
C/C++ version of the zxcvbn password strength estimator


tsyrogit/zxcvbn-c


This is a C/C++ implementation of the zxcvbn password strength estimation.

The code is intended to be included as part of the source of a C/C++ program. Like the original this code is for character sets which use single byte characters primarily in the code range 0x20 to 0x7E.

The original CoffeeScript version is available at https://github.com/lowe/zxcvbn

An article on the reasons for zxcvbn is at https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/

Building

The makefile will build several test programs to test the code. It shows the steps needed to use the code in C and C++ programs, using the dictionary data read from file or included within the program executable. The makefile has only been tried on Linux using GCC version 4.8.4, but should be fairly portable to other systems.

When dictionary data is included in your program's executable, the files zxcvbn.c, zxcvbn.h, dict-src.h are used in your program.

When dictionary data is read from file, the files zxcvbn.c, zxcvbn.h, dict-crc.h and zxcvbn.dict are used in your program, compiled with #define USE_DICT_FILE. The CRC of the dictionary data file is written to dict-crc.h so your executable can detect corruption of the data.

Rename zxcvbn.c to zxcvbn.cpp (or whatever your compiler uses) to compile as C++.

The dict*.h and zxcvbn.dict files are generated by the dictgen program compiled from dict-generate.cpp (see makefile for details).

Using

Initially call ZxcvbnInit() with the pathname of the zxcvbn.dict file. This can be omitted when dictionary data is included in the executable.

Call ZxcvbnMatch() with the password and optional user dictionary to get the entropy estimation and optional information on the password parts (which will need freeing with ZxcvbnFreeInfo() after use). Do this for each password to be tested, or as each character of it is entered into your program. The optional user dictionary can change between each call.

Finally call ZxcvbnUninit() to free the dictionary data read from file. This can be omitted when dictionary data is included in the executable.

Review the test program in test.c for an example.

Differences from the original version

The entropy calculated will sometimes differ from the original because of

  • The UK keyboard layout is also included, so there are additional spatial sequences, e.g. ;'# is a spatial sequence.
  • The different character classes in a password are taken into account when calculating the strength of brute-force matches.
  • Dijkstra's path searching algorithm is used to combine parts of the entered password. This can result in the found parts of the password being combined differently than the original CoffeeScript. E.g. the password passwordassword is combined by the original CoffeeScript as p (3.5 bits) + asswordassword (12.6 bits) + multiple part allowance (1.0 bit) to give total entropy of 17.1 bits. This implementation combines it as password (1.0 bit) + assword (11.6 bits) + multiple part allowance (1.0 bit) to give 13.6 bits.
  • For multi-part passwords the original CoffeeScript version multiplies the number of guesses needed by the factorial of the number of parts. This is not possible in this version as Dijkstra's algorithm is used. Instead one bit entropy is added for the part at the end of the password, 1.7 bits for each part in the middle of a password and nothing for the part at the beginning. This gives similar results compared to the CoffeeScript version when there are 4 or fewer parts, but will differ significantly when there are many parts (which is likely to be a rare occurrence).
  • Only the first 100 characters of a password are used in the full entropy estimation calculation. This length is given by the ZXCVBN_DETAIL_LEN preprocessor macro and can be altered on the compiler command line. The remaining characters are given a low entropy value, roughly equivalent to an incrementing sequence of the same length.
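
The following C sketch is an added example, not code from zxcvbn-c. It reproduces the passwordassword figures above by treating each candidate part as a forward edge whose cost is its entropy plus the position-based allowance, a per-edge cost that a shortest-path search can use where a factorial of the part count cannot be. The Match type, the function names and the 128-position limit are assumptions of the example; the four parts and their entropies are the ones quoted above.

```c
#include <stdio.h>
#include <float.h>

/* One candidate part: password bytes [start, end) and its entropy in bits. */
typedef struct { int start, end; double bits; } Match;

/* Allowance quoted in the README: nothing for the first part, 1.0 bit for
   the last part, 1.7 bits for each part in the middle. */
static double part_allowance(int start, int end, int len)
{
    return start == 0 ? 0.0 : (end == len ? 1.0 : 1.7);
}

/* Lowest total entropy covering [0, len), or -1.0 if no cover exists. Each
   match is an edge start -> end costing entropy plus allowance; edges only go
   forward, so relaxing positions in order gives Dijkstra's minimum. */
static double best_entropy(const Match *m, int n, int len)
{
    double dist[128];
    int pos, i;
    if (len < 1 || len >= 128) return -1.0;
    for (pos = 1; pos <= len; ++pos) dist[pos] = DBL_MAX;
    dist[0] = 0.0;
    for (pos = 0; pos < len; ++pos) {
        if (dist[pos] == DBL_MAX) continue;   /* position not reachable */
        for (i = 0; i < n; ++i) {
            double c;
            if (m[i].start != pos || m[i].end <= pos || m[i].end > len) continue;
            c = dist[pos] + m[i].bits + part_allowance(pos, m[i].end, len);
            if (c < dist[m[i].end]) dist[m[i].end] = c;
        }
    }
    return dist[len] == DBL_MAX ? -1.0 : dist[len];
}

/* Constructed sample: the four parts and entropies the README quotes. */
static const char PW[] = "passwordassword";
static const Match SAMPLE[] = {
    { 0,  1,  3.5 },   /* "p" */
    { 1, 15, 12.6 },   /* "asswordassword" */
    { 0,  8,  1.0 },   /* "password" */
    { 8, 15, 11.6 },   /* "assword" */
};

int main(void)
{
    printf("%.1f bits\n", best_entropy(SAMPLE, 4, (int)sizeof PW - 1));
    return 0;
}
```

Passing only the first two entries of SAMPLE leaves the p + asswordassword split as the sole cover and yields the 17.1-bit total attributed to the CoffeeScript version.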

References

The original CoffeeScript version is available at https://github.com/lowe/zxcvbn

The dictionary words are taken from the original CoffeeScript version.

Dictionary trie encoding (used by the word lookup code) is based on an idea from the Caroline Word Graph from http://www.pathcom.com/~vadco/cwg.html

License

MIT License

