zxcvbn
SecLists
Our great sponsors
zxcvbn | SecLists | |
---|---|---|
59 | 177 | |
14,595 | 52,987 | |
1.3% | - | |
0.0 | 9.6 | |
about 1 month ago | 5 days ago | |
CoffeeScript | PHP | |
MIT License | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
zxcvbn
-
Show HN: A lightweight PHP library for checking password strength
Lightweight is an understatement here.
A client's project (with not necessarily technical customers) has had pretty reasonable success using the Dropbox originated library[1] for this, `zxcvbn`[2], on both frontend via js (for "instant" feedback) and on the backend via php (to enforce the requirements when writing password hashes to the database)
1: https://dropbox.tech/security/zxcvbn-realistic-password-stre...
-
How hard could it be? Sorting words alphabetically in Rust
In contrast, let's consider the password "zxcvbn214". How might we assign an entropy to this password? Is it 369? Or 266 * 103? Anyone familiar with a QWERTY keyboard or Dropbox's password strength estimator knows that "zxcvbn" is hardly a random sequence of letters. This same principle applies to "l33t" speak, e.g. replacing all "e"s with 3s and "a"s with 4s. These strategies may "trick" simple entropy calculations into estimating a high entropy, but it won't trick sophisticated attackers. This leads to strength over-estimation, which is, I argue, the worst thing we can do in this context.
-
TIL There's Another YAML
> except for ZXCVBN
You mean the Low-Budget Password Strength Estimator?
https://github.com/dropbox/zxcvbn
Yeah, that name is totally legit.
-
Which tool can crack this password so fast?
For any part of the password that the zxcvbn cannot match to a known pattern, it uses a brute-force cardinality of 10, i.e., it estimates that the number of guesses required to crack a password or password segment of length N is equal to 10N (equivalent to the number of guesses required to exhaust all possibilities if your password consisted only of numbers).
-
Bitwarden Design Flaw
We took a similar approach to passphrase stretching in EnvKey[1] v1 (EnvKey is a secrets manager, not a passwords manager, but uses end-to-end encryption in a similar way). We used PBKDF2 with iterations set a bit higher than the currently recommended levels, as well as Dropbox's zxcvbn lib to try to identify and block weak passphrases.
Ultimately, I think it's just not good enough. Even if you're updating iteration counts automatically (which is clearly not a safe assumption, and to be fair not something we did in EnvKey v1 either), and even with safeguards against weak passphrases, using human-generated passphrases as a single line of defense is just fundamentally weak.
That's why in EnvKey v2, we switched to primarily using high entropy device-based keys--a lot like SSH private keys, except that on Mac and Windows the keys get stored in the OS keychain rather than in the file system. Also like SSH, a passphrases can optionally be added on top.
The downside (or upside, depending how you look at it) is that new devices must be specifically granted access. You can't just log in and decrypt on a new device with only your passphrase. But the security is much stronger, and you also avoid all this song and dance around key stretching iterations.
-
What We Do in the /etc./Shadow – Cryptography with Passwords
> There's another end of all this that I also never see addressed in writeups like this one: lots of users are still really bad at passwords.
Author here.
I was originally planning to write a blog post about my experience reporting cryptography-related bugs to password managers in 2022. (I had findings for LastPass, 1Password, and Keeper.)
My experience with LastPass was abysmal. I wrote a thread about it here: https://furry.engineer/@soatok/109560736140669727
However, I found in my early draft that I spent a lot of time explaining these algorithms, so I decided to spin it off into a separate article. Thus, this post was conceived!
> Readers capable of implementing something like OPAQUE will already have a pretty good handle on most of what's written here. All other developers will just grab whatever "the" off-the-shelf solution is for their language and tech stack, and any recommendations for those are conspicuously absent here. What are the best resources for the most popular tech stacks currently? PHP introduced the password_hash() function (and related functions) in its standard library a while back. It defaults to bcrypt, and most php devs should probably just use those functions, unless they're sure they know better.
