zxcvbn-extra 1.0.4

.NET 6.0 .NET Standard 2.0
dotnet add package zxcvbn-extra --version 1.0.4
NuGet\Install-Package zxcvbn-extra -Version 1.0.4
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="zxcvbn-extra" Version="1.0.4" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add zxcvbn-extra --version 1.0.4
#r "nuget: zxcvbn-extra, 1.0.4"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
// Install zxcvbn-extra as a Cake Addin
#addin nuget:?package=zxcvbn-extra&version=1.0.4

// Install zxcvbn-extra as a Cake Tool
#tool nuget:?package=zxcvbn-extra&version=1.0.4

Zxcvbn C#/.NET

NuGet License .NET

This is a fork of Zxcvbn-cs - a port of the Zxcvbn JavaScript password strength estimation library to .NET, written in C#.

From the Zxcvbn readme:

zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative estimation, it recognizes and weighs 30k common passwords, > common names and surnames according to US census data, popular English words from Wikipedia and US television and movies, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.

Consider using zxcvbn as an algorithmic alternative to password composition policy — it is more secure, flexible, and usable when sites require a minimal complexity score in place of annoying rules like "passwords must contain three of {lower, upper, numbers, symbols}".

  • More secure: policies often fail both ways, allowing weak passwords (P@ssword1) and disallowing strong passwords.
  • More flexible: zxcvbn allows many password styles to flourish so long as it detects sufficient complexity — passphrases are rated highly given enough uncommon words, keyboard patterns are ranked based on length and number of turns, and capitalization adds more complexity when it's unpredictaBle.
  • More usable: zxcvbn is designed to power simple, rule-free interfaces that give instant feedback. In addition to strength estimation, zxcvbn includes minimal, targeted verbal feedback that can help guide users towards less guessable passwords.

For further detail and motivation, please refer to the USENIX Security '16 paper and presentation.

This fork aims to restore old feature - calculating password entropy. This feature was removed in Zxcvbn 4.0.1 release. In my opinion, entropy is more useful and helpful to end-user than Guesses or GuessesLog10. You can build your own scoring system based on entropy. This can be helpful to create a password-strenght color bar.

Using Zxcvbn-cs

The included Visual Studio project will create a single assembly, Zxcvbn.dll, which is all that is required to be included in your project.

To evaluate a password:

using Zxcvbn;

var result = Zxcvbn.Core.EvaluatePassword("p@ssw0rd");

EvaluatePassword takes an optional second parameter that contains an enumerable of user data strings to also match the password against.

Interpreting Results

The Result structure returned from password evaluation is interpreted the same way as with JS Zxcvbn.

  • result.CalcTime - how long it took zxcvbn to calculate an answer, in milliseconds
  • result.CrackTime - dictionary of back-of-the-envelope crack time estimations, in seconds, based on a few scenarios:
    • OfflineFastHashing1e10PerSecond - offline attack with user-unique salting but a fast hash function like SHA-1, SHA-256 or MD5. A wide range of reasonable numbers anywhere from one billion - one trillion guesses per second, depending on number of cores and machines. Ballparking at 10B/sec
    • OfflineSlowHashing1e4PerSecond - offline attack. assumes multiple attackers, proper user-unique salting, and a slow hash function w/ moderate work factor, such as bcrypt, scrypt, PBKDF2
    • OnlineNoThrottling10PerSecond - online attack on a service that doesn't ratelimit, or where an attacker has outsmarted ratelimiting
    • OnlineThrottling100PerHour - online attack on a service that ratelimits password auth attempts
  • result.CrackTimeDisplay - same keys as result.CrackTime, with friendlier display string values: 'less than a second', '3 hours', 'centuries', etc.
  • result.Entropy - password entropy in bits
  • result.Feedback - the password that was used to generate these results
    • Warning - explains what's wrong, eg. 'this is a top-10 common password'. Sometimes an empty string
    • Suggestions - a possibly-empty IList<string> of suggestions to help choose a less guessable password, eg. 'Add another word or two'
  • result.Guesses - estimated guesses needed to crack password
  • result.GuessesLog10 - order of magnitude of result.Guesses
  • result.MatchSequence - the IEnumerable<Match> list of patterns that zxcvbn based the guess calculation on
  • result.Password - the password that was used to generate these results
result.Score Description Guesses
0 Too guessable: risky password < 10^3
1 Very guessable: protection from throttled online attacks < 10^6
2 Somewhat guessable: protection from unthrottled online attacks < 10^8
3 Safely unguessable: moderate protection from offline slow-hash scenario < 10^10
4 Very unguessable: strong protection from offline slow-hash scenario >= 10^10

Zxcvbn-CS vs Zxcvbn-JS vs KeePass vs KeePassXC

This table shows entropy results from different programs

Password Zxcvbn-JS KeePass KeePassXC Zxcvbn-CS
t 4.7 4.7 5 3.32
t4 3.7 8.492 11 4.7
t3XKczXFIOrqHRr_ 85.008 90.578 92 91.96
t3XKczXFIOrqHRr_t3XKczXFIOrqHRr 163.447 174.587 102 179.85
+wq)tIw6gb4]Uh@"-E(= 141.289 115.203 127 120.62
zK_f7M(#"W-?4AyN6g} 131.397 124.901 131 128.7
89673460696657893304 12.07 61.146 60 63.56
acegikmoqsuwy 0 55.027 9 4.7
Abracadabra 13.519 15.013 8 13.51
abraCadaBra 18.585 20.029 10 18.57
ab®a©@daBra 53.436 49.83 19 56
.Abracadabram!67 33.229 43.293 41 40.12
77starTrek-sta®w@rs!$ 47.098 76.686 63 66.87
hyevwfzfgyrlyafozwatdhujxlyltfdr 79.907 134.373 135 138.67
Product Compatible and additional computed target framework versions.
.NET net5.0 was computed.  net5.0-windows was computed.  net6.0 is compatible.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 was computed.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 was computed.  net8.0-android was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed. 
.NET Core netcoreapp2.0 was computed.  netcoreapp2.1 was computed.  netcoreapp2.2 was computed.  netcoreapp3.0 was computed.  netcoreapp3.1 was computed. 
.NET Standard netstandard2.0 is compatible.  netstandard2.1 was computed. 
.NET Framework net461 was computed.  net462 was computed.  net463 was computed.  net47 was computed.  net471 was computed.  net472 was computed.  net48 was computed.  net481 was computed. 
MonoAndroid monoandroid was computed. 
MonoMac monomac was computed. 
MonoTouch monotouch was computed. 
Tizen tizen40 was computed.  tizen60 was computed. 
Xamarin.iOS xamarinios was computed. 
Xamarin.Mac xamarinmac was computed. 
Xamarin.TVOS xamarintvos was computed. 
Xamarin.WatchOS xamarinwatchos was computed. 
Compatible target framework(s)
Additional computed target framework(s)
Learn more about Target Frameworks and .NET Standard.
  • .NETStandard 2.0

    • No dependencies.
  • net6.0

    • No dependencies.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last updated
1.0.4 1,399 5/5/2022
1.0.3 389 2/23/2022
1.0.2 376 2/23/2022
1.0.1 383 2/23/2022
1.0.0 230 1/11/2022