
> This is a gem that checks the strength of a user-submitted password

Does it, though?

https://github.com/bdmac/strong_password/blob/master/lib/str...

Indeed, replacing this with the list of top 100 passwords would be much more effective.


Or, alternatively, switching to the haveibeenpwned API[1] or zxcvbn[2].

[1]: https://haveibeenpwned.com/API/v2
[2]: https://github.com/dropbox/zxcvbn


It seems to do that too (comparing against a list of the top 500 passwords):

https://github.com/bdmac/strong_password/blob/master/lib/str...


A long time ago I made a gem that does pretty much this: https://github.com/senorprogrammer/pil

If you want this functionality, I recommend not using it as-is, given the security vuln GitHub is currently reporting. Rather, anyone has my permission to copy the code verbatim into your project. It's a pretty simple gem.


Could you clarify?

Is the algorithm deficient?

To me that looks like code that indeed checks the strength, so I must be missing something.


It checks the length of a password, along with an arbitrary scalar for repeated characters. It does not do any entropy calculations.

The writer of that code at least needs to read https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpubli... one more time.
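To make the thread's two points concrete (a length-only check versus a common-password list and an entropy estimate, plus what a haveibeenpwned range lookup actually transmits), here is an added Ruby example; it is not code from the strong_password gem or from any commenter. The common-password list is a constructed stand-in for a real top-N list, and the character-pool entropy estimate is a deliberate simplification (tools like zxcvbn do pattern matching instead).

```ruby
require 'digest'

# Constructed sample standing in for a real list of the most common passwords.
COMMON_PASSWORDS = %w[password 123456 12345678 qwerty password1 letmein
                      iloveyou admin welcome monkey].freeze

# The kind of check criticised in the thread: length only, nothing else.
# "password" sails through this.
def naive_ok?(password)
  password.length >= 8
end

# Size of the character pool the password actually draws from.
def pool_size(password)
  size = 0
  size += 26 if password.match?(/[a-z]/)
  size += 26 if password.match?(/[A-Z]/)
  size += 10 if password.match?(/[0-9]/)
  size += 32 if password.match?(/[^a-zA-Z0-9]/)
  size
end

# Upper-bound entropy estimate in bits: length * log2(pool size).
# This is an optimistic figure; dictionary words and keyboard walks are
# far weaker than it suggests, which is why a common-password list comes first.
def entropy_bits(password)
  return 0.0 if password.empty?
  password.length * Math.log2(pool_size(password))
end

# haveibeenpwned range query (k-anonymity): only the first 5 hex characters
# of the SHA-1 leave the client; the remaining 35 are compared locally
# against the returned suffixes. No network call is made here.
def hibp_range_parts(password)
  sha1 = Digest::SHA1.hexdigest(password).upcase
  [sha1[0, 5], sha1[5..-1]]
end

# Combined assessment: reject known-common passwords outright, then apply
# a minimum entropy bar (40 bits is an assumed threshold for illustration).
def assess(password, min_bits: 40)
  return :common if COMMON_PASSWORDS.include?(password.downcase)
  return :weak if entropy_bits(password) < min_bits
  :acceptable
end
```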