
It certainly needs more tweaking. FJ, FJFJ, etc. isn't in any of the 10k passwords people commonly use, isn't a sequence, isn't a single repeated character, etc., so zxcvbn recognizes it as bruteforce.

A fun extension would be to recognize repeated chunks in addition to single characters.



One thing would be to try to measure entropy in a different way, e.g. run gzip on it. Right now FJFJFJFJ has the same entropy as FJGJFJGJ.


That's a great idea. More generally, whatever the approach, I agree zxcvbn would be better with a more conservative rating for non-pattern-matched regions.
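The repeated-chunk idea raised in the thread, sketched as an added example (not part of any comment above and not zxcvbn's own code). The function names, the character-class sizes and the scoring rule (base chunk once plus log2 of the repeat count) are assumptions; it does not implement the gzip suggestion.

```javascript
// Added example; helper names are hypothetical, not zxcvbn's API.
// Rough character-space size (assumption: four classes, 33 symbols).
function cardinality(s) {
  let n = 0;
  if (/[a-z]/.test(s)) n += 26;
  if (/[A-Z]/.test(s)) n += 26;
  if (/[0-9]/.test(s)) n += 10;
  if (/[^a-zA-Z0-9]/.test(s)) n += 33;
  return n || 1; // empty input: avoid log2(0)
}

// Find regions built from a chunk repeated two or more times. Greedy finds
// the longest repeated region, lazy the shortest unit; the longer match wins.
function findRepeats(password) {
  const out = [];
  let pos = 0;
  while (pos < password.length) {
    const greedy = /(.+)\1+/g, lazy = /(.+?)\1+/g;
    greedy.lastIndex = lazy.lastIndex = pos;
    const g = greedy.exec(password);
    if (g === null) break;
    const l = lazy.exec(password);
    let m = l, base = l[1];
    if (g[0].length > l[0].length) {
      m = g;
      base = /^(.+?)\1+$/.exec(g[0])[1]; // shortest unit of the greedy match
    }
    out.push({ start: m.index, token: m[0], base, count: m[0].length / base.length });
    pos = m.index + m[0].length;
  }
  return out;
}

// Plain brute force: every character costs log2(cardinality) bits.
function bruteForceBits(password) {
  return password.length * Math.log2(cardinality(password));
}

// Repeat-aware estimate: a repeated region costs its base chunk once
// plus log2(repeat count); everything else stays brute force.
function estimateBits(password) {
  const perChar = Math.log2(cardinality(password));
  let bits = 0, pos = 0;
  for (const r of findRepeats(password)) {
    bits += (r.start - pos + r.base.length) * perChar + Math.log2(r.count);
    pos = r.start + r.token.length;
  }
  return bits + (password.length - pos) * perChar;
}
```

With this scoring, FJFJFJFJ (base FJ, four repeats) rates lower than FJGJFJGJ (base FJGJ, two repeats), and both rate well below the plain brute-force figure.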



