dropbox / python-zxcvbn
A realistic password strength estimator.
Home Page: https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/
License: MIT License
*** THIS VERSION IS DEPRECATED ***

See https://github.com/dwolfhub/zxcvbn-python for a maintained version.

(The original README follows.)

This is a python port of zxcvbn, which is a JavaScript password strength
estimator. zxcvbn attempts to give sound password advice through pattern
matching and conservative entropy calculations. It finds 10k common passwords,
common American names and surnames, common English words, and common patterns
like dates, repeats (aaa), sequences (abcd), and QWERTY patterns.

Please refer to http://tech.dropbox.com/?p=165 for the full details and
motivation behind zxcvbn.

The source code for the original JavaScript (well, actually CoffeeScript)
implementation can be found at:

https://github.com/lowe/zxcvbn

For full motivation, see:

http://tech.dropbox.com/?p=165

------------------------------------------------------------------------
Use
------------------------------------------------------------------------

The zxcvbn module exports the password_strength() function. Import zxcvbn, and
call password_strength(password, user_inputs=[]). The function will return a
result dictionary with the following keys:

entropy            # bits
crack_time         # estimation of actual crack time, in seconds.
crack_time_display # same crack time, as a friendlier string:
                   # "instant", "6 minutes", "centuries", etc.
score              # [0,1,2,3,4] if crack time is less than
                   # [10**2, 10**4, 10**6, 10**8, Infinity].
                   # (useful for implementing a strength bar.)
match_sequence     # the list of patterns that zxcvbn based the
                   # entropy calculation on.
calculation_time   # how long it took to calculate an answer,
                   # in milliseconds. usually only a few ms.

The optional user_inputs argument is an array of strings that zxcvbn will add
to its internal dictionary. This can be whatever list of strings you like, but
is meant for user inputs from other fields of the form, like name and email.
That way a password that includes the user's personal info can be heavily
penalized.

This list is also good for site-specific vocabulary.

Bug reports and pull requests welcome!

------------------------------------------------------------------------
Acknowledgments
------------------------------------------------------------------------

Dropbox, thank you again for supporting independent projects both inside and
outside of hackweek.

Thanks to Dan Wheeler (https://github.com/lowe) for the CoffeeScript
implementation (see above.) To repeat his outside acknowledgements (which
remain useful, as always):

Many thanks to Mark Burnett for releasing his 10k top passwords list:
http://xato.net/passwords/more-top-worst-passwords
and for his 2006 book,
"Perfect Passwords: Selection, Protection, Authentication"

Huge thanks to Wiktionary contributors for building a frequency list of English
as used in television and movies:
http://en.wiktionary.org/wiki/Wiktionary:Frequency_lists

Last but not least, big thanks to xkcd :)
https://xkcd.com/936/
I'm writing a django app that uses this, and it would be great to just add zxcvbn as a dependency in setup.py.
thanks so much
Hey all.
Why would this lib need to be ported over to Python when it already exists as a Javascript library?
I started receiving error 500 emails from my Django project, revealing that someone has been trying to input extremely long passwords. I can easily reproduce this with zxcvbn 1.0:
>>> from zxcvbn import password_strength
>>> password = "this is a test"
>>> password_strength(password)
[normal results]
>>> password = "Heavy flooding over eastern Japan washed away houses and forced residents to their rooftops, desperate for rescue by military helicopters. The raging brown floodwaters spawned from Typhoon Etau, which has dumped 60 centimeters (2 feet) of rain over some areas since Monday. Combine that with several weeks of near-daily rainfall, and Ibaraki and Tochigi prefectures are now deluged and unrecognizable."
>>> password_strength(password)
Traceback (most recent call last):
File "<console>", line 1, in <module>
File "/Users/me/Sites/virtualenvs/foo/lib/python2.7/site-packages/zxcvbn/main.py", line 10, in password_strength
result = minimum_entropy_match_sequence(password, matches)
File "/Users/me/Sites/virtualenvs/foo/lib/python2.7/site-packages/zxcvbn/scoring.py", line 109, in minimum_entropy_match_sequence
crack_time = entropy_to_crack_time(min_entropy)
File "/Users/me/Sites/virtualenvs/foo/lib/python2.7/site-packages/zxcvbn/scoring.py", line 150, in entropy_to_crack_time
return (0.5 * math.pow(2, entropy)) * SECONDS_PER_GUESS # average, not total
OverflowError: math range error
The python code produces very different (and worrisome) results when compared to the javascript version. I use the python code in my change app to verify the password passes muster prior to changing it, so if anything I'd want it to be more strict than the client side JS version.
Password: FooBar2016
JS: score: 0, entropy: 18.541
Python: score: 2, entropy: 30.089
Password: ZagDag2016
JS: score: 2, entropy: 32.783
Python: score: 4, entropy: 44.264
If I had to choose I'd pick the JS version, the python one looks way too lenient.
(full result for FooBar2016 below.)
JS:
Calling zxcvbn
{ password: 'FooBar2016',
entropy: 18.541,
match_sequence:
[ { pattern: 'dictionary',
i: 0,
j: 5,
token: 'FooBar',
matched_word: 'foobar',
rank: 908,
dictionary_name: 'passwords',
reversed: false,
base_entropy: 9.826548487290916,
uppercase_entropy: 4.392317422778761,
reversed_entropy: 0,
l33t_entropy: 0,
entropy: 14.218865910069677 },
{ pattern: 'regex',
token: '2016',
i: 6,
j: 9,
regex_name: 'recent_year',
regex_match: [Object],
entropy: 4.321928094887363 } ],
crack_time: 19.068,
crack_time_display: '19.068000000000023 seconds',
score: 0,
calc_time: 8 }
Python:
python -c 'import zxcvbn; print zxcvbn.password_strength("FooBar2016")'
{'crack_time_display': '17.0 hours', 'crack_time': 57103.66, 'score': 2, 'entropy': 30.089, 'password': 'FooBar2016', 'calc_time': 0.0005788803100585938, 'match_sequence': [{'l33t_entropy': 0, 'dictionary_name': 'passwords', 'matched_word': 'foobar', 'base_entropy': 9.826548487290916, 'i': 0, 'pattern': 'dictionary', 'j': 5, 'rank': 908, 'token': 'FooBar', 'entropy': 14.285980105928214, 'uppercase_entropy': 4.459431618637297}, {'i': 6, 'pattern': 'spatial', 'j': 8, 'shifted_count': 0, 'token': '201', 'entropy': 9.848831558033764, 'graph': 'keypad', 'turns': 2}, {'i': 9, 'pattern': 'bruteforce', 'j': 9, 'token': '6', 'entropy': 5.954196310386876, 'cardinality': 62}]}
There are no tests.
In order to use this code with Python 3, print statements need to wrap strings in parentheses and xrange needs to be changed to range. No additional changes are required.
The correct key for the calculation time should be calc_time, yet the documentation reads calculation_time.
See pull request #15.
I just received half a dozen spam messages from CLAassistant about old unmerged PRs. Whoever owns this repo might want to know.
Results for these calls differ greatly:
>>> password_strength(u'verylongword', [u'VeryLongWord'])
>>> password_strength(u'verylongword', [u'verylongword'])
First returns about 5 minutes, second one is instant.
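An added example, not code from this repository or from any of the reports above, that re-implements the README's crack-time and score mapping so that the OverflowError in entropy_to_crack_time reported earlier cannot occur, and sanitises the arguments the way the long-password and user_inputs reports suggest (length cap, lowercased user_inputs). It assumes SECONDS_PER_GUESS = 1e-4, back-derived from the FooBar2016 figures quoted above, and a hypothetical MAX_PASSWORD_LENGTH of 128.

```python
import math

# Assumption: 1e-4 s/guess reproduces the figures quoted on this page
# (18.541 bits -> 19.068 s, 30.089 bits -> 57103.66 s).
SECONDS_PER_GUESS = 1e-4

# README: score is 0..3 when crack time is below 10**2, 10**4, 10**6,
# 10**8 seconds respectively, and 4 otherwise.
SCORE_LIMITS = (10 ** 2, 10 ** 4, 10 ** 6, 10 ** 8)

# Hypothetical cap: the estimator should never be handed a paragraph.
MAX_PASSWORD_LENGTH = 128


def entropy_to_crack_time(entropy):
    """Average crack time in seconds for `entropy` bits.

    Same formula as scoring.py (0.5 * 2**entropy * SECONDS_PER_GUESS), but
    the exponent is checked in log2 space first, so huge entropy values
    return infinity instead of raising OverflowError.
    """
    log2_seconds = entropy - 1.0 + math.log2(SECONDS_PER_GUESS)
    if log2_seconds >= 1024:          # 2.0 ** 1024 overflows a double
        return math.inf
    return 2.0 ** log2_seconds


def crack_time_to_score(seconds):
    """Map a crack time to the README's 0..4 strength-bar score."""
    for score, limit in enumerate(SCORE_LIMITS):
        if seconds < limit:
            return score
    return 4


def guard_inputs(password, user_inputs=()):
    """Normalise arguments before they reach password_strength().

    The password is truncated to MAX_PASSWORD_LENGTH and user_inputs are
    lowercased and de-duplicated, since the report above shows the
    user_inputs match only fires on lowercase entries.
    """
    truncated = password[:MAX_PASSWORD_LENGTH]
    lowered = sorted({s.lower() for s in user_inputs if s})
    return truncated, lowered
```

With these wrappers in front of the library, a paragraph-length submission is scored as an ordinary long input instead of turning into an error 500, and a user's name matches the password regardless of how the form field was capitalised.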