
python-zxcvbn's Introduction

*** THIS VERSION IS DEPRECATED ***

See https://github.com/dwolfhub/zxcvbn-python for a maintained version.

(The original README follows.)

This is a python port of zxcvbn, which is a JavaScript password strength
generator. zxcvbn attempts to give sound password advice through pattern
matching and conservative entropy calculations. It finds 10k common passwords,
common American names and surnames, common English words, and common patterns
like dates, repeats (aaa), sequences (abcd), and QWERTY patterns.

Please refer to http://tech.dropbox.com/?p=165 for the full details and
motivation behind zxcvbn. The source code for the original JavaScript (well,
actually CoffeeScript) implementation can be found at:

https://github.com/lowe/zxcvbn


For full motivation, see:

http://tech.dropbox.com/?p=165

------------------------------------------------------------------------
Use
------------------------------------------------------------------------

The zxcvbn module exports the password_strength() function. Import zxcvbn, and
call password_strength(password, user_inputs=[]).  The function will return a
result dictionary with the following keys:

entropy            # bits

crack_time         # estimation of actual crack time, in seconds.

crack_time_display # same crack time, as a friendlier string:
                   # "instant", "6 minutes", "centuries", etc.

score              # [0,1,2,3,4] if crack time is less than
                   # [10**2, 10**4, 10**6, 10**8, Infinity].
                   # (useful for implementing a strength bar.)

match_sequence     # the list of patterns that zxcvbn based the
                   # entropy calculation on.

calculation_time   # how long it took to calculate an answer,
                   # in milliseconds. usually only a few ms.

The optional user_inputs argument is an array of strings that zxcvbn
will add to its internal dictionary. This can be whatever list of
strings you like, but is meant for user inputs from other fields of the
form, like name and email. That way a password that includes the user's
personal info can be heavily penalized. This list is also good for
site-specific vocabulary.

Bug reports and pull requests welcome!

------------------------------------------------------------------------
Acknowledgments
------------------------------------------------------------------------

Dropbox, thank you again for supporting independent projects both inside and
outside of hackweek.

Thanks to Dan Wheeler (https://github.com/lowe) for the CoffeeScript implementation
(see above.) To repeat his outside acknowledgements (which remain useful, as always):

Many thanks to Mark Burnett for releasing his 10k top passwords list:
http://xato.net/passwords/more-top-worst-passwords
and for his 2006 book,
"Perfect Passwords: Selection, Protection, Authentication"

Huge thanks to Wiktionary contributors for building a frequency list
of English as used in television and movies:
http://en.wiktionary.org/wiki/Wiktionary:Frequency_lists

Last but not least, big thanks to xkcd :)
https://xkcd.com/936/


python-zxcvbn's Issues

Why?

Hey all.

Why would this lib need to be ported over to Python when it already exists as a Javascript library?

OverflowError: math range error

I started receiving error 500 emails from my Django project, revealing that someone has been trying to input extremely long passwords. I can easily reproduce this with zxcvbn 1.0:

from zxcvbn import password_strength

>>> password = "this is a test"
>>> password_strength(password)

[normal results]

>>> password = "Heavy flooding over eastern Japan washed away houses and forced residents to their rooftops, desperate for rescue by military helicopters.  The raging brown floodwaters spawned from Typhoon Etau, which has dumped 60 centimeters (2 feet) of rain over some areas since Monday.  Combine that with several weeks of near-daily rainfall, and Ibaraki and Tochigi prefectures are now deluged and unrecognizable."

>>> password_strength(password)
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/Users/me/Sites/virtualenvs/foo/lib/python2.7/site-packages/zxcvbn/main.py", line 10, in password_strength
    result = minimum_entropy_match_sequence(password, matches)
  File "/Users/me/Sites/virtualenvs/foo/lib/python2.7/site-packages/zxcvbn/scoring.py", line 109, in minimum_entropy_match_sequence
    crack_time = entropy_to_crack_time(min_entropy)
  File "/Users/me/Sites/virtualenvs/foo/lib/python2.7/site-packages/zxcvbn/scoring.py", line 150, in entropy_to_crack_time
    return (0.5 * math.pow(2, entropy)) * SECONDS_PER_GUESS # average, not total
OverflowError: math range error
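As an added example (not code from python-zxcvbn itself), the entropy-to-crack-time step from the traceback above and the result keys documented under "Use", reimplemented so that an overflowing exponent reports an unbounded crack time instead of raising; SECONDS_PER_GUESS is an assumed constant chosen so the figures match the numbers quoted in the issues on this page, and the display buckets follow the original zxcvbn display logic.

```python
import math

# Assumed constant: SECONDS_PER_GUESS is not given on this page. 0.01 s per guess
# with 100 parallel attackers reproduces the figures quoted in the issues
# (about 18.54 bits -> 19.068 s, about 30.09 bits -> 57103.66 s).
SECONDS_PER_GUESS = 0.01 / 100
# Score buckets exactly as documented under the "score" key in the README above.
SCORE_THRESHOLDS = (10 ** 2, 10 ** 4, 10 ** 6, 10 ** 8)


def entropy_to_crack_time(entropy):
    """Average crack time in seconds: 0.5 * 2**entropy guesses, as in the traceback.

    math.pow(2, entropy) raises OverflowError above roughly 1024 bits, which a
    paragraph-length password reaches. A crash there turns a strength check into
    an error 500, so report an unbounded crack time instead.
    """
    try:
        guesses = 0.5 * math.pow(2, entropy)  # average, not total
    except OverflowError:
        return math.inf
    return guesses * SECONDS_PER_GUESS


def crack_time_to_score(crack_time):
    """0..4: how many of the documented thresholds the crack time reaches."""
    return sum(1 for limit in SCORE_THRESHOLDS if crack_time >= limit)


def crack_time_display(seconds):
    """Friendly string; buckets and the '1 + ceil' rounding follow the original
    zxcvbn display logic (which is why 57103 s reads as 17 hours, not 16)."""
    minute, hour, day = 60, 60 * 60, 60 * 60 * 24
    month, year, century = day * 31, day * 31 * 12, day * 31 * 12 * 100
    if seconds < minute:
        return "instant"
    for limit, unit, name in ((hour, minute, "minutes"), (day, hour, "hours"),
                              (month, day, "days"), (year, month, "months"),
                              (century, year, "years")):
        if seconds < limit:
            return "%d %s" % (1 + math.ceil(seconds / unit), name)
    return "centuries"  # an overflowed (infinite) crack time also lands here


def score_entropy(entropy):
    """The README's result keys that derive from entropy, computed without overflow."""
    crack_time = entropy_to_crack_time(entropy)
    return {"entropy": entropy, "crack_time": crack_time,
            "crack_time_display": crack_time_display(crack_time),
            "score": crack_time_to_score(crack_time)}
```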

Very different results from JavaScript.

The Python code produces very different (and worrisome) results when compared to the JavaScript version. I use the Python code in my change app to verify the password passes muster prior to changing it, so if anything I'd want it to be more strict than the client side JS version.

Password: FooBar2016
JS: score: 0, entropy: 18.541
Python: score: 2, entropy: 30.089

Password: ZagDag2016
JS: score: 2, entropy: 32.783
Python: score: 4, entropy: 44.264

If I had to choose I'd pick the JS version, the python one looks way too lenient.

(Full result for FooBar2016 below.)
JS:
Calling zxcvbn
{ password: 'FooBar2016',
entropy: 18.541,
match_sequence:
[ { pattern: 'dictionary',
i: 0,
j: 5,
token: 'FooBar',
matched_word: 'foobar',
rank: 908,
dictionary_name: 'passwords',
reversed: false,
base_entropy: 9.826548487290916,
uppercase_entropy: 4.392317422778761,
reversed_entropy: 0,
l33t_entropy: 0,
entropy: 14.218865910069677 },
{ pattern: 'regex',
token: '2016',
i: 6,
j: 9,
regex_name: 'recent_year',
regex_match: [Object],
entropy: 4.321928094887363 } ],
crack_time: 19.068,
crack_time_display: '19.068000000000023 seconds',
score: 0,
calc_time: 8 }

Python:

python -c 'import zxcvbn; print zxcvbn.password_strength("FooBar2016")'
{'crack_time_display': '17.0 hours', 'crack_time': 57103.66, 'score': 2, 'entropy': 30.089, 'password': 'FooBar2016', 'calc_time': 0.0005788803100585938, 'match_sequence': [{'l33t_entropy': 0, 'dictionary_name': 'passwords', 'matched_word': 'foobar', 'base_entropy': 9.826548487290916, 'i': 0, 'pattern': 'dictionary', 'j': 5, 'rank': 908, 'token': 'FooBar', 'entropy': 14.285980105928214, 'uppercase_entropy': 4.459431618637297}, {'i': 6, 'pattern': 'spatial', 'j': 8, 'shifted_count': 0, 'token': '201', 'entropy': 9.848831558033764, 'graph': 'keypad', 'turns': 2}, {'i': 9, 'pattern': 'bruteforce', 'j': 9, 'token': '6', 'entropy': 5.954196310386876, 'cardinality': 62}]}

Python 3 Compatibility

In order to use this code with Python 3, print statements need to wrap strings in parentheses and xrange needs to be changed to range. No additional changes are required.

CLAassistant

I just received half a dozen spam messages from CLAassistant about old unmerged PRs. Whoever owns this repo might want to know.

User inputs are not lowercased before comparison

Results for these calls differ greatly

>>> password_strength(u'verylongword', [u'VeryLongWord'])
>>> password_strength(u'verylongword', [u'verylongword'])

First returns about 5 minutes, second one is instant.
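An added example (not from python-zxcvbn) showing why the two calls above differ and how a caller can normalize user inputs before they reach the library: a minimal dictionary matcher modelled on zxcvbn's (substrings of the lower-cased password looked up in a ranked word dict), run once with the raw input and once with the lower-cased input. The password_strength_normalized wrapper is a hypothetical helper around the password_strength() documented above.

```python
def normalize_user_inputs(user_inputs):
    """Lower-case, strip and de-duplicate the caller's tokens, keeping order."""
    seen, out = set(), []
    for item in user_inputs:
        token = str(item).strip().lower()
        if token and token not in seen:
            seen.add(token)
            out.append(token)
    return out


def build_ranked_dict(words):
    """Map word -> rank (1 = most likely), the shape zxcvbn uses for word lists."""
    return {word: rank for rank, word in enumerate(words, start=1)}


def dictionary_matches(password, ranked):
    """Minimal matcher modelled on zxcvbn's dictionary matching: every substring
    of the lower-cased password is looked up in the ranked dict. A key stored
    with capitals can therefore never match, which is the bug in the issue above."""
    lowered = password.lower()
    found = []
    for i in range(len(lowered)):
        for j in range(i, len(lowered)):
            word = lowered[i:j + 1]
            if word in ranked:
                found.append({"i": i, "j": j, "token": password[i:j + 1],
                              "matched_word": word, "rank": ranked[word]})
    return found


def user_input_hits(password, user_inputs, normalize=True):
    """Matches of the password against the user's own data (name, email, ...).
    normalize=False reproduces the unpatched behaviour reported in the issue."""
    words = normalize_user_inputs(user_inputs) if normalize else list(user_inputs)
    return dictionary_matches(password, build_ranked_dict(words))


def password_strength_normalized(password, user_inputs=()):
    """Hypothetical drop-in wrapper for this library's password_strength() that
    lower-cases the inputs before they are added to the internal dictionary."""
    from zxcvbn import password_strength  # the module documented on this page
    return password_strength(password, normalize_user_inputs(user_inputs))
```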
