Correctly handle site-specific words being removed #4

Open
@blaseur
Contributor

blaseur commented May 8, 2017

We handle site-specific words (e.g., "pittsburgh" in the demo) by removing them from the password before further scoring the password.

Subsequent heuristics can thus be operating on an empty password, resulting in strange feedback. (Note: to reproduce the example below, set "active: false," in the "forbidPasswords" part of the composition policy in /example/index.html)

[screenshot from 2017-05-07 21 47 02]

@lujobauer lujobauer added the bug label May 8, 2017
@blaseur
Contributor Author

blaseur commented May 8, 2017

You can reproduce this bug without turning off the blacklist if you concatenate multiple site-specific words:

e.g., "steelerspittsburgh"

@blaseur
Contributor Author

blaseur commented May 8, 2017

The cause is that we effectively give "zero credit" for site-specific words by removing them from the password before further evaluating it... which is why steelers22 has length 2 as far as the other parts are concerned

@jpgoldberg

It's an interesting problem, and I have no pretty idea of how to solve it short of building a site specific NN. ("pretty" and "tenable" are not always the same.)

I wonder what would happen if you replaced site-specific words with a string that yields close to zero credit, such as "password" or "123". This isn't a very principled way to deal with the problem, but, at the cost of some accuracy, it might have less perverse side effects.
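The two behaviours discussed in this thread side by side, as an added example that is not the project's own code: the current approach strips site-specific words before later heuristics run (so "steelers22" is scored as a 2-character string and "steelerspittsburgh" as an empty one), while the alternative proposed above substitutes a low-credit filler so downstream checks still see a string of plausible length. The word list, the filler and the `lengthFeedback` heuristic are constructed for illustration.

```javascript
// Constructed site-specific word list, mirroring the demo discussed in the issue.
const SITE_WORDS = ["pittsburgh", "steelers"];

// Escape a word so it can be used literally inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Current behaviour described in the issue: remove every site-specific word
// (case-insensitively) and hand only the remainder to later heuristics.
function stripSiteWords(password, siteWords = SITE_WORDS) {
  return siteWords.reduce(
    (pw, w) => pw.replace(new RegExp(escapeRegExp(w), "gi"), ""),
    password
  );
}

// Proposed alternative: replace each site-specific word with a filler that
// earns close to zero credit, so the string does not collapse to nothing.
function replaceSiteWords(password, filler = "123", siteWords = SITE_WORDS) {
  return siteWords.reduce(
    (pw, w) => pw.replace(new RegExp(escapeRegExp(w), "gi"), filler),
    password
  );
}

// Hypothetical downstream heuristic: a minimum-length check operating on
// whatever the site-word pass left behind. This is the stage that produces
// the odd feedback when it is fed an empty string.
function lengthFeedback(remaining, minLength = 8) {
  if (remaining.length === 0) return "empty after site-word removal";
  if (remaining.length < minLength) {
    return `too short (${remaining.length} < ${minLength})`;
  }
  return "ok";
}

// Run both pipelines so the difference in what later heuristics see is visible.
function compare(password) {
  const stripped = stripSiteWords(password);
  const filled = replaceSiteWords(password);
  return {
    removal: { remaining: stripped, feedback: lengthFeedback(stripped) },
    filler: { remaining: filled, feedback: lengthFeedback(filled) },
  };
}

console.log(compare("steelers22"));
console.log(compare("steelerspittsburgh"));
```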