I tried to make the post a good balance of fun and informative, but the audience was "people who want to know more about cryptography with passwords" not specifically developers.
As you indicated, if you're developing something, the password_hash() / password_verify() API your language provides is likely 1000x safer than rolling your own anything. If there is to be improvements in the cryptography for a given programming language, it should be an update to whatever the de facto standard library is for that language.
PHP has the password extension built-in. Python has passlib. Node has the crypto module. Etc.
> For a while, some misguided sites tried to prevent people from pasting passwords into their login forms. I have never seen the inverse: a site that prevents users from typing a password. Is there a reason that wouldn't work?
I'm not confident in this, since it's 4:46 AM for me and I should probably be sleeping instead of reading HN comments, but isn't this exactly how Passkey is supposed to work?
Anyway, thanks for your insightful feedback. I already planned a teardown into the reverse-engineered internals of popular password managers and my experiences with them. Because of your comment, I might also make a future blog post targeting developers.
In the meantime, here's some cool stuff:
https://github.com/dropbox/zxcvbn - A reasonable approach to password strength estimation (although I think their calculation needs updating in 2023)
https://github.com/DivineOmega/password_exposed - Checks if a given password has been exposed in a previous breach (uses the HIBP hash database)
-
Password Strength Recommendations for 2023?
Did you hear about that one? https://github.com/dropbox/zxcvbn
-
Password Requirements: Myths and Madness
The author links to a recommended library in the blog post
-
I made my first program, a password generator.
See also zxcvbn and original for the rationale.
- This collecting personal data?
SecLists
-
What's the problem with my API?
Maybe swagger.txt
-
I had a machine running for two weeks on the public cloud. Every few seconds there was an automated SSH login attempt. Here is the full list of usernames - some of which are quite curious.
Typical of the sorts of information a tester/attacker might be using from: Daniel Miessler's SecLists
-
[OC] I updated our famous password table for 2023
Oh, and then you have this.
-
Join Celebrations! Appwrite 1.3 Ships Relationships
You can now also enable a rule for password dictionary. Appwrite knows what are the most common passwords, and with this rule enabled, it will not allow you users to set any of those passwords. It prevents your users from having passwords like password, 123456678, or qwertyui. Appwrite currently knows the 10,000 most commonly used passwords thanks to the same list used by other industry-leading auth providers. You can check out the dictionary list on GitHub.
-
Generating Passphrases Using Nonsense Words?
You could even take a list of the 100,000 most common passwords, and create a virtually uncrackable passphrase simply by combining 3 words that have been randomly selected from that list.
- cómo empezar en seguridad informática
-
The new type of SQL injection
Pro tip: just compound like 30 ashley madison leaked passwords for a super password.
-
Bruteforcing Firefox logins.json key4.db
If you need larger password lists ---> https://github.com/danielmiessler/SecLists
-
i created a cpanel bruteforce tool
Then add in a few default lists from SecLists Passwords dir and Usernames dir
-
word lists
Just out of curiosity... Isn't the directory titled "/seclists/", within the directory /use/share/wordlists/ the same as what's at danielmiessler / SecLists?
What are some alternatives?
Probable-Wordlists - Version 2 is live! Wordlists sorted by probability originally created for password generation and testing - make sure your passwords aren't popular!
gobuster - Directory/File, DNS and VHost busting tool written in Go
wpscan - WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via [email protected]
big-list-of-naughty-strings - The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input data.
btcrecover - An open source Bitcoin wallet password and seed recovery tool designed for the case where you already know most of your password/seed, but need assistance in trying different possible combinations.
english-words - :memo: A text file containing 479k English words for all your dictionary/word-based projects e.g: auto-completion / autosuggestion
naive-hashcat - Crack password hashes without the fuss :cat2:
rockyou2021
403fuzzer - Fuzz 403/401ing endpoints for bypasses
passfault - OWASP Passfault evaluates passwords and enforces password policy in a completely different way.
PayloadsAllTheThings - A list of useful payloads and bypass for Web Application Security and Pentest/CTF
SQLMap - Automatic SQL injection and database takeover tool