zxcvbn VS Next.js

Lightweight is an understatement here.

A client's project (with not necessarily technical customers) has had pretty reasonable success using the Dropbox originated library[1] for this, `zxcvbn`[2], on both frontend via js (for "instant" feedback) and on the backend via php (to enforce the requirements when writing password hashes to the database)

1: https://dropbox.tech/security/zxcvbn-realistic-password-stre...

2: https://github.com/dropbox/zxcvbn

use zxcvbn to check your password strength more thoroughly

source if anyone wants the whole list https://github.com/dropbox/zxcvbn/blob/master/data/passwords.txt

Password strength is evaluated based on the zxcvbn library.

In contrast, let's consider the password "zxcvbn214". How might we assign an entropy to this password? Is it 369? Or 266 * 103? Anyone familiar with a QWERTY keyboard or Dropbox's password strength estimator knows that "zxcvbn" is hardly a random sequence of letters. This same principle applies to "l33t" speak, e.g. replacing all "e"s with 3s and "a"s with 4s. These strategies may "trick" simple entropy calculations into estimating a high entropy, but it won't trick sophisticated attackers. This leads to strength over-estimation, which is, I argue, the worst thing we can do in this context.

> except for ZXCVBN

You mean the Low-Budget Password Strength Estimator?

https://github.com/dropbox/zxcvbn

Yeah, that name is totally legit.

For any part of the password that the zxcvbn cannot match to a known pattern, it uses a brute-force cardinality of 10, i.e., it estimates that the number of guesses required to crack a password or password segment of length N is equal to 10N (equivalent to the number of guesses required to exhaust all possibilities if your password consisted only of numbers).

We took a similar approach to passphrase stretching in EnvKey[1] v1 (EnvKey is a secrets manager, not a passwords manager, but uses end-to-end encryption in a similar way). We used PBKDF2 with iterations set a bit higher than the currently recommended levels, as well as Dropbox's zxcvbn lib to try to identify and block weak passphrases.

Ultimately, I think it's just not good enough. Even if you're updating iteration counts automatically (which is clearly not a safe assumption, and to be fair not something we did in EnvKey v1 either), and even with safeguards against weak passphrases, using human-generated passphrases as a single line of defense is just fundamentally weak.

That's why in EnvKey v2, we switched to primarily using high entropy device-based keys--a lot like SSH private keys, except that on Mac and Windows the keys get stored in the OS keychain rather than in the file system. Also like SSH, a passphrases can optionally be added on top.

The downside (or upside, depending how you look at it) is that new devices must be specifically granted access. You can't just log in and decrypt on a new device with only your passphrase. But the security is much stronger, and you also avoid all this song and dance around key stretching iterations.

1 - https://github.com/envkey/envkey

2 - https://github.com/dropbox/zxcvbn

Next.js is a powerful React framework that enables developers to build server-rendered applications, static websites, and more. It's designed for production and provides features like automatic code splitting and optimized prefetching.

// source: https://github.com/vercel/next.js/blob/canary/packages/next/src/lib/worker.ts#L121C15-L129C16 for (;;) { onActivity() const result = await Promise.race(\[ (this.\_worker as any)\[method\](...args), restartPromise, \]) if (result !== RESTARTED) return result if (onRestart) onRestart(method, args, ++attempts) }

https://github.com/vercel/next.js/discussions/27666 One of them said 'renaming folder to uppercase' might cause trouble. git might not recognize case-sensetive changes by default.

Next.js has long cemented itself as one of the front runners in the web framework world for JavaScript/TypeScript projects so we’re going to be using that. More specifically we’re going to be using V14 of Next.js which allows us to use some exciting new features like Server Actions and the App Router.

Web frameworks like Next.js will usually include this feature, but do check that they set the caching headers correctly!

Vite and Next.js are both top 5 modern development framework right now. They are both great depending on your use case so we’ll discuss 4 areas: Architecture, main features, developer experience and production readiness. After learning about these we’ll have a better idea of which one is best for your project.

> It’s important to be aware of what you are getting if you go with React, and what you are getting is a far cry from what a framework would offer, with all the corresponding pros and cons.

Would you like to elaborate on that?

In my experience, with something as great, size/ecosystem-wise as React, there will almost always be at least one "mainstream" package for whatever you might want to do with it, that integrates pretty well. Where a lot of things might come out of the box with a framework, with a library I often find myself just needing to install the "right" package, and from there it's pretty much the same.

For example, using https://angular.io/guide/i18n-overview or installing and using https://react.i18next.com/

Or something like https://angular.io/guide/form-validation out of the box, vs installing and using https://formik.org/

Or perhaps https://angular.io/guide/router vs https://reactrouter.com/en/main

Even adding something that's not there out of the box is pretty much the same, like https://primeng.org/ or https://primereact.org/

React will typically have more fragmentation and therefore also choice, but I don't see those two experiences as that different. Updates and version management/supply chain will inevitably be more of a mess with the library, admittedly.

Now, projects like Next https://nextjs.org/ exist and add what some might regard as the missing pieces and work well if you want something opinionated and with lots of features out of the box, but a lot of those features (like SSR) are actually pretty advanced and not always even necessary.

Next.js: For the website and the admin dashboard

Until the time of writing, there is no official example of how to enable runtime environmental variables in a Dockerized Next.js app, as utilizing unstable_noStore would only dynamically evaluate variables on the server (node.js runtime). There is also an interesting discussion regarding this topic on GitHub.

next.js is a very popular React framework. remix-adonisjs includes more functionality through the AdonisJS backend ecosystem, and should be easier to self-host and self-manage.