Because an accurate summary would actually summarize what they said, not just list their bias. I would summarize it as, "The Dropbox team prefers the readability of Coffeescript, the conversion took one week, they reduced the lines of code in their codebase by 20%, and there was no impact on functionality."
$^$^$^_ and $^$^$^z are both recognized by zxcvbn as bruteforce regions. it reports the entropy as:
n log (c)
for a length-n password with symbol space c.
the huge difference in crack time is because zxcvbn is using c==33 (symbols only) for $^$^$^_ and c==59 (symbols + a-z) for $^$^$^z
$^$^$^i is in the middle -- 'i' is considered a dictionary match, the rest is c==59 bruteforce.
the bigger problem is $^$^$^ isn't recognized as a pattern, but i'm working on ways to improve bruteforce estimation too. good example!
zxcvbn's current analysis for 'correcthorsebatterystaple' vs 'correct horse battery staple' looks about right to me, it's counting each space as an extra bruteforce character.
horsebattery vs 'h orsebattery', on the other hand, shows a clear flaw -- it doesn't tolerate misspellings up to a given edit distance. edit distance is tricky because efficient word segmentation gets much harder, especially w/ support for l33t substitutions.
'abcde' vs 'a b c d e' is tricky too. i could add special case for spaces only that would allow zxcvbn to recognize 'a b c d e' as a sequence, but it wouldn't cover 'a-b-c-d-e', 'a8b8c8d8e' etc.
zxcvbn gives high entropy for emails because it isn't matching against them currently. if there's good evidence that people commonly use emails as passwords (and crackers try emails as guesses!) it'd be a great pattern to add.
It certainly needs more tweaking. FJ, FJFJ, etc isn't in any of the 10k passwords people commonly use, isn't a sequence, isn't a single repeated character, etc, so zxcvbn recognizes it as bruteforce.
A fun extension would be to recognize repeated chunks in addition to single characters.
That's a great idea. More generally, whatever the approach, I agree zxcvbn would be better with a more conservative rating for non-pattern-matched regions.
Huh, thanks! I suspected it was a security thing, but I've seen some sites where other non-alphaneumeric characters were disallowed as well. :/ At least this makes some sense.
