zxcvbn.js is old

[muranyia]

wp-includes/js/zxcvbn.min.js is version 1.0 and rather old.
I don't know about other issues but it contains an invalid ("blah-blah") dictionary. For example:

o("male_names",r("wnzrf,wbua,eboreg,zvpunry,jvyyvnz,qnivq,evpuneq,puneyrf,..."))

See ​https://github.com/dropbox/zxcvbn/blob/master/zxcvbn.js for an up-to-date version.

[ocean90]

Replying to muranyia:

I don't know about other issues but it contains an invalid ("blah-blah") dictionary.

We are using ROT13 for the word dictionaries see [25156].

The only change seems to be ​https://github.com/dropbox/zxcvbn/commit/482ed03a10779ec125100721c2d828b97abf9ea6.

[swissspidy]

There were quite some changes to the library recently. The current version is 3.5.0.

[muranyia]

As of Wordpress 4.6.1 zxcvbn.js is still version 1.0. The current version is 4.4.0.

[pento]

#39260 was marked as a duplicate.

[pento]

31647.diff​ is the diff against zxcvbn master, to transform the word lists into a ROT13 version.

[pento]

In 39596:

Libraries: Update zxcvbn from version 1.0 to 4.4.1

This includes masses of bug fixes, as well as tweaks to how passwords are scored.

QUnit tests have been updated to reflect tha scoring changes.

Full changelog: ​https://github.com/dropbox/zxcvbn/compare/v1.0...v4.4.1

Fixes #31647.

[jrchamp]

@pento Is there any concern that the rot13 is negatively affecting the accuracy of the password strength evaluation? Specifically, won't this also affect the "keyboard layout" aka adjacency_graphs?

In case changes are needed, it might be worthwhile to also update the copyright line which was changed to "2012-2016 Dan Wheeler and Dropbox, Inc." in upstream.

Thank you for taking a look!

[Otto42]

@jrchamp ROT13 is reversible. The various lists are converted back to normal in memory before those lists are actually used, so this adjustment is basically a null change with zero impact. The only reason for doing the ROT13 is to hide the "naughty" parts of the password list from normal scanners and other tools that might see and/or block "bad words".

This ROT13 version otherwise operates identically to the original in every way.

[jrchamp]

@Otto42 Technically, the lists are not converted back to normal before use. They are only converted during use of the zxcvbn() function and stored in a temporary variable (meaning that the conversion must happen for each call to this function). The dictionary lists themselves are never modified, which is why matching.dictionary_match() is modified to ROT13 the password being checked so that the ROT13 substrings may be used against the dictionary lists directly (and the matching substring must then be re-ROT13'd to return the raw matching value). As long as no other code/functions directly access the dictionary lists, it should work fine, but this seems like a somewhat fragile assumption unless careful evaluation is done during each upgrade.

To answer my own question, the adjacency_graphs/spatial_match checks operate on the original user supplied password and do not appear to interact with the dictionaries directly. The main.coffee's misleading variable name "user_inputs" is not related to user input, but rather an optional dictionary list override.