zxcvbn Password Strength Estimator | InfoSec Write-ups

Introduction

Demo of the password strength estimator
  1. Install Zxcvbn
const zxcvbn = require('zxcvbn');   // after `npm install zxcvbn`
const password = 'mypassword';
const result = zxcvbn(password);

result.guesses        // estimated guesses needed to crack the password
result.guesses_log10  // order of magnitude of result.guesses

result.crack_times_seconds // dictionary of back-of-the-envelope crack time
                           // estimations, in seconds, based on a few scenarios:
{
  // online attack on a service that rate-limits password auth attempts.
  online_throttling_100_per_hour

  // online attack on a service that doesn't rate-limit,
  // or where an attacker has outsmarted rate-limiting.
  online_no_throttling_10_per_second

  // offline attack. assumes multiple attackers,
  // proper user-unique salting, and a slow hash function
  // w/ moderate work factor, such as bcrypt, scrypt, PBKDF2.
  offline_slow_hashing_1e4_per_second

  // offline attack with user-unique salting but a fast hash
  // function like SHA-1, SHA-256 or MD5. A wide range of
  // reasonable numbers anywhere from one billion - one trillion
  // guesses per second, depending on number of cores and machines.
  // ballparking at 10B/sec.
  offline_fast_hashing_1e10_per_second
}

result.crack_times_display // same keys as result.crack_times_seconds,
                           // with friendlier display string values:
                           // "less than a second", "3 hours", "centuries", etc.

result.score // integer from 0-4 (useful for implementing a strength bar)
  // 0  too guessable: risky password. (guesses < 10^3)
  // 1  very guessable: protection from throttled online attacks. (guesses < 10^6)
  // 2  somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)
  // 3  safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
  // 4  very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)

result.feedback // verbal feedback to help choose better passwords. set when score <= 2.

result.feedback.warning // explains what's wrong, e.g. 'this is a top-10 common password'.
                        // not always set -- sometimes an empty string

result.feedback.suggestions // a possibly-empty list of suggestions to help choose a less
                            // guessable password, e.g. 'Add another word or two'

result.sequence // the list of patterns that zxcvbn based the
                // guess calculation on.

result.calc_time // how long it took zxcvbn to calculate an answer,
                 // in milliseconds.
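As an added example (not code from the original post or from the zxcvbn project), the JavaScript below reproduces the guesses-to-score thresholds and the four attacker-rate scenarios listed above, builds a result object with the same field names zxcvbn returns, and gates a registration form on a minimum score while surfacing the feedback fields. The guess counts in the sample are constructed, and `displayTime` is an approximation of the library's display strings rather than its exact code; `evaluateWithLibrary` only shows the real call shape, including the second `user_inputs` argument of user-specific strings, and returns `null` when the package is not installed.

```javascript
// Added example, not code from the original post or from the zxcvbn project.
// Thresholds and attacker rates are the ones the post lists; the display
// bucketing approximates the library's "3 hours" / "centuries" strings.

// Attacker rates, in guesses per second, for the four scenarios on the page.
const GUESSES_PER_SECOND = {
  online_throttling_100_per_hour: 100 / 3600,
  online_no_throttling_10_per_second: 10,
  offline_slow_hashing_1e4_per_second: 1e4,
  offline_fast_hashing_1e10_per_second: 1e10,
};

// Score 0-4 from the guess-count thresholds listed on the page.
function guessesToScore(guesses) {
  if (guesses < 1e3) return 0;
  if (guesses < 1e6) return 1;
  if (guesses < 1e8) return 2;
  if (guesses < 1e10) return 3;
  return 4;
}

// Seconds needed to exhaust the guess count at each scenario's rate.
function crackTimesSeconds(guesses) {
  const times = {};
  for (const [scenario, rate] of Object.entries(GUESSES_PER_SECOND)) {
    times[scenario] = guesses / rate;
  }
  return times;
}

// Human-readable bucket, approximating the library's display strings.
function displayTime(seconds) {
  const minute = 60, hour = 60 * minute, day = 24 * hour;
  const month = 31 * day, year = 365 * day, century = 100 * year;
  const fmt = (n, unit) => {
    const v = Math.round(n);
    return `${v} ${unit}${v === 1 ? '' : 's'}`;
  };
  if (seconds < 1) return 'less than a second';
  if (seconds < minute) return fmt(seconds, 'second');
  if (seconds < hour) return fmt(seconds / minute, 'minute');
  if (seconds < day) return fmt(seconds / hour, 'hour');
  if (seconds < month) return fmt(seconds / day, 'day');
  if (seconds < year) return fmt(seconds / month, 'month');
  if (seconds < century) return fmt(seconds / year, 'year');
  return 'centuries';
}

// Build a result object with the same field names zxcvbn returns, from a
// guess count. Feedback is only populated for score <= 2, as the page states.
function estimateFromGuesses(guesses, warning = '', suggestions = []) {
  const score = guessesToScore(guesses);
  const crack_times_seconds = crackTimesSeconds(guesses);
  const crack_times_display = {};
  for (const [scenario, secs] of Object.entries(crack_times_seconds)) {
    crack_times_display[scenario] = displayTime(secs);
  }
  return {
    guesses,
    guesses_log10: Math.log10(guesses),
    score,
    crack_times_seconds,
    crack_times_display,
    feedback: score <= 2 ? { warning, suggestions } : { warning: '', suggestions: [] },
  };
}

// Registration-time gate: reject below minScore and surface zxcvbn's feedback
// (warning first, then the first suggestion) so the user knows what to change.
function acceptPassword(result, minScore = 3) {
  if (result.score >= minScore) return { ok: true, reason: '' };
  const { warning = '', suggestions = [] } = result.feedback || {};
  return { ok: false, reason: warning || suggestions[0] || 'Password is too guessable' };
}

// Real call shape when the package is installed. zxcvbn's second argument is
// an array of user-specific strings (username, e-mail, site name) that are
// penalised like dictionary words, so always pass them in from the form.
function evaluateWithLibrary(password, userInputs = []) {
  try {
    const zxcvbn = require('zxcvbn');
    return zxcvbn(password, userInputs);
  } catch (e) {
    return null; // library not installed; fall back to estimateFromGuesses
  }
}

// Constructed sample results: the guess counts are illustrative, not real
// zxcvbn output for any particular password.
const weak = estimateFromGuesses(5e3, 'This is a top-10 common password', ['Add another word or two']);
const strong = estimateFromGuesses(3e12);

console.log(weak.score, weak.crack_times_display.online_no_throttling_10_per_second, acceptPassword(weak));
console.log(strong.score, strong.crack_times_display.offline_fast_hashing_1e10_per_second, acceptPassword(strong));
```

The second sample is worth reading closely: a score of 4 only means at least 10^10 guesses, which the offline fast-hashing scenario at 10^10 guesses per second exhausts in minutes. That is why the score's "strong protection" wording is tied to the slow-hash scenario, and why a client-side strength meter has to be paired with a salted, slow password hash (bcrypt, scrypt or PBKDF2, as the page's scenario assumes) on the server.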

administrator
