User input has no effect on the score

[mimi89999]

Hello,

When I add some values to user input, it has no effect on the score:

$ ./node_modules/.bin/yarn start-ts-file scripts/cli-password-tester.ts "John Smith"
  guessesLog10: 6.178335385971116,
  score: 2,

$ ./node_modules/.bin/yarn start-ts-file scripts/cli-password-tester.ts "John Smith" "John;Smith"
  guessesLog10: 6.178335385971116,
  score: 2,

This is because user input is treated as any other dictionary and added to the word list. However, as the demo suggests: userInputs separated by a comma like John,Smith, this field might be used for providing zxcvbn some info about the user. The Python module describes a similar usage: https://github.com/dwolfhub/zxcvbn-python?tab=readme-ov-file#usage

I would expect it to significantly impact the score. An attacker knowing that the user is named John Smith, is more likely to try variations of those words.

[MrWook]

Hey thanks for the report!

User input is treated as any other dictionary isn't really the problem, as the "guessCount" can't be lower than 1 and if you have a user input dictionary with just a bunch of entries the guess count for this stays pretty low.

The problem from your example is that the algorithm tries to find the longest match in a dictionary and it will find "John Smith" so it ignores the shorter finds for john and smith.
But if you disable the levensthein option it will find john as bruteforce and smith as userinput which is kind of annoying as john is so much lower than the bruteforce.

So it's less of a dictionary issue and more of a bruteforce issue. The bruteforce matcher is increasing the scoring from time to time and was the answer for other issue as well. The Problem is that it's so hard connected to the scoring and not it's own matcher like everything else. Would be nice if we can extract it out of the scoring 🤔