What does HackerNews think of zxcvbn?

Low-Budget Password Strength Estimation

Language: CoffeeScript

> except for ZXCVBN

You mean the Low-Budget Password Strength Estimator?

https://github.com/dropbox/zxcvbn

Yeah, that name is totally legit.

We took a similar approach to passphrase stretching in EnvKey v1 [1] (EnvKey is a secrets manager, not a password manager, but uses end-to-end encryption in a similar way). We used PBKDF2 with iterations set a bit higher than the generally recommended levels, as well as Dropbox's zxcvbn [2] lib to try to identify and block weak passphrases.

Ultimately, I think it's just not good enough. Even if you're updating iteration counts automatically (which is clearly not a safe assumption, and to be fair not something we did in EnvKey v1 either), and even with safeguards against weak passphrases, using human-generated passphrases as a single line of defense is just fundamentally weak.

That's why in EnvKey v2, we switched to using high entropy device-based keys for our root encryption keys. It's a similar model to SSH, except that on Mac and Windows the keys get stored in the OS keychain rather than in the file system. Also like SSH, a passphrase can optionally be added on top of the device key.

The downside (or upside, depending how you look at it) is that new devices must be specifically granted access. You can't just log in and decrypt on a new device with only your passphrase. But the security is much stronger, and you also avoid all this song and dance around key stretching iterations.

1 - https://github.com/envkey/envkey

2 - https://github.com/dropbox/zxcvbn

> There's another end of all this that I also never see addressed in writeups like this one: lots of users are still really bad at passwords.

Author here.

I was originally planning to write a blog post about my experience reporting cryptography-related bugs to password managers in 2022. (I had findings for LastPass, 1Password, and Keeper.)

My experience with LastPass was abysmal. I wrote a thread about it here: https://furry.engineer/@soatok/109560736140669727

However, I found in my early draft that I spent a lot of time explaining these algorithms, so I decided to spin it off into a separate article. Thus, this post was conceived!

> I notice the article stopped citing examples of large-scale password cracking after the introduction of PBKDF2.

At that point, I figured the point had been made already, and wanted to focus on the algorithms.

> Readers capable of implementing something like OPAQUE will already have a pretty good handle on most of what's written here. All other developers will just grab whatever "the" off-the-shelf solution is for their language and tech stack, and any recommendations for those are conspicuously absent here. What are the best resources for the most popular tech stacks currently? PHP introduced the password_hash() function (and related functions) in its standard library a while back. It defaults to bcrypt, and most php devs should probably just use those functions, unless they're sure they know better.

I tried to make the post a good balance of fun and informative, but the audience was "people who want to know more about cryptography with passwords" not specifically developers.

As you indicated, if you're developing something, the password_hash() / password_verify() API your language provides is likely 1000x safer than rolling your own anything. If there is to be improvements in the cryptography for a given programming language, it should be an update to whatever the de facto standard library is for that language.

PHP has the password extension built-in. Python has passlib. Node has the crypto module. Etc.

> For a while, some misguided sites tried to prevent people from pasting passwords into their login forms. I have never seen the inverse: a site that prevents users from typing a password. Is there a reason that wouldn't work?

I'm not confident in this, since it's 4:46 AM for me and I should probably be sleeping instead of reading HN comments, but isn't this exactly how Passkey is supposed to work? I could be confusing it with another thing though.

Anyway, thanks for your insightful feedback. I already planned a teardown into the reverse-engineered internals of popular password managers and my experiences with them. Because of your comment, I might also make a future blog post targeting developers.

In the meantime, here's some cool stuff:

https://github.com/dropbox/zxcvbn - A reasonable approach to password strength estimation (although I think their calculation needs updating in 2023)

https://github.com/DivineOmega/password_exposed - Checks if a given password has been exposed in a previous breach (uses the HIBP hash database)