zxcvbn - npm Package Compare versions

Comparing version 3.0.1 to 3.0.2

demo/demo.js

@@ -11,5 +11,5 @@ // Generated by CoffeeScript 1.9.3

requirejs(['../libb/zxcvbn'], function(zxcvbn) {
requirejs(['../lib/zxcvbn'], function(zxcvbn) {
return $(function() {
var _listener, i, last_q, len, password, r, ref, rendered, results_lst;
var _listener, i, last_q, len, password, r, ref, results_lst;
results_lst = [];
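Review bot: the path correction `'../libb/zxcvbn'` → `'../lib/zxcvbn'` is the substantive fix in this hunk; with the misspelled directory RequireJS never resolves the module and the demo page is dead. Dropping `rendered` from the outer `var` list is only safe together with the following hunk, which adds the declaration inside `_listener`; applied on its own, this hunk leaves the top-level `rendered = Mustache.render(...)` assigning to an undeclared name, i.e. an implicit global in this non-strict script.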

@@ -26,9 +26,5 @@ ref = test_passwords.split('\n');

}
rendered = Mustache.render(results_tmpl, {
results: results_lst
});
$('#results').html(rendered);
last_q = '';
_listener = function() {
var current, results;
var current, rendered, results;
current = $('#search-bar').val();
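Review bot: removing the initial `Mustache.render` / `$('#results').html(rendered)` block means `#results` stays empty until `_listener` fires, so make sure the listener is invoked once on page load (the pattern the README's own performance section recommends) or the pre-filled `test_passwords` list will no longer render. Separately, `results_lst` now carries whatever the user typed into `#search-bar` into `.html()`; keep the fields in `results_tmpl` on Mustache's escaping `{{...}}` rather than `{{{...}}}` so a pasted password cannot inject markup into the demo page.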

@@ -35,0 +31,0 @@ if (!current) {

{
"name": "zxcvbn",
"version": "3.0.1",
"version": "3.0.2",
"description": "realistic password strength estimation",

@@ -5,0 +5,0 @@ "main": "lib/zxcvbn.js",

@@ -10,8 +10,12 @@ ```

`zxcvbn`, named after a crappy password, is a password strength estimator. `zxcvbn` is different from other estimators in that it evaluates passwords the way modern crackers crack them. Through search, pattern matching, and conservative entropy calculations, it finds 10k common passwords, common names and surnames according to US census data, common English words, and other common patterns like dates, repeats (aaa), sequences (abcd), QWERTY patterns, and l33t speak.
Named after a crappy password, zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative entropy calculations, it recognizes 10k common passwords, common names and surnames according to US census data, popular English words, and other common patterns like dates, repeats (`aaa`), sequences (`abcd`), keyboard patterns (`qwertyuiop`), and l33t speak.
`zxcvbn` is an algorithm that can be used in place of a password policy -- it is more secure, more flexible, and less frustrating when sites require a minimal score instead of the dreaded "passwords must contain three of {lower, upper, numbers, symbols}". Passwords can be strong and weak for so many reasons that are hard to capture with policy rules, whereas `zxcvbn` allows many styles so long as it detects sufficient complexity. Passphrases are rated highly given enough uncommon words, for example. Keyboard patterns are either terrible or great depending on length and number of shifts and turns. Capitalization adds complexity, but only if it's unpredictable. Neither crackers nor `zxcvbn` are fooled by '@' for 'a' or '0' for 'o'.
zxcvbn is an algorithm to to be used in place of a password policy — it is more secure, flexible, and usable when sites require a minimal complexity score instead of (for example) the dreaded "passwords must contain three of {lower, upper, numbers, symbols}".
At Dropbox we use `zxcvbn` to give people instantaneous feedback when they create a new account or change/reset a password. `zxcvbn` is designed for node and the browser, but we use our [python port](https://github.com/dropbox/python-zxcvbn) inside the Dropbox desktop client, [Objective C port](https://github.com/dropbox/zxcvbn-ios) on iOS, and Java port (not yet open sourced) on Android.
* __More secure__: policies often fail both ways, allowing weak passwords (`P@ssword1`) and disallowing strong passwords (`incorrectmulevoltaicclip`).
* __More flexible__: zxcvbn allows many password styles to flourish so long as it detects sufficient complexity. Passphrases are rated highly given enough uncommon words. Keyboard patterns are either terrible or great depending on length and number of shifts and turns. Capitalization adds more complexity when it's unpRedIctable. Neither crackers nor zxcvbn are fooled by `'@'` for `'a'` or `'0'` for `'o'`.
* __More usable__: Offloading a list of password rules onto users is bad usability. Understanding and satisfying said policy can be time-consuming and frustrating, leading to passwords that are [harder to remember](https://xkcd.com/936/). Use zxcvbn to build a simple, rule-free interface that gives instant feedback.
At Dropbox we use zxcvbn on our [signup page](https://www.dropbox.com/register) and change/reset password flows. zxcvbn is designed for node and the browser, but we use our [python port](https://github.com/dropbox/python-zxcvbn) inside the Dropbox desktop client, [Objective C port](https://github.com/dropbox/zxcvbn-ios) in our iOS app, and Java port (not yet open sourced) on Android.
For more motivation, see:
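Review bot: typo in the rewritten opening paragraph: "an algorithm to to be used in place of a password policy" doubles "to". The paired examples `P@ssword1` (weak, policy-compliant) and `incorrectmulevoltaicclip` (strong, policy-rejected) in the "More secure" bullet make the argument well; the "unpRedIctable" spelling in "More flexible" is clearly deliberate but may read as a typo to skimmers, so consider a word like "unpredictable (`unpRedIctable`)".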

@@ -23,3 +27,3 @@

`zxcvbn` automatically detects and supports CommonJS (node, browserify) and AMD (RequireJS). In the absence of those, it adds a single function `zxcvbn` to the global namespace.
zxcvbn detects and supports CommonJS (node, browserify) and AMD (RequireJS). In the absence of those, it adds a single function `zxcvbn()` to the global namespace.

@@ -33,7 +37,7 @@ ## Bower

``` shell
cd /path/to/project/root # your index.html lives here
cd /path/to/project/root
bower install zxcvbn
```
Add this script to your index.html:
Add this script to your `index.html`:

@@ -45,3 +49,3 @@ ``` html

To make sure it loaded properly, open index.html in a browser and type `zxcvbn('Tr0ub4dour&3')` into the console.
To make sure it loaded properly, open your html in a browser and type `zxcvbn('Tr0ub4dour&3')` into the console.
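Review bot: "open your html in a browser" should read "open your HTML file in a browser"; the previous wording named `index.html`, which matched the Bower step above, so keeping the file name is clearer.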

@@ -65,7 +69,7 @@ To pull in updates and bug fixes:

And should automatically work with browserify. The easiest browserify setup is to include `zxcvbn.js` in your main bundle. If script size is an issue, see the [performance](#perf) section below for ways to reduce latency.
And should automatically work with browserify. The easiest browserify setup is to include zxcvbn in your main bundle. If script size is an issue, see the [performance](#perf) section below for tricks to reduce latency.
## RequireJS
## RequireJS
Add [zxcvbn.js](https://raw.githubusercontent.com/dropbox/zxcvbn/master/lib/zxcvbn.js) to your project (using bower, npm or direct download) and import as usual:
Add [`zxcvbn.js`](https://raw.githubusercontent.com/dropbox/zxcvbn/master/lib/zxcvbn.js) to your project (using bower, npm or direct download) and import as usual:
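Review bot: the `zxcvbn.js` link points at `raw.githubusercontent.com/dropbox/zxcvbn/master/lib/zxcvbn.js`, an unversioned moving target; for readers taking the "direct download" route, point at a tagged release (or the versioned bower/npm artifact) so the file they vendor corresponds to a known version and can be checked against a known hash, rather than whatever `master` contains when they click.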

@@ -92,8 +96,8 @@ ``` javascript

``` javascript
zxcvbn(password, user_inputs)
zxcvbn(password, user_inputs=[])
```
It takes one required argument, a password, and returns a result object. The result includes a few properties:
`zxcvbn()` takes one required argument, a password, and returns a result object. The result includes a few properties:
``` coffeescript
``` coffee
result.entropy # bits
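Review bot: `zxcvbn(password, user_inputs=[])` sits in a `javascript` fence but is signature notation, not a call: pasted literally it parses as an assignment inside the argument list and creates an implicit global `user_inputs`. Either label the line as a signature or state "`user_inputs` defaults to `[]`" in the prose, so nobody copies it into a form handler. The `coffeescript` → `coffee` fence rename is fine.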

@@ -117,25 +121,25 @@

The optional `user_inputs` argument is an array of strings that `zxcvbn` will add to its internal dictionary. This can be whatever list of strings you like, but is meant for user inputs from other fields of the form, like name and email. That way a password that includes the user's personal info can be heavily penalized. This list is also good for site-specific vocabulary -- Acme Brick Co. might want to include ['acme', 'brick', 'acmebrick', etc].
The optional `user_inputs` argument is an array of strings that zxcvbn will treat as an extra dictionary. This can be whatever list of strings you like, but is meant for user inputs from other fields of the form, like name and email. That way a password that includes a user's personal information can be heavily penalized. This list is also good for site-specific vocabulary — Acme Brick Co. might want to include ['acme', 'brick', 'acmebrick', etc].
# Performance
# <a name="perf"></a>Performance
## runtime latency
`zxcvbn` usually operates below human perception of delay: ~5-20ms for typical passwords on modern browsers/CPUs, ~100ms for passwords around 100 characters. To bound runtime latency for really long passwords, consider sending `zxcvbn` only the first 100 characters or so of user input.
zxcvbn operates below human perception of delay for most input: ~5-20ms for ~25 char passwords on modern browsers/CPUs, ~100ms for passwords around 100 characters. To bound runtime latency for really long passwords, consider sending `zxcvbn()` only the first 100 characters or so of user input.
## script load latency
`zxcvbn` bundled and minified is about 870kb uncompressed, 350kb gzipped, most of which is dictionaries. Consider these tips if you're noticing page load latency on your site.
`zxcvbn.js` bundled and minified is about 350kb gzipped or 870kb uncompressed, most of which is dictionaries. Consider these tips if you're noticing page load latency on your site.
* Make sure your server is configured to compress static assets for browsers that support it. ([Intro + apache/IIS tutorials](http://betterexplained.com/articles/how-to-optimize-your-site-with-gzip-compression/), [nginx tutorial](https://rtcamp.com/tutorials/nginx/enable-gzip/).)
* Make sure your server is configured to compress static assets for browsers that support it. ([nginx tutorial](https://rtcamp.com/tutorials/nginx/enable-gzip/), [apache/IIS tutorial](http://betterexplained.com/articles/how-to-optimize-your-site-with-gzip-compression/).)
Then try one of these alternatives:
Then try one of these alternatives:
1. Put your `<script src="zxcvbn.js">` tag at the end of your html, just before the closing </body> tag. This insures your page loads and renders before the browser fetches and loads `zxcvbn`. The downside with this approach is `zxcvbn` becomes available later than had it been included in `<head>` -- not an issue on most signup pages where users are filling in other fields first.
1. Put your `<script src="zxcvbn.js">` tag at the end of your html, just before the closing </body> tag. This insures your page loads and renders before the browser fetches and loads `zxcvbn.js`. The downside with this approach is `zxcvbn()` becomes available later than had it been included in `<head>` — not an issue on most signup pages where users are filling in other fields first.
2. If you're using requirejs, try keeping `zxcvbn` outside of your main bundle and loading separately. Something to watch out for: if `zxcvbn` is required only inside a keyboard handler waiting for user input, the entire script may be loaded only after the user presses their first key leading to nasty latency. Avoid this by calling your handler once upon page load, independent of user input, such that `zxcvbn` starts downloading in the background earlier.
2. If you're using requirejs, try loading `zxcvbn.js` separately from your main bundle. Something to watch out for: if `zxcvbn.js` is required inside a keyboard handler waiting for user input, the entire script might be loaded only after the user presses their first key, creating nasty latency. Avoid this by calling your handler once upon page load, independent of user input, such that the `requirejs()` call runs earlier.
3. Use the HTML5 [`async` script attribute](http://www.w3schools.com/tags/att_script_async.asp). Downside: [doesn't work](http://caniuse.com/#feat=script-async) in IE7-9 or Opera Mini.
3. Use the HTML5 [`async`](http://www.w3schools.com/tags/att_script_async.asp) script attribute. Downside: [doesn't work](http://caniuse.com/#feat=script-async) in IE7-9 or Opera Mini.
4. Include an inline `<script>` in `<head>` that asynchronously loads zxcvbn in the background. Despite the extra code I prefer this over (3) because it works in older browsers.
4. Include an inline `<script>` in `<head>` that asynchronously loads `zxcvbn.js` in the background. Despite the extra code I prefer this over (3) because it works in older browsers.
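Review bot: the runtime-latency advice to send `zxcvbn()` only the first 100 characters or so should say explicitly that the truncation applies to the estimator's input only, never to the password the form submits; scoring a prefix is a conservative estimate, silently storing a prefix is a bug. Two smaller points in the same hunk: "insures your page loads" should be "ensures" (present in both versions), and `['acme', 'brick', 'acmebrick', etc]` in the `user_inputs` paragraph is not a valid array literal, so write `['acme', 'brick', 'acmebrick', ...]` or describe it in prose.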

@@ -147,4 +151,3 @@ ``` javascript

(function() {
// eg. for a standard bower setup, 'bower_components/zxcvbn/zxcvbn.js'
var ZXCVBN_SRC = 'path/to/zxcvbn.js';
var ZXCVBN_SRC = 'path/to/zxcvbn.js'; // eg. for a standard bower setup, 'bower_components/zxcvbn/zxcvbn.js'

@@ -174,7 +177,7 @@ var async_load = function() {

`zxcvbn` is built with CoffeeScript, browserify, and uglifyjs. CoffeeScript source lives in `src`, which gets compiled, bundled and minified into `lib/zxcvbn.js`.
zxcvbn is built with CoffeeScript, browserify, and uglifyjs. CoffeeScript source lives in `src`, which gets compiled, bundled and minified in `lib/zxcvbn.js`.
``` shell
npm run build # builds lib/zxcvbn.js
npm run watch # same, but quickly rebuilds as changes are made in src.
npm run watch # same, but quickly rebuilds as changes are made in src.
```

@@ -194,4 +197,4 @@

Researchers at Concordia University for [studying password meters rigorously](http://www.concordia.ca/cunews/main/stories/2015/03/25/does-your-password-pass-muster.html) and recommending zxcvbn.
Researchers at Concordia University for [studying password estimation rigorously](http://www.concordia.ca/cunews/main/stories/2015/03/25/does-your-password-pass-muster.html) and recommending zxcvbn.
And [xkcd](https://xkcd.com/936/) for the inspiration <3
And [xkcd](https://xkcd.com/936/) for the inspiration :+1::horse::battery::heart: