Add greater time spans in display, Add 1e12 guess metric #228

Open
wants to merge 5 commits into master

Conversation

@dylan-thinnes dylan-thinnes commented Apr 11, 2018

Add larger time spans

The textual feedback (result.crack_times_display) on times stops at centuries. Considering Moore's law and assuming guessing speed progresses proportionally, a century long password today will take 3 years in a decade and 35 days in two decades.

In that vein, I added millennium (1000 years) and its associated pluralization. If a password exceeds 1000 millennia in guessing time (a million years), then the returned value is ">1000 millennia". This draws a better distinction between currently-strong passwords and forever-strong passwords.

Add 1e12 guesses

Leaving guess counts at 1e10 seems a little optimistic, considering we know of organizations with the ability to guess a trillion or more times a second (the README says as much) and home-made rigs have long since broken 330 GH/s using Hashcat. As such, I added 1e12 guesses to the result for more enthusiastic password security.

Why should this matter?

Note that if the two points made above are combined (exponential growth in guessing power and underestimation of guessing power), the following conclusions can be made:

  • Take a password that is rated to take a millennium to crack against a 1e10 / sec guesser.
  • If pitched against a 1e12 / sec guesser, that password drops to 10 years.
  • After a decade of technological advancement, the same password drops to about 100 days of guessing time against a commensurate attacker.
  • After two decades, that drops to about 8 hours against a commensurate attacker.

Concerns about scope

I understand if this seems unnecessary to the scope of the project.
This change is very small. If it's deemed unnecessary to merge it, I'm fine with keeping it that way.

Testing

This code makes no changes to the way zxcvbn works, it only adds to the textual output.
As such, npm test passes all 1027 tests.

The README outlines the output of zxcvbn
This updates that outline to contain the 1e12_per_second result
Gigennia and megennia are still protologisms
As such, anything exceeding a megennium of guessing time is >1000 millennia