acsploit #60

Tostino · 2021-06-18T00:26:06Z

I noticed that nbvcxz was mentioned as being targeted by: https://github.com/twosixlabs/acsploit

Ensure the generated passwords don't cause issues.

Tostino · 2023-01-26T15:02:19Z

Their password to check against us is now no problem, it's taken care of by the max length configuration implemented here: c387d54

The code that generated this password: https://github.com/twosixlabs/acsploit/blob/fd5602adf9f312482b8010abf6b4691f08929bc4/acsploit/exploits/passwords/zxcvbn.py

It still takes ~400ms to calculate, but that can can be worked on separately. This got rid of the pathological case by default.

----------------------------------------------------------
Commands: estimate password (e); generate password (g); quit (q)
Please enter your command:
e
Please enter the password to estimate:
4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/
----------------------------------------------------------
Time to calculate: 417 ms
Password: 4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7
Full Password: 4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/
Entropy: 313.24486188414727
Your password meets the minimum strength requirement.
Time to crack: ONLINE_THROTTLED: infinite (>100000 centuries)
Time to crack: ONLINE_UNTHROTTLED: infinite (>100000 centuries)
Time to crack: OFFLINE_ARGON2_ID: infinite (>100000 centuries)
Time to crack: OFFLINE_BCRYPT_14: infinite (>100000 centuries)
Time to crack: OFFLINE_BCRYPT_12: infinite (>100000 centuries)
Time to crack: OFFLINE_BCRYPT_10: infinite (>100000 centuries)
Time to crack: OFFLINE_BCRYPT_8: infinite (>100000 centuries)
Time to crack: OFFLINE_BCRYPT_5: infinite (>100000 centuries)
Time to crack: OFFLINE_SHA512: infinite (>100000 centuries)
Time to crack: OFFLINE_SHA1: infinite (>100000 centuries)
Time to crack: OFFLINE_MD5: infinite (>100000 centuries)
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 4
Start Index: 0
End Index: 0
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: @
Start Index: 1
End Index: 1
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 8
Start Index: 2
End Index: 2
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: (
Start Index: 3
End Index: 3
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: {
Start Index: 4
End Index: 4
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: [
Start Index: 5
End Index: 5
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: <
Start Index: 6
End Index: 6
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: /
Start Index: 7
End Index: 7
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 3
Start Index: 8
End Index: 8
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 6
Start Index: 9
End Index: 9
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 9
Start Index: 10
End Index: 10
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: &
Start Index: 11
End Index: 11
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: #
Start Index: 12
End Index: 12
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: !
Start Index: 13
End Index: 13
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 1
Start Index: 14
End Index: 14
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: /
Start Index: 15
End Index: 15
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: |
Start Index: 16
End Index: 16
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 0
Start Index: 17
End Index: 17
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: $
Start Index: 18
End Index: 18
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 5
Start Index: 19
End Index: 19
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: +
Start Index: 20
End Index: 20
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 7
Start Index: 21
End Index: 21
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: %
Start Index: 22
End Index: 22
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 2
Start Index: 23
End Index: 23
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: /
Start Index: 24
End Index: 24
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 4
Start Index: 25
End Index: 25
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: @
Start Index: 26
End Index: 26
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 8
Start Index: 27
End Index: 27
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: (
Start Index: 28
End Index: 28
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: {
Start Index: 29
End Index: 29
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: [
Start Index: 30
End Index: 30
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: <
Start Index: 31
End Index: 31
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: /
Start Index: 32
End Index: 32
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 3
Start Index: 33
End Index: 33
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 6
Start Index: 34
End Index: 34
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 9
Start Index: 35
End Index: 35
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: &
Start Index: 36
End Index: 36
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: #
Start Index: 37
End Index: 37
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: !
Start Index: 38
End Index: 38
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 1
Start Index: 39
End Index: 39
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: /
Start Index: 40
End Index: 40
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: |
Start Index: 41
End Index: 41
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 0
Start Index: 42
End Index: 42
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: $
Start Index: 43
End Index: 43
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 5
Start Index: 44
End Index: 44
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: +
Start Index: 45
End Index: 45
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 7
Start Index: 46
End Index: 46
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: %
Start Index: 47
End Index: 47
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 2
Start Index: 48
End Index: 48
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: /
Start Index: 49
End Index: 49
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 4
Start Index: 50
End Index: 50
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: @
Start Index: 51
End Index: 51
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 8
Start Index: 52
End Index: 52
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: (
Start Index: 53
End Index: 53
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: {
Start Index: 54
End Index: 54
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: [
Start Index: 55
End Index: 55
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: <
Start Index: 56
End Index: 56
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: /
Start Index: 57
End Index: 57
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 3
Start Index: 58
End Index: 58
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 6
Start Index: 59
End Index: 59
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 9
Start Index: 60
End Index: 60
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: &
Start Index: 61
End Index: 61
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: #
Start Index: 62
End Index: 62
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: !
Start Index: 63
End Index: 63
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 1
Start Index: 64
End Index: 64
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: /
Start Index: 65
End Index: 65
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: |
Start Index: 66
End Index: 66
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 0
Start Index: 67
End Index: 67
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: $
Start Index: 68
End Index: 68
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 5
Start Index: 69
End Index: 69
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 5.044394119358453
Token: +
Start Index: 70
End Index: 70
Length: 1
-----------------------------------
Match Type: BruteForceMatch
Entropy: 3.3219280948873626
Token: 7
Start Index: 71
End Index: 71
Length: 1
----------------------------------------------------------
Commands: estimate password (e); generate password (g); quit (q)
Please enter your command:

