zxcvbn VS sqlitebrowser

Lightweight is an understatement here.

A client's project (with not necessarily technical customers) has had pretty reasonable success using the Dropbox originated library[1] for this, `zxcvbn`[2], on both frontend via js (for "instant" feedback) and on the backend via php (to enforce the requirements when writing password hashes to the database)

1: https://dropbox.tech/security/zxcvbn-realistic-password-stre...

2: https://github.com/dropbox/zxcvbn

use zxcvbn to check your password strength more thoroughly

source if anyone wants the whole list https://github.com/dropbox/zxcvbn/blob/master/data/passwords.txt

Password strength is evaluated based on the zxcvbn library.

In contrast, let's consider the password "zxcvbn214". How might we assign an entropy to this password? Is it 369? Or 266 * 103? Anyone familiar with a QWERTY keyboard or Dropbox's password strength estimator knows that "zxcvbn" is hardly a random sequence of letters. This same principle applies to "l33t" speak, e.g. replacing all "e"s with 3s and "a"s with 4s. These strategies may "trick" simple entropy calculations into estimating a high entropy, but it won't trick sophisticated attackers. This leads to strength over-estimation, which is, I argue, the worst thing we can do in this context.

> except for ZXCVBN

You mean the Low-Budget Password Strength Estimator?

https://github.com/dropbox/zxcvbn

Yeah, that name is totally legit.

For any part of the password that the zxcvbn cannot match to a known pattern, it uses a brute-force cardinality of 10, i.e., it estimates that the number of guesses required to crack a password or password segment of length N is equal to 10N (equivalent to the number of guesses required to exhaust all possibilities if your password consisted only of numbers).

We took a similar approach to passphrase stretching in EnvKey[1] v1 (EnvKey is a secrets manager, not a passwords manager, but uses end-to-end encryption in a similar way). We used PBKDF2 with iterations set a bit higher than the currently recommended levels, as well as Dropbox's zxcvbn lib to try to identify and block weak passphrases.

Ultimately, I think it's just not good enough. Even if you're updating iteration counts automatically (which is clearly not a safe assumption, and to be fair not something we did in EnvKey v1 either), and even with safeguards against weak passphrases, using human-generated passphrases as a single line of defense is just fundamentally weak.

That's why in EnvKey v2, we switched to primarily using high entropy device-based keys--a lot like SSH private keys, except that on Mac and Windows the keys get stored in the OS keychain rather than in the file system. Also like SSH, a passphrases can optionally be added on top.

The downside (or upside, depending how you look at it) is that new devices must be specifically granted access. You can't just log in and decrypt on a new device with only your passphrase. But the security is much stronger, and you also avoid all this song and dance around key stretching iterations.

1 - https://github.com/envkey/envkey

2 - https://github.com/dropbox/zxcvbn

We have a spread of different GitHub Actions based workflows that do stuff whenever a PR is proposed or merged:

https://github.com/sqlitebrowser/sqlitebrowser/tree/master/....

Most of those are oriented around building packages for various OS's (Linux, macOS, Windows) so people can try the latest code.

While there are some tests, they're more like extremely basic sanity tests and don't rely on Docker.

Those tests rely on whichever version of SQLite was downloaded and compiled into the GUI (as per above code snippet).

---

That being said, that's for the client side GUI application. There's a server side of things too (https://github.com/sqlitebrowser/dbhub.io -> dbhub.io) that does use docker for it's automated tests:

https://github.com/sqlitebrowser/dbhub.io/tree/master/.githu...

Those are integration tests though (eg "make sure we didn't bust communication with our cli", "make sure our go library still works 100% with the server"), and a reasonably decent set of End to End (E2E) tests of the web interface using Cypress.

---

Does that help? :)

Do you know about SQLite DB Browser ? It's a multi platform application that would perfectly fit your use case :).

https://sqlitebrowser.org/

Someone gave you a sqlite database. You probably started to think to install a program like sqlitebrowser, but only to view and read the data. Don't bother, you can use this extension instead.

Try https://sqlitebrowser.org/ it’s great for local use and training purposes

You can see how the db file looks for the app using https://sqlitebrowser.org/

If you want to fiddle with SQLite and don't need all the power herein, I recommend DB Browser for SQLite.

https://sqlitebrowser.org/

Hello y'all. This is my first post here. I'm learning SQL with the Northwind database. When I run a "big" query, like "SELECT * FROM Customers" the application crashes. I noticed this only happens when I run a general query, for example, if I run something more specific (and, by the hand "smaller") it doesn't happen. So, I thought it could be related to the size of the query. But I'm a total beginner so idk. It doesn't happen every time I try to use it, but still, this is frustrating. If there's no solution, what other SQL application can I use to keep learning? I found something on GitHub but this is for an older macOS version.