zxcvbn-rs

zxcvbn-rs copied to clipboard

Hey, just wanted to let you know I've gotten reports from users of my library: Nbvcxz that are getting a DOS every so often by specifically crafted passwords.

I even found a tool created by a government contractor used for issuing a DOS against programs using libraries containing the vulnerable (to combination explosion) algorithms from the original zxcvbn implementation:

• https://github.com/twosixlabs/acsploit
• https://github.com/GoSimpleLLC/nbvcxz/issues/60

I've solved this by implementing a maxLength type configuration...but that isn't totally done yet as I feel like I still need to have it do dictionary checks against the full-length password without any transformations. Working on finishing that feature and putting out a release. I just wanted to mention it to you, since this is also often run server-side rather than client-side.

Thanks for mentioning this! This implementation should be safe as it does only check the first 100 characters, the assumption being that if you have a password longer than that, it's probably pretty secure. But this tool seems useful, I'll grab it and run some testing as well.

Thanks for checking. Do try and ensure your implementation isn't vulnerable even with the character limit. The TS port was grinding to a halt after ~20 characters and required additional algorithmic changes.

After local testing, I can confirm this library is safe against acsploit. It takes approximately 263ms on a release build for the exploit.

Thanks for confirming @jun-sheaf ! I'll mark this as closed then.