With the String "+=&/()!" (without quotes) nbvcxz returns a score of 4/4, entropy of around 35 and 7 brute force matches with an entropy of around 5 each. Which seems kinda overrated.
The online demo on the other hand returns a single brute force match with only a score of 2/4. Which seems more appropriate for a password of only 7 chars. I'm sure even some precomputed rainbow tables go up to 8 normal chars (letters, digits and regular special characters).
You are correct there. The character set used is limited to special characters, not alphanumeric... The code in the getBruteForceCardinality methods in the BruteForceUtil class is interacting with the changes I made to the matching algorithm to ensure it didn't fall over if it got caught in a local minimum which stopped the original algorithm from finding the true best matches in a ton of cases.
So this will take a little thinking to figure out, but it is solvable.
So, after checking this out more, it looks like that scoring algorithm changed out from under me when I was originally implementing Nbvcxz and I never noticed: dropbox/zxcvbn@5d7695e
Looks like this will take a bit of work to get scoring for brute force more in line.
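An added example, not code from nbvcxz or zxcvbn, that reproduces the two results reported in this issue for "+=&/()!": seven per-character brute-force matches scored with a character-class cardinality, versus one whole-password match scored with a fixed cardinality. The class sizes (33 symbols), the fixed cardinality of 10 and the score bands on guess counts are assumptions chosen for illustration, and all function names are hypothetical.

```javascript
// Added illustration. Constants below are assumptions, not values copied
// from the nbvcxz or zxcvbn sources.
const CLASSES = [
  { name: "lower",  re: /[a-z]/,        size: 26 },
  { name: "upper",  re: /[A-Z]/,        size: 26 },
  { name: "digit",  re: /[0-9]/,        size: 10 },
  { name: "symbol", re: /[^a-zA-Z0-9]/, size: 33 }, // assumed: printable ASCII minus alphanumerics
];

// Model A: cardinality is the sum of the character classes present in a token.
function classCardinality(token) {
  return CLASSES.filter(c => c.re.test(token)).reduce((n, c) => n + c.size, 0);
}

// Model A applied per character: one brute-force match per character,
// each contributing log2(cardinality of that character's class) bits.
function perCharEntropyBits(password) {
  return [...password].reduce((bits, ch) => bits + Math.log2(classCardinality(ch)), 0);
}

// Model B: a single brute-force match over the whole password with a
// fixed cardinality, regardless of which characters appear.
const FIXED_CARDINALITY = 10; // assumed
function fixedGuesses(password) {
  return Math.pow(FIXED_CARDINALITY, [...password].length);
}

// Assumed score bands on guess count: below 1e3 is 0, ..., 1e10 and above is 4.
const SCORE_BANDS = [1e3, 1e6, 1e8, 1e10];
function scoreFromGuesses(guesses) {
  const i = SCORE_BANDS.findIndex(limit => guesses < limit);
  return i === -1 ? 4 : i;
}

// Put both models side by side for one password.
function compare(password) {
  const bits = perCharEntropyBits(password);
  const guesses = fixedGuesses(password);
  return {
    perCharBits: bits,
    scoreFromPerChar: scoreFromGuesses(Math.pow(2, bits)),
    fixedGuesses: guesses,
    fixedBits: Math.log2(guesses),
    scoreFromFixed: scoreFromGuesses(guesses),
  };
}

console.log(compare("+=&/()!")); // the password from this issue
```

Under these assumptions the per-character model gives about 35.3 bits (roughly 5 per character) and lands in the top band, while the fixed-cardinality model gives 10^7 guesses and lands in band 2.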