The phrase nothingtoshare scores a 3 on the JS library (can check with https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html). However, this version gives a score of 0:

$strength = {array} [6]
 crack_time = 18.85575
 calc_time = 0.031842947006226
 password = "nothingtoshare"
 entropy = 18.524645010213
 match_sequence = {array} [3]
 score = 0

Similarly n0th1ngt0sh@re also scores 3, but only a 1 here:

$strength = {array} [6]
 crack_time = 509.10525
 calc_time = 0.059408903121948
 password = "n0th1ngt0sh@re"
 entropy = 23.279532512376
 match_sequence = {array} [3]
  0 = {ZxcvbnPhp\Matchers\L33tMatch} [13]
   sub = {array} [3]
   subDisplay = "0 -> o, 1 -> i, 0 -> o, @ -> a"
   l33t = true
   dictionaryName = "english"
   rank = 155
   matchedWord = "nothing"
   password = "n0th1ngt0sh@re"
   begin = 0
   end = 6
   token = "n0th1ng"
   pattern = "dictionary"
   entropy = null
   cardinality = null
  1 = {ZxcvbnPhp\Matchers\L33tMatch} [13]
  2 = {ZxcvbnPhp\Matchers\L33tMatch} [13]
 score = 1

Not sure if the issue is here or with the DropBox lib.

At least 2 tests are failing on 32-bit computer

There were 2 errors:
1) ZxcvbnPhp\Test\Matchers\MatchTest::testBinomialMirrorIdentity
TypeError: intdiv(): Argument #1 ($num1) must be of type int, float given
/builddir/build/BUILDROOT/php-bjeavons-zxcvbn-php-1.3.0-1.fc35.noarch/usr/share/php/ZxcvbnPhp/Matchers/BaseMatch.php:158
/builddir/build/BUILDROOT/php-bjeavons-zxcvbn-php-1.3.0-1.fc35.noarch/usr/share/php/ZxcvbnPhp/Matchers/BaseMatch.php:130
/builddir/build/BUILD/zxcvbn-php-5268743bffbb8cd182c98a4e79d6ed87004a6621/test/Matchers/MatchTest.php:50
2) ZxcvbnPhp\Test\Matchers\MatchTest::testBinomialPascalsTriangleIdentity
TypeError: intdiv(): Argument #1 ($num1) must be of type int, float given
/builddir/build/BUILDROOT/php-bjeavons-zxcvbn-php-1.3.0-1.fc35.noarch/usr/share/php/ZxcvbnPhp/Matchers/BaseMatch.php:158
/builddir/build/BUILDROOT/php-bjeavons-zxcvