"suggestions":[
]
}
}
zxcvbn-php (score: 1)
{
"crack_time":8618.50259999999,
"calc_time":0.020722150802612305,
"password":"hellodoublestatus",
"entropy":27.360933897886632,
"match_sequence":[
{
"dictionaryName":"passwords",
"rank":54,
"matchedWord":"hello",
"password":"hellodoublestatus",
"begin":0,
"end":4,
"token":"hello",
"pattern":"dictionary",
"entropy":null,
"cardinality":null
},
{
"dictionaryName":"english",
"rank":1006,
"matchedWord":"double",
"password":"hellodoublestatus",
"begin":5,
"end":10,
"token":"double",
"pattern":"dictionary",
"entropy":null,
"cardinality":null
},
{
"dictionaryName":"english",
"rank":3173,
"matchedWord":"status",
"password":"hellodoublestatus",
"begin":11,
"end":16,
"token":"status",
"pattern":"dictionary",
"entropy":null,
"cardinality":null
}
],
"score":1
}
I periodically log a PHP warning being generated by the L33tMatch matcher. Unfortunately the input being passed in that triggers the warning isn't logged (given its use as a password) but I was able to walk through the debugger and at least catch that the $sub array is being set to null when using the default constructor for Zxcvbn where it handles creating all of its own matchers internally.
PHP version: 8.0.8
Error message: foreach() argument must be of type array|object, null given in .../vendor/bjeavons/zxcvbn-php/src/Matchers/L33tMatch.php on line 214
It's attempting to do a foreach on a null $sub variable which by default should be an empty array but is being set to null in the constructor on line 93:
$this->sub = isset($params['sub']) ? $params['sub'] : null;
A quick screenshot of the debugger state after that line executes:
I'm happy to submit a pull request with a simple fix of replacing the null with [] but wasn't sure if that would break anything.
I don't know if this is a bug or my misunderstanding of the comment in the example, 'echo $weak['feedback']['warning']; // will print user-facing feedback on the password, set only when score <= 2', but I tested with a dictionary word and got back a score of 0 with no warning set:
'''
Feb 18 11:43:13 admin php: [password] => everything
...
Feb 18 11:43:13 admin php: [sequence] => Array
Feb 18 11:43:13 admin php: (
Feb 18 11:43:13 admin php: [0] => ZxcvbnPhp\Matchers\DictionaryMatch Object
Feb 18 11:43:13 admin php: (
Feb 18 11:43:13 admin php: [pattern] => dictionary
Feb 18 11:43:13 admin php: [dictionaryName] => us_tv_and_film
Feb 18 11:43:13 admin php: [rank] => 123
Feb 18 11:43:13 admin php: [matchedWord] => everything
Feb 18 11:43:13 admin php: [reversed] =>
Feb 18 11:43:13 admin php: [l33t] =>
Feb 18 11:43:13 admin php: [password] => everything
Feb 18 11:43:13 admin php: [begin] => 0
Feb 18 11:43:13 admin php: [end] => 9
Feb 18 11:43:13 admin php: [token] => everything
Feb 18 11:43:13 admin php: )
Feb 18 11:43:13 admin php:
Feb 18 11:43:13 admin php: )
...
Feb 18 11:43:13 admin php: [score] => 0
Feb 18 11:43:13 admin php: [feedback] => Array
Feb 18 11:43:13 admin php: (
Feb 18 11:43:13 admin php: [warning] =>
Feb 18 11:43:13 admin php: [suggestions] => Array
Feb 18 11:43:13 admin php: (
Feb 18 11:43:13 admin php: [0] => Add another word or two. Uncommon words are better.
Feb 18 11:43:13 admin php: )
Feb 18 11:43:13 admin php:
Feb 18 11:43:13 admin php: )
'''
In our project I made the error of checking whether the feedback warning was set as an indication of a score <= 2, so this allowed bypassing the dictionary check - clearly my error, but maybe it is a condition that wasn't supposed to happen?
Hello!
Thank you for the great work with this library!
I'm wondering how to add a dictionary of common words (or common names) of another language than English? How should it be formatted? File format? How to implement?
Could additional language check be a new feature?
When using the library with PHP 7.1, I get this error:
PHP Fatal error: Uncaught Error: [] operator not supported for strings in /home/webuser/websites/config.schokokeks.org/htdocs/vendor/bjeavons/zxcvbn-php/src/Matchers/L33tMatch.php:55
The line is:
$result['sub_display'][] = "$password[$i] -> $t";
PHP 7.1 expands the in-string-variable as $password[$i] which is not allowed for strings.
Hello, I would like to change the data-files to newer ones. Is there a chance to get the making-off files?
Thx for any hint in advance.
Hi,
Would like to know if we can disable Dictionary Match as an optional customization?
I tried disabling it by commenting the invocation of Matchers\DictionaryMatch::class, in getMatchers() function of Matcher.php file.
Just wanted to know if there's another option or this is the only one I could use here?
Note: I don't want to alter contents of ranked_frequency_lists.json file.
It will be useful to add psalm\phpstan to the project to make it more strict.
Hi, the password score of JavaScript is not the same as in PHP.
I guess that should not be like that?
PHP
array:6 [
"password" => "1111"
"score" => 0
]
array:6 [
"password" => "Monday"
"score" => 0
]
array:6 [
"password" => "Mond!ay"
"score" => 2
]
JavaScript
{
"password": "111",
"score": 0
}
{
"password": "Monday",
"score": 1
}
{
"password": "Mond!ay",
"score": 2
}
Hello,
Dictionary location is hard-coded in code.
As I'm using composer to install/update, I can't update it.
Could you please allow a parameter to be able to specify dictionary location?
thanks
List/doc over what is the min. requirement to reach X score.
Hello,
I'm scanning all my passwords with this lib. But some of them are tokens/keys, which are quite long.
Analyzing them can sometimes take more than 30 min.
Could you add a timeout parameter, or a check for length?
Thanks a lot.
match_sequence!=Array
$zxcvbn = new Zxcvbn();
$strength = $zxcvbn->passwordStrength('asdf', $userData);
echo "score_1 : ".$strength['score'].RT;
// will print 0
echo RT.RT;var_dump($strength); echo RT.RT;
gives:
array(6) { ["crack_time"]=> float(0.00865) ["calc_time"]=> float(0.0287201404572) ["password"]=> string(4) "asdf" ["entropy"]=> float(7.43462822764) ["match_sequence"]=> array(1) { [0]=> object(ZxcvbnPhp\Matchers\DictionaryMatch)#7 (10) { ["dictionaryName"]=> string(9) "passwords" ["rank"]=> int(173) ["matchedWord"]=> string(4) "asdf" ["password"]=> string(4) "asdf" ["begin"]=> int(0) ["end"]=> int(3) ["token"]=> string(4) "asdf" ["pattern"]=> string(10) "dictionary" ["entropy"]=> NULL ["cardinality"]=> NULL } } ["score"]=> int(0) }
ErrorException: 2: array_unique() expects parameter 1 to be array, bool given in
... /vendor/bjeavons/zxcvbn-php/src/Matchers/L33tMatch.php(138): array_unique(false)
PHP Fatal error: Uncaught Error: [] operator not supported for strings in
/vendor/bjeavons/zxcvbn-php/src/Matchers/L33tMatch.php:55
Any ideas how to fix this?
I'm running PHP 7.1.0
I already tried: $result['sub_display'][] = "{$password[$i]} -> $t";
but I keep getting the same error :(
Stack trace:
#0 //vendor/bjeavons/zxcvbn-php/src/Matcher.php(27): ZxcvbnPhp\Matchers\L33tMatch::match('T3H-1337-P@$$', Array)
#1 //vendor/bjeavons/zxcvbn-php/src/Zxcvbn.php(53): ZxcvbnPhp\Matcher->getMatches('T3H-1337-P@$$', Array)
#2 //vendor/phpauth/phpauth/Auth.php(187): ZxcvbnPhp\Zxcvbn->passwordStrength('T3H-1337-P@$$')
#3 /index.php(25): PHPAuth\Auth->register('[email protected]', 'T3H-1337-P@$$', 'T3H-1337-P@$$')
#4 {main}
thrown in //vendor/bjeavons/zxcvbn-php/src/Matchers/L33tMatch.php on line 55
I'm trying to use ZxcvbnPhp\Zxcvbn in my Livewire component. I installed all the requirements, but it gives me this error:
Target class [App\Http\Livewire\ZxcvbnPhp\Zxcvbn] does not exist.
Not a dealbreaker - but it'd be helpful if the readme identified the upper and lower range for score, or how to apply best practices to interpreting the result that the check provides.
Neat lib though, thank you!
Hello, any idea how to implement a result.feedback?
Thx for any hint in advance.
Hello,
A couple of weeks ago my changes were merged but are not in a new release yet.
Can you create a new release so I don't have to use dev-master?
Since PHP 7.1.3: this code doesn't work:
$zxcvbn = new Zxcvbn();
$strength = $zxcvbn->passwordStrength("secret");
Error message: "[] operator not supported for strings"
Trace:
bjeavons\zxcvbn-php\src\ZxcvbnPhp\Matchers\L33tMatch.php:55
bjeavons\zxcvbn-php\src\ZxcvbnPhp\Matcher.php:27
bjeavons\zxcvbn-php\src\ZxcvbnPhp\Zxcvbn.php:53
Hey, just wanted to let you know I've gotten reports from users of my library Nbvcxz that are getting a DOS every so often by specifically crafted passwords.
I even found a tool created by a government contractor used for issuing a DOS against programs using libraries containing the vulnerable (to combination explosion) algorithms from the original zxcvbn implementation:
https://github.com/twosixlabs/acsploit
GoSimpleLLC/nbvcxz#60
I'd take a look at some of the work another implementation did to improve things: formigarafa/zxcvbn-rb#7
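Several reports above concern how a caller uses the estimator: an empty feedback warning was read as a sign of an acceptable score, very long inputs (tokens, keys, crafted passwords) made scoring slow, and a TypeError escaped from the scorer. The following PHP is an added example, not code from zxcvbn-php or from any poster: a hypothetical checkPassword() wrapper that scores only a bounded prefix, fails closed when the estimator throws, and decides on the score alone. MAX_SCORED_CHARS, MIN_SCORE and the stub estimators are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example; not zxcvbn-php code. Both constants are assumed policy values.
const MAX_SCORED_CHARS = 100; // upper bound on characters handed to the estimator
const MIN_SCORE = 3;          // lowest score the application accepts

/**
 * Hypothetical wrapper. $estimator takes (string $password, array $userInputs)
 * and returns a result array with an integer 'score', as in the dumps on this page.
 */
function checkPassword(string $password, array $userInputs, callable $estimator): array
{
    // Bound matcher work: score only a prefix of very long inputs (tokens, keys).
    $scored = function_exists('mb_substr')
        ? mb_substr($password, 0, MAX_SCORED_CHARS, 'UTF-8')
        : substr($password, 0, MAX_SCORED_CHARS);

    // Hand the estimator strings only; drop anything else from the user inputs.
    $inputs = array_values(array_filter($userInputs, 'is_string'));

    try {
        $result = $estimator($scored, $inputs);
    } catch (\Throwable $e) {
        // An error inside the estimator must not turn into an accepted password.
        return ['accepted' => false, 'score' => null, 'reason' => 'estimator_error'];
    }

    $score = is_array($result) ? ($result['score'] ?? null) : null;
    if (!is_int($score)) {
        return ['accepted' => false, 'score' => null, 'reason' => 'no_score'];
    }

    // Gate on the score only. The warning is display text and may be empty
    // even at score 0, so it is passed through but never used as the decision.
    $warning = $result['feedback']['warning'] ?? '';
    return [
        'accepted' => $score >= MIN_SCORE,
        'score'    => $score,
        'reason'   => $score >= MIN_SCORE ? 'ok' : 'score_below_minimum',
        'warning'  => is_string($warning) ? $warning : '',
    ];
}

// Constructed stand-ins for the estimator so the example runs without the library.
// With the library installed, the call shown on this page would be wrapped as:
//   $estimator = [new \ZxcvbnPhp\Zxcvbn(), 'passwordStrength'];
$emptyWarning = function (string $p, array $u): array {
    // Mirrors the log above: score 0 with the warning left empty.
    return ['score' => 0, 'feedback' => ['warning' => '', 'suggestions' => []]];
};
$throws = function (string $p, array $u): array {
    throw new \TypeError('Return value must be of type int, float returned');
};
$seenLength = 0;
$recordsLength = function (string $p, array $u) use (&$seenLength): array {
    $seenLength = strlen($p); // how much input actually reached the estimator
    return ['score' => 4, 'feedback' => ['warning' => '']];
};

$long = str_repeat('a', 5000); // constructed long input
foreach ([
    'empty warning, score 0' => checkPassword('everything', [], $emptyWarning),
    'estimator throws'       => checkPassword($long, [], $throws),
    'long input'             => checkPassword($long, ['SteveEdson', 42], $recordsLength),
] as $label => $outcome) {
    echo $label, ': ', json_encode($outcome), PHP_EOL;
}
echo 'characters passed to estimator: ', $seenLength, PHP_EOL;
```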