Releases: dropbox/zxcvbn
v4.4.2
v4.4.1
4.4.0
4.3.0
4.2.0
Overhauled dictionary processing pipeline (scripts in data-scripts).
- zxcvbn now counts 30k top passwords from Xato.net's 10M password corpus instead of an earlier list of 10k passwords.
- zxcvbn now counts top words from offline Wikipedia dumps. Instead of 55k words from the Wiktionary TV and movie study, zxcvbn now includes the top 30k tokens from that study and the top 30k tokens from English Wikipedia.
- Data processing scripts are easier to use and better documented. It's now easy to, for example, add dictionaries obtained from wikipedia dumps in other locales.
4.1.0
zxcvbn now includes targeted verbal feedback in addition to the score and guess numbers. Verbal feedback is included when the score is <=2, and potentially contains a warning and a list of suggestions.
Warnings include messages like "this is a top-10 common password", "dates are easy to guess", "rows of keys are easy to guess".
Suggestions include messages like "add another word or two", "avoid dates that are associated with you", "common substitutions like @ for a don't help very much", etc.
4.0.1
zxcvbn's search algorithm now penalizes pattern sequence length. The old model optimized:
Product(match.guesses for match in sequence)
The new model optimizes a function that includes both a multiplicative and additive penalty:
factorial(length) * product + D^(length - 1)
See comments in scoring.coffee for intuition around the new model.
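The two objectives above, side by side on constructed match data, as an added example that is not code from the zxcvbn project. It assumes D = 10000 (the constant zxcvbn names MIN_GUESSES_BEFORE_GROWING_SEQUENCE) and uses made-up per-match guess counts; it shows why a purely multiplicative objective could be undercut by splitting a password into many tiny matches, and how the additive D^(length - 1) term closes that gap.

```javascript
// Added example, not code from the zxcvbn project: compares the old and new
// sequence-scoring objectives from the 4.0.1 notes on constructed match data.
// Assumption: D = 10000 (the constant zxcvbn names MIN_GUESSES_BEFORE_GROWING_SEQUENCE).
const D = 10000;

function factorial(n) {
  let f = 1;
  for (let i = 2; i <= n; i++) f *= i;
  return f;
}

// Old model: product of per-match guesses, nothing else.
function oldScore(sequence) {
  return sequence.reduce((acc, m) => acc * m.guesses, 1);
}

// New model: factorial(length) * product + D^(length - 1).
// The factorial term charges for the ordering of the pieces; the D term
// makes every extra match cost at least D more guesses, so long chains of
// tiny matches can no longer undercut a single strong match.
function newScore(sequence) {
  const L = sequence.length;
  return factorial(L) * oldScore(sequence) + Math.pow(D, L - 1);
}

// The search keeps the candidate sequence with the lowest objective.
function bestSequence(candidates, scoreFn) {
  return candidates.reduce((best, seq) => (scoreFn(seq) < scoreFn(best) ? seq : best));
}

// Constructed candidates for one hypothetical password "password1":
// (a) one dictionary match; (b) three short bruteforce chunks whose product
// is a little smaller than the single match's guesses.
const single = [{ pattern: 'dictionary', token: 'password1', guesses: 5000 }];
const split = [
  { pattern: 'bruteforce', token: 'pas', guesses: 15 },
  { pattern: 'bruteforce', token: 'swo', guesses: 15 },
  { pattern: 'bruteforce', token: 'rd1', guesses: 20 },
];

// Old model prefers the split (4500 < 5000), underestimating the password.
// New model prefers the single match (5001 vs 100027000).
console.log('old:', oldScore(single), oldScore(split), bestSequence([single, split], oldScore).length);
console.log('new:', newScore(single), newScore(split), bestSequence([single, split], newScore).length);
```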
Backwards-incompatible changes:
- Most property names changed in the zxcvbn() return object. Removed all mention of entropy in place of the more intuitive guesses and guesses_log10. (entropy in older versions was just log2 of guesses -- a sloppy use of the term.)
- Removed the crack_time property, added instead a dictionary of crack time estimates under different scenarios -- online throttled/unthrottled, and offline with slow/fast hashing. score is still on a 0-5 scale, but with adjusted thresholds to reflect resistance to some of those attack scenarios.
3.5.0
3.4.0
3.3.0
- Rewritten date_matcher that is simpler and more aggressive.
- New matcher: regex_matcher. Includes year and contiguous digit matching, plus a few new patterns: contiguous symbols, uppers, lowers, alpha, alphanum.
- Unit tests for matching.
- Partial unit tests for scoring.