
4.0.1

@lowe lowe released this 24 Oct 05:42
· 104 commits to master since this release

zxcvbn's search algorithm now penalizes pattern sequence length. The old model optimized:

Product(match.guesses for match in sequence)

The new model optimizes a function that includes both a multiplicative and an additive penalty on sequence length, where length is the number of matches in the sequence and product is the old objective above:

factorial(length) * product + D^(length - 1)

See comments in scoring.coffee for intuition around the new model.
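To make the change concrete, here is an added example (not zxcvbn's own code) that implements both objectives and runs a small exhaustive search over candidate decompositions of one password. The constant D is assumed to be 10000 here, the candidate matches and their guess counts are constructed for the illustration, and bruteforce segments are simplified to 10^length guesses; zxcvbn's real search in scoring.coffee is a dynamic program rather than this enumeration.

```javascript
// Added example, not zxcvbn's own code: the old and new objectives from the
// release note, plus a small exhaustive search showing where they disagree.
// D is assumed to be 10000 here; check scoring.coffee for the project's constant.
const D = 10000;

function factorial(n) {
  let f = 1;
  for (let i = 2; i <= n; i++) f *= i;
  return f;
}

// Old model: guesses for a sequence is the product of the per-match guesses,
// so splitting a token into more, cheaper matches is never penalized.
function oldGuesses(sequence) {
  return sequence.reduce((product, m) => product * m.guesses, 1);
}

// New model: the same product scaled by l! (the attacker must also try the
// orderings of the l patterns) plus D^(l-1), so every extra pattern beyond
// the first costs at least D more guesses.
function newGuesses(sequence) {
  const l = sequence.length;
  return factorial(l) * oldGuesses(sequence) + Math.pow(D, l - 1);
}

// Exhaustive search over every non-overlapping cover of the password by
// candidate matches, with gaps filled by bruteforce matches. Only suitable
// for short inputs; bruteforce guesses are simplified to 10^length (assumption).
function bestSequence(password, candidates, objective) {
  const n = password.length;
  let best = null;
  function recurse(pos, seq) {
    if (pos === n) {
      const guesses = objective(seq);
      if (best === null || guesses < best.guesses) {
        best = { guesses, sequence: seq.slice() };
      }
      return;
    }
    for (const m of candidates) {
      if (m.i === pos) {
        seq.push(m);
        recurse(m.j + 1, seq);
        seq.pop();
      }
    }
    for (let len = 1; pos + len <= n; len++) {
      seq.push({
        pattern: 'bruteforce', i: pos, j: pos + len - 1,
        token: password.slice(pos, pos + len), guesses: Math.pow(10, len),
      });
      recurse(pos + len, seq);
      seq.pop();
    }
  }
  recurse(0, []);
  return best;
}

// Constructed input: candidate matches for one password, with made-up guess
// counts chosen so that the two models pick different decompositions.
const PASSWORD = 'passw0rd123';
const CANDIDATES = [
  { pattern: 'dictionary', i: 0, j: 7, token: 'passw0rd', guesses: 5000 },
  { pattern: 'dictionary', i: 0, j: 3, token: 'pass', guesses: 50 },
  { pattern: 'dictionary', i: 4, j: 7, token: 'w0rd', guesses: 60 },
  { pattern: 'sequence', i: 8, j: 10, token: '123', guesses: 40 },
];

function compareModels() {
  return {
    old: bestSequence(PASSWORD, CANDIDATES, oldGuesses),
    new: bestSequence(PASSWORD, CANDIDATES, newGuesses),
  };
}

const result = compareModels();
for (const model of ['old', 'new']) {
  const { guesses, sequence } = result[model];
  console.log(model, guesses, sequence.map((m) => m.token).join(' | '));
}
```

The old objective picks the three-match split pass | w0rd | 123 because its product (120000) is smaller, even though an attacker combining three dictionary and sequence patterns has far more work than the raw product suggests. The new objective charges 3! times the product plus D^2 for that split and settles on passw0rd | 123 instead, which is the behaviour the release note describes as penalizing pattern sequence length.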

Backwards-incompatible changes:

  • Most property names changed in the zxcvbn() return object. Removed all mention of entropy in favor of the more intuitive guesses and guesses_log10. (entropy in older versions was just log2 of guesses -- a sloppy use of the term.)
  • Removed crack_time property, added instead a dictionary of crack time estimates under different scenarios -- online throttled/unthrottled, and offline with slow/fast hashing.
  • score is still on a 0-5 scale, but with adjusted thresholds to reflect resistance to some of those attack scenarios.
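The per-scenario crack time estimates are the practical reason a single crack_time was dropped: the same guess count means very different things against a throttled login form and against a leaked database of fast hashes. The following is an added example (not zxcvbn's own code) showing the shape of such a dictionary; the scenario names, the guesses-per-second rates, and the display thresholds are assumptions made here for illustration, not values quoted from the project.

```javascript
// Added example, not zxcvbn's own code. Scenario names and rates are
// assumptions for illustration; the project's own values are not on this page.
const GUESSES_PER_SECOND = {
  online_throttling_100_per_hour: 100 / 3600,  // rate-limited login form
  online_no_throttling_10_per_second: 10,      // unthrottled remote login
  offline_slow_hashing_1e4_per_second: 1e4,    // e.g. bcrypt/scrypt/PBKDF2 with a real work factor
  offline_fast_hashing_1e10_per_second: 1e10,  // e.g. unsalted MD5/SHA-1 on GPUs
};

// Seconds to exhaust `guesses` under each scenario: one number per scenario,
// since no single crack time can describe all four attackers at once.
function crackTimesSeconds(guesses) {
  const out = {};
  for (const [name, rate] of Object.entries(GUESSES_PER_SECOND)) {
    out[name] = guesses / rate;
  }
  return out;
}

// Display thresholds (assumed): 31-day months, 365-day years.
const MINUTE = 60;
const HOUR = 60 * MINUTE;
const DAY = 24 * HOUR;
const MONTH = 31 * DAY;
const YEAR = 365 * DAY;
const CENTURY = 100 * YEAR;

// Round a duration to its largest applicable unit for human display.
function displayTime(seconds) {
  if (seconds < 1) return 'less than a second';
  const units = [
    [CENTURY, 'century', 'centuries'],
    [YEAR, 'year', 'years'],
    [MONTH, 'month', 'months'],
    [DAY, 'day', 'days'],
    [HOUR, 'hour', 'hours'],
    [MINUTE, 'minute', 'minutes'],
  ];
  for (const [size, one, many] of units) {
    if (seconds >= size) {
      const n = Math.round(seconds / size);
      return n === 1 ? `1 ${one}` : `${n} ${many}`;
    }
  }
  const n = Math.round(seconds);
  return n === 1 ? '1 second' : `${n} seconds`;
}

// The scenario dictionary in human-readable form, keyed like crackTimesSeconds.
function crackTimesDisplay(guesses) {
  const out = {};
  for (const [name, seconds] of Object.entries(crackTimesSeconds(guesses))) {
    out[name] = displayTime(seconds);
  }
  return out;
}

// Constructed input: a password estimated at one million guesses.
console.log(crackTimesDisplay(1e6));
```

For a million-guess password the table spans from about a year against the throttled online attacker down to a fraction of a second against fast offline hashing, which is exactly why a score keyed to resistance under specific attack scenarios is more useful than a single crack time.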