SaaSHub helps you find the best software and product alternatives Learn more →
Zxcvbn Alternatives
Similar projects and alternatives to zxcvbn
-
SecLists
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
-
keepassxc
KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
-
SonarQube
Static code analysis for 29 languages.. Your projects are multi-language. So is SonarQube analysis. Find Bugs, Vulnerabilities, Security Hotspots, and Code Smells so you can release quality code every time. Get started analyzing your projects today for free.
-
monkeytype
The most customizable typing website with a minimalistic design and a ton of features. Test yourself in various modes, track your progress and improve your speed.
-
material-ui
MUI Core: Ready-to-use foundational React components, free forever. It includes Material UI, which implements Google's Material Design.
-
-
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
InfluxDB
Build time-series-based applications quickly and at scale.. InfluxDB is the Time Series Platform where developers build real-time applications for analytics, IoT and cloud-native services. Easy to start, it is available in the cloud or on-premises.
-
-
-
vaultwarden
Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
-
age
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
-
personal-security-checklist
🔒 A compiled checklist of 300+ tips for protecting digital security and privacy in 2022
-
-
pashword
🔒 Pashword - Never forget passwords ever again! Free and Open Source Hashed Password Generator
-
-
-
awesome-selfhosted
A list of Free Software network services and web applications which can be hosted on your own servers
-
sqlitebrowser
Official home of the DB Browser for SQLite (DB4S) project. Previously known as "SQLite Database Browser" and "Database Browser for SQLite". Website at:
-
dashy
🚀 A self-hostable personal dashboard built for you. Includes status-checking, widgets, themes, icon packs, a UI editor and tons more!
-
-
SaaSHub
SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives
zxcvbn reviews and mentions
-
Bitwarden Design Flaw
We took a similar approach to passphrase stretching in EnvKey[1] v1 (EnvKey is a secrets manager, not a passwords manager, but uses end-to-end encryption in a similar way). We used PBKDF2 with iterations set a bit higher than the currently recommended levels, as well as Dropbox's zxcvbn lib to try to identify and block weak passphrases.
Ultimately, I think it's just not good enough. Even if you're updating iteration counts automatically (which is clearly not a safe assumption, and to be fair not something we did in EnvKey v1 either), and even with safeguards against weak passphrases, using human-generated passphrases as a single line of defense is just fundamentally weak.
That's why in EnvKey v2, we switched to primarily using high entropy device-based keys--a lot like SSH private keys, except that on Mac and Windows the keys get stored in the OS keychain rather than in the file system. Also like SSH, a passphrases can optionally be added on top.
The downside (or upside, depending how you look at it) is that new devices must be specifically granted access. You can't just log in and decrypt on a new device with only your passphrase. But the security is much stronger, and you also avoid all this song and dance around key stretching iterations.
-
What We Do in the /etc./Shadow – Cryptography with Passwords
> There's another end of all this that I also never see addressed in writeups like this one: lots of users are still really bad at passwords.
Author here.
I was originally planning to write a blog post about my experience reporting cryptography-related bugs to password managers in 2022. (I had findings for LastPass, 1Password, and Keeper.)
My experience with LastPass was abysmal. I wrote a thread about it here: https://furry.engineer/@soatok/109560736140669727
However, I found in my early draft that I spent a lot of time explaining these algorithms, so I decided to spin it off into a separate article. Thus, this post was conceived!
> Readers capable of implementing something like OPAQUE will already have a pretty good handle on most of what's written here. All other developers will just grab whatever "the" off-the-shelf solution is for their language and tech stack, and any recommendations for those are conspicuously absent here. What are the best resources for the most popular tech stacks currently? PHP introduced the password_hash() function (and related functions) in its standard library a while back. It defaults to bcrypt, and most php devs should probably just use those functions, unless they're sure they know better.
I tried to make the post a good balance of fun and informative, but the audience was "people who want to know more about cryptography with passwords" not specifically developers.
As you indicated, if you're developing something, the password_hash() / password_verify() API your language provides is likely 1000x safer than rolling your own anything. If there is to be improvements in the cryptography for a given programming language, it should be an update to whatever the de facto standard library is for that language.
PHP has the password extension built-in. Python has passlib. Node has the crypto module. Etc.
> For a while, some misguided sites tried to prevent people from pasting passwords into their login forms. I have never seen the inverse: a site that prevents users from typing a password. Is there a reason that wouldn't work?
I'm not confident in this, since it's 4:46 AM for me and I should probably be sleeping instead of reading HN comments, but isn't this exactly how Passkey is supposed to work?
Anyway, thanks for your insightful feedback. I already planned a teardown into the reverse-engineered internals of popular password managers and my experiences with them. Because of your comment, I might also make a future blog post targeting developers.
In the meantime, here's some cool stuff:
https://github.com/dropbox/zxcvbn - A reasonable approach to password strength estimation (although I think their calculation needs updating in 2023)
https://github.com/DivineOmega/password_exposed - Checks if a given password has been exposed in a previous breach (uses the HIBP hash database)
-
Password Strength Recommendations for 2023?
Did you hear about that one? https://github.com/dropbox/zxcvbn
-
Password Requirements: Myths and Madness
The author links to a recommended library in the blog post
-
I made my first program, a password generator.
See also zxcvbn and original for the rationale.
- This collecting personal data?
-
Please stop forcing users to reset complex passwords
According to zxcvbn the following 12 character password lasts about 2 minutes at 10 billion hashes:
-
Pashword - FOSS Hashed Password Generator - Works without internet, Works anywhere, Never forget your passwords ever again.
A integrated password strength checker could be useful , maybe adding keepassxc algorithm (which is open source).
-
👂Tell us your thoughts about the Password Strength Testing Tool
It caps password strength at each character having 10 possible values. So a 8 character password is considered to be at most 108 possible values (about 24 bit) and is marked insecure. This is useless for me as I have lots of legacy randomly generated passwords from Keepass that have 56 bits of randomness (no way those can be brute forced) and these are all marked as very insecure, so I have no way in the report to identify actual insecure passwords. See eg https://github.com/dropbox/zxcvbn/issues/135
-
Is it safe to store credit card information in Bitwarden?
Interestingly, in doing research on trying to find a tool that measure password strenght (I didn't find one that measured it quite as accurately as I would have liked), I found actual research (another useful link) behind the tool that bitwarden uses in their online password strengther checker, I didn't bother to read it yet, but I'm sure it will answer a lot of questions I'm asking about the maths behind the proposition that using a sequence of random words is better than using a sequence of random letters.
-
A note from our sponsor - #<SponsorshipServiceOld:0x00007fea592de498>
www.saashub.com | 3 Feb 2023
Stats
dropbox/zxcvbn is an open source project licensed under MIT License which is an OSI approved license.