Tostino · 2023-01-27T18:58:23Z

As @formigarafa mentioned here: #74 (comment) I went an implemented a check for dictionary max length to short cut a lot of logic.

In the dev branch, this is now running in ~70ms with the password limited to 256 characters total:

Commands: estimate password (e); generate password (g); quit (q)
Please enter your command:
e
Please enter the password to estimate:
4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/
----------------------------------------------------------
Time to calculate: 70 ms
Password: 4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[
Full Password: 4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/
Entropy: 1115.6733600597117
Your password meets the minimum strength requirement.
Time to crack: ONLINE_THROTTLED: infinite (>100000 centuries)
Time to crack: ONLINE_UNTHROTTLED: infinite (>100000 centuries)
Time to crack: OFFLINE_ARGON2_ID: infinite (>100000 centuries)
Time to crack: OFFLINE_BCRYPT_14: infinite (>100000 centuries)
Time to crack: OFFLINE_BCRYPT_12: infinite (>100000 centuries)
Time to crack: OFFLINE_BCRYPT_10: infinite (>100000 centuries)
Time to crack: OFFLINE_BCRYPT_8: infinite (>100000 centuries)
Time to crack: OFFLINE_BCRYPT_5: infinite (>100000 centuries)
Time to crack: OFFLINE_SHA512: infinite (>100000 centuries)
Time to crack: OFFLINE_SHA1: infinite (>100000 centuries)
Time to crack: OFFLINE_MD5: infinite (>100000 centuries)
-----------------------------------

Tostino · 2023-01-27T20:48:47Z

There was another exploit mentioned in the main zxcvbn repo: dropbox/zxcvbn#327

This has to do with the lazyAnchored check we do in the repeat matcher, but it isn't being hit for us now as mentioned in that thread.

Tostino · 2023-01-28T08:13:03Z

I found a blog post explaining the exploit from the authors: https://twosixtech.com/algorithmic-complexity-vulnerabilities-an-introduction/

Tostino closed this as completed Jan 26, 2023

Tostino mentioned this issue Jan 26, 2023

DOS Exploit nulab/zxcvbn4j#130

Open

Tostino reopened this Jan 26, 2023

Tostino mentioned this issue Jan 27, 2023

Add maxLength configuration and fix DOS exploit #76

Merged

Tostino mentioned this issue Jan 31, 2023

Implemented an "unmunger" #55

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

acsploit #60

acsploit #60

Tostino commented Jun 18, 2021

Tostino commented Jan 26, 2023 •

edited

Loading

Tostino commented Jan 27, 2023

Tostino commented Jan 27, 2023

Tostino commented Jan 28, 2023

acsploit #60

acsploit #60

Comments

Tostino commented Jun 18, 2021

Tostino commented Jan 26, 2023 • edited Loading

Tostino commented Jan 27, 2023

Tostino commented Jan 27, 2023

Tostino commented Jan 28, 2023

Tostino commented Jan 26, 2023 •

edited

Loading