zxcvbn
marked
Our great sponsors
zxcvbn | marked | |
---|---|---|
59 | 60 | |
14,647 | 31,845 | |
0.9% | 0.8% | |
0.0 | 9.5 | |
about 2 months ago | about 20 hours ago | |
CoffeeScript | JavaScript | |
MIT License | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
zxcvbn
-
Show HN: A lightweight PHP library for checking password strength
Lightweight is an understatement here.
A client's project (with not necessarily technical customers) has had pretty reasonable success using the Dropbox originated library[1] for this, `zxcvbn`[2], on both frontend via js (for "instant" feedback) and on the backend via php (to enforce the requirements when writing password hashes to the database)
1: https://dropbox.tech/security/zxcvbn-realistic-password-stre...
- Zxcvbn: Low-Budget Password Strength Estimation – Usenix (2016)
-
I updated our famous password table for 2023
use zxcvbn to check your password strength more thoroughly
-
I hope the common password whitelisters at Microsoft still get therapy benefits to share the unobfuscated language they were subjected to.
source if anyone wants the whole list https://github.com/dropbox/zxcvbn/blob/master/data/passwords.txt
-
How long can a password be with the new login system?
Password strength is evaluated based on the zxcvbn library.
-
How hard could it be? Sorting words alphabetically in Rust
In contrast, let's consider the password "zxcvbn214". How might we assign an entropy to this password? Is it 369? Or 266 * 103? Anyone familiar with a QWERTY keyboard or Dropbox's password strength estimator knows that "zxcvbn" is hardly a random sequence of letters. This same principle applies to "l33t" speak, e.g. replacing all "e"s with 3s and "a"s with 4s. These strategies may "trick" simple entropy calculations into estimating a high entropy, but it won't trick sophisticated attackers. This leads to strength over-estimation, which is, I argue, the worst thing we can do in this context.
- Zxcvbn: Low-Budget Password Strength Estimation
-
TIL There's Another YAML
> except for ZXCVBN
You mean the Low-Budget Password Strength Estimator?
https://github.com/dropbox/zxcvbn
Yeah, that name is totally legit.
-
Which tool can crack this password so fast?
For any part of the password that the zxcvbn cannot match to a known pattern, it uses a brute-force cardinality of 10, i.e., it estimates that the number of guesses required to crack a password or password segment of length N is equal to 10N (equivalent to the number of guesses required to exhaust all possibilities if your password consisted only of numbers).
-
Bitwarden Design Flaw
We took a similar approach to passphrase stretching in EnvKey[1] v1 (EnvKey is a secrets manager, not a passwords manager, but uses end-to-end encryption in a similar way). We used PBKDF2 with iterations set a bit higher than the currently recommended levels, as well as Dropbox's zxcvbn lib to try to identify and block weak passphrases.
Ultimately, I think it's just not good enough. Even if you're updating iteration counts automatically (which is clearly not a safe assumption, and to be fair not something we did in EnvKey v1 either), and even with safeguards against weak passphrases, using human-generated passphrases as a single line of defense is just fundamentally weak.
That's why in EnvKey v2, we switched to primarily using high entropy device-based keys--a lot like SSH private keys, except that on Mac and Windows the keys get stored in the OS keychain rather than in the file system. Also like SSH, a passphrases can optionally be added on top.
The downside (or upside, depending how you look at it) is that new devices must be specifically granted access. You can't just log in and decrypt on a new device with only your passphrase. But the security is much stronger, and you also avoid all this song and dance around key stretching iterations.
marked
-
Eleventy vs. Next.js for static site generation
Next, install gray-matter to extract metadata from the front matter of markdown files, and marked to convert the markdown files to HTML:
-
To learn svelte, I clone Github's issues page including useful features that you might consider reusing.
📑 Marked Markdown parser. Use it to create your own markdown editor.
-
🤖 AI Search and Q&A for Your Dev.to Content with Vrite
Vrite SDK provides a few built-in input and output transformers. These are functions, with standardized signatures to process the content from and into Vrite. In this case, gfmInputTransformer is essentially a GitHub Flavored Markdown parser, using Marked.js under the hood.
-
Better code highlighting on the web: rehype-tree-sitter
Another contestant in this realm is Bright[1]. It runs entirely on the server and doesn't increase bundle size as seen here[2]. Regarding parsing speed tree-sitter is without a doubt performant since it is written in Rust, but I don't have any problems "parsing on every keystroke" with a setup containing Marked[3], highlight.js[4] and a sanitizer. I did however experience performance issues with other Markdown parser libraries than Marked.
[1]: https://bright.codehike.org/
[2]: https://aihelperbot.com/test-suite
-
[Project Share] List dialog that supports complex HTML and Markdown format.
The project uses markedJS to convert markdown into HTML, this is their GitHub page.
-
Vrite Editor: Open-Source WYSIWYG Markdown Editor
To handle pasting block Markdown content like this, I had to tap into ProseMirror and implement a custom mechanism (though somewhat based on TipTap’s paste rules), detecting starting and ending points of the blocks and parsing them with Marked.js.
-
Help needed!
I am using marked for markdown parsing together with marked-highlighting to handle syntax highlighting and everything is working as it should.
-
Need help - sanitizeHtml with marked doesn't render special characters correctly (& is & and then &amp)
I'm trying to render user input using SvelteMarkdown (that uses marked).
-
Looking for a Comprehensive Guide for Building Complex Chatbots with GPT-4 API
GPT API returns data in markdown format. You can parse it using a Markdown library and string manipulation. On Electron app I developed https://jhappsproducts.gumroad.com/l/gpteverywhere, I used https://github.com/markedjs/marked and a code syntax highlighting package to display code blocks. And used JavaScript string manipulation to detect when code blocks start and end so I could add COPY/SAVE buttons to the blocks. I hope this helps, and happy coding! :)
-
How I put ChatGPT into a WYSIWYG editor
Again, with streaming enabled, you’ll now receive new tokens as soon as they’re available. Given that OpenAI’s API uses Markdown in its response format, a full message will need to be put together from the incoming tokens and parsed to HTML, as accepted by the replaceContent function. For this purpose, I’ve used the Marked.js parser.
What are some alternatives?
SecLists - SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
remark - markdown processor powered by plugins part of the @unifiedjs collective
monkeytype - The most customizable typing website with a minimalistic design and a ton of features. Test yourself in various modes, track your progress and improve your speed.
markdown-it - Markdown parser, done right. 100% CommonMark support, extensions, syntax plugins & high speed
keepassxc - KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
snarkdown - :smirk_cat: A snarky 1kb Markdown parser written in JavaScript
dumb-password-rules - A compilation of sites with dumb password rules.
DOMPurify - DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
Next.js - The React Framework
MDsveX - A markdown preprocessor for Svelte.
Material UI - Ready-to-use foundational React components, free forever. It includes Material UI, which implements Google's Material Design.
js-yaml - JavaScript YAML parser and dumper. Very fast.