Inconsistent user inputs affect on score?

[U-4-E-A]

I may well be missing something here, but this example appears to be very insecure: -

const userInputs = ["Brian Thompson"]

I've ran the following tests and there are the result: -

TEST 1

Password: "Brian Thompson"

zxcvbnResult :  {
  calcTime: 138,
  password: 'Brian Thompson',
  guesses: 456,
  guessesLog10: 2.658964842664435,
  sequence: [
    {
      pattern: 'dictionary',
      i: 0,
      j: 13,
      token: 'Brian Thompson',
      matchedWord: 'brian thompson',
      rank: 5,
      dictionaryName: 'userInputs',
      reversed: false,
      l33t: false,
      baseGuesses: 5,
      uppercaseVariations: 91,
      l33tVariations: 1,
      guesses: 455,
      guessesLog10: 2.658011396657112
    }
  ],
  crackTimesSeconds: {
    onlineThrottling100PerHour: 16416,
    onlineNoThrottling10PerSecond: 45.6,
    offlineSlowHashing1e4PerSecond: 0.0456,
    offlineFastHashing1e10PerSecond: 4.56e-8
  },
  crackTimesDisplay: {
    onlineThrottling100PerHour: '5 hours',
    onlineNoThrottling10PerSecond: '46 seconds',
    offlineSlowHashing1e4PerSecond: 'less than a second',
    offlineFastHashing1e10PerSecond: 'less than a second'
  },
  score: 0,
  feedback: {
    warning: 'There should not be any personal or page related data.',
    suggestions: [ 'Add more words that are less common.' ]
  }
}

TEST 2

Password: "Brian Thompson " (note the space at the end)

zxcvbnResult :  {
  calcTime: 138,
  password: 'Brian Thompson ',
  guesses: 20010,
  guessesLog10: 4.30124708863621,
  sequence: [
    {
      pattern: 'dictionary',
      i: 0,
      j: 13,
      token: 'Brian Thompson',
      matchedWord: 'brian thompson',
      rank: 5,
      dictionaryName: 'userInputs',
      reversed: false,
      l33t: false,
      baseGuesses: 5,
      uppercaseVariations: 91,
      l33tVariations: 1,
      guesses: 455,
      guessesLog10: 2.658011396657112
    },
    {
      pattern: 'bruteforce',
      token: ' ',
      i: 14,
      j: 14,
      guesses: 11,
      guessesLog10: 1.041392685158225
    }
  ],
  crackTimesSeconds: {
    onlineThrottling100PerHour: 720360,
    onlineNoThrottling10PerSecond: 2001,
    offlineSlowHashing1e4PerSecond: 2.001,
    offlineFastHashing1e10PerSecond: 0.000002001
  },
  crackTimesDisplay: {
    onlineThrottling100PerHour: '8 days',
    onlineNoThrottling10PerSecond: '33 minutes',
    offlineSlowHashing1e4PerSecond: '2 seconds',
    offlineFastHashing1e10PerSecond: 'less than a second'
  },
  score: 1,
  feedback: {
    warning: 'There should not be any personal or page related data.',
    suggestions: [ 'Add more words that are less common.' ]
  }
}

TEST 3

Password: "Brian Thompson password"

zxcvbnResult :  {
  calcTime: 364,
  password: 'Brian Thompson password',
  guesses: 101501500,
  guessesLog10: 8.00647246034686,
  sequence: [
    {
      pattern: 'dictionary',
      i: 0,
      j: 13,
      token: 'Brian Thompson',
      matchedWord: 'brian thompson',
      rank: 5,
      dictionaryName: 'userInputs',
      reversed: false,
      l33t: false,
      baseGuesses: 5,
      uppercaseVariations: 91,
      l33tVariations: 1,
      guesses: 455,
      guessesLog10: 2.658011396657112
    },
    {
      pattern: 'bruteforce',
      token: ' ',
      i: 14,
      j: 14,
      guesses: 11,
      guessesLog10: 1.041392685158225
    },
    {
      pattern: 'dictionary',
      i: 15,
      j: 22,
      token: 'password',
      matchedWord: 'password',
      rank: 2,
      dictionaryName: 'passwords',
      reversed: false,
      l33t: false,
      baseGuesses: 2,
      uppercaseVariations: 1,
      l33tVariations: 1,
      guesses: 50,
      guessesLog10: 1.6989700043360185
    }
  ],
  crackTimesSeconds: {
    onlineThrottling100PerHour: 3654054000,
    onlineNoThrottling10PerSecond: 10150150,
    offlineSlowHashing1e4PerSecond: 10150.15,
    offlineFastHashing1e10PerSecond: 0.01015015
  },
  crackTimesDisplay: {
    onlineThrottling100PerHour: 'centuries',
    onlineNoThrottling10PerSecond: '4 months',
    offlineSlowHashing1e4PerSecond: '3 hours',
    offlineFastHashing1e10PerSecond: 'less than a second'
  },
  score: 3,
  feedback: { warning: '', suggestions: [] }
}

TEST 4

Password: "Brian Thompson 1234"

zxcvbnResult :  {
  calcTime: 203,
  password: 'Brian Thompson 1234',
  guesses: 91010000,
  guessesLog10: 7.959089114367391,
  sequence: [
    {
      pattern: 'dictionary',
      i: 0,
      j: 13,
      token: 'Brian Thompson',
      matchedWord: 'brian thompson',
      rank: 5,
      dictionaryName: 'userInputs',
      reversed: false,
      l33t: false,
      baseGuesses: 5,
      uppercaseVariations: 91,
      l33tVariations: 1,
      guesses: 455,
      guessesLog10: 2.658011396657112
    },
    {
      pattern: 'bruteforce',
      token: ' 1234',
      i: 14,
      j: 18,
      guesses: 100000,
      guessesLog10: 5
    }
  ],
  crackTimesSeconds: {
    onlineThrottling100PerHour: 3276360000,
    onlineNoThrottling10PerSecond: 9101000,
    offlineSlowHashing1e4PerSecond: 9101,
    offlineFastHashing1e10PerSecond: 0.009101
  },
  crackTimesDisplay: {
    onlineThrottling100PerHour: 'centuries',
    onlineNoThrottling10PerSecond: '3 months',
    offlineSlowHashing1e4PerSecond: '3 hours',
    offlineFastHashing1e10PerSecond: 'less than a second'
  },
  score: 2,
  feedback: {
    warning: 'There should not be any personal or page related data.',
    suggestions: [ 'Add more words that are less common.' ]
  }
}

In test 1, it rightly gives a score of zero and a warning for "Brian Thompson" as "Brian Thompson" is a user input.

In test 2, a single trailing white space will give a score other than 0 and a warning.

In test 3, "Brian Thompson password" will give a score of 3 and no warnings/suggestions, despite it seems to be what should be considered a low (or lower) entropy password assuming the attacker has the user's name. This would seem to be an error that should be addressed as I think it creates opportunity for weak passwords.

In test 4, a password of "Brian Thompson 1234" - which I think we should consider to have a similar entropy/obviousness to that of test 3 - returns a score of 2 with warnings/suggestions. Is this not inconsistent with test 3's feedback?

Also, should there not just be a case for the failing of a password if it has "Brian Thompson" or a l33t of "Brian Thompson" anywhere in the password string? Should we not consider user input + " password" to be rather obvious?

The user can write their own function to check the password for substrings of user inputs but this is 1) hackish 2) difficult to take into account l33t as l33t would have to be done by a separate package (unless the zxcvbn-ts l33t function can be made available for direct import).

Thoughts?

[U-4-E-A]

FWIW, "BR1@N Thompson password" on https://www.passwordmonster.com/ is classed as weak with a crack time of 19.25 minutes. That is without the user's name being known...

[MrWook]

Hey, thanks for the testing the the new password test page.

Differences in scoring
The scoring for separators is a bit weird which is already discussed in #12
If there is would be a separator matcher it should reduce all your test scores to a 1.

Customer matcher
The l33t matcher is part of the dictionary matcher. If you would like to write your own matcher and use the other matcher there is a omniMatch option to access all other matchers.
The repeat matcher is already doing what you want to do. https://github.com/zxcvbn-ts/zxcvbn/blob/master/packages/libraries/main/src/matcher/repeat/matching.ts
It uses all other matchers to generate baseGuess count.

To only use one matcher you could use the option directly, access the matcher and generate a new instance of it
Like this:

class MatchCustom {
    async match({ password, omniMatch }: MatchOptions) {
      const DictionaryMatcher = omniMatch.matchers.dictionary
      const matcher = new DictionaryMatcher()
      const dictionaryResult = matcher.match({ password, omniMatch })
      ...
   }
}

With the results of the dictionary matcher you could proceed with your own implementation.
I should add a detailed documentation about creating own matchers with examples like this 🤔

New password checker page
https://www.passwordmonster.com/ seems like a new site from this year.
If you checkout the code of the site you will see that it is using an old implementation of zxcvbn of dropbox.
You can open the browser console on the page and type zxcvbn('BR1@N Thompson password') and it will print out an old response from zxcvbn < 4.x.x.
I'm not really sure whats the real difference between zxcvbn 4 and prior versions but with version 4 the scoring and timing was completely rewritten https://github.com/dropbox/zxcvbn/releases/tag/4.0.1
The new timing is differentiating between offline and online attack. I would assume that the old implementation is closer to a offline attack timing than an online attack timing.
This means you would need to compare the offline attack timing of zxcvbn-ts which is 3min for your example.

I would move this issue to the discussion tab if it's fine for you.
Because the separator matcher is already discussed and i think the rest is a good discussion instead of a real issue

[U-4-E-A]

I might be a little confused here but is there any way to use a custom matcher (or any other method) to have a password fail/score low in the case where it contains certain strings, so I could have a password fail if "Brian Thompson" (and possibly any l33ts of it) are found in the string? Thanks.

[MrWook]

Yes this should be possible.
For example this custom matcher https://zxcvbn-ts.github.io/zxcvbn/guide/matcher/#create-a-custom-matcher.
If j is the length of the password and you give this matcher a 0 the scoring should always be 0 🤔 Basically the minLength matcher will always give a score of 0 for passwords that are smaller than 10.

To achieve your case it would be best if you create a custom dictionary with your desired failures and add it as any other dictionary.
Than add a custom matcher like

class MatchCustom {
  async match({ password, omniMatch }: MatchOptions) {
    const DictionaryMatcher = omniMatch.matchers.dictionary
    const matcher = new DictionaryMatcher()
    const dictionaryResult = matcher.match({
      password,
      omniMatch,
    }) as MatchExtended[]

    const shouldFail = dictionaryResult.some((entry) => {
      return entry.dictionaryName === 'YOUR_CUSTOM_DICTIONARY_NAME'
    })
    const matches: Match[] = []
    if (shouldFail) {
      matches.push({
        pattern: 'CUSTOM_MATCHER_NAME',
        token: password,
        i: 0,
        j: password.length - 1,
      })
    }
    return matches
  }
...
}

[U-4-E-A]

Does this example take into account user inputs? In my example, I am trying to match the user's name in the password, which is dynamic as the user input and therefore not suitable for a static dictionary. Thanks.

[MrWook]

the user inputs is just another dictionary which you can use freely inside the matcher. You need to change YOUR_CUSTOM_DICTIONARY_NAME anyway. So you could use. userInput for YOUR_CUSTOM_DICTIONARY_NAME.
This would mean all user inputs that are found will set the score to 1

[U-4-E-A]

Managed to get it working now. Thank you, Sir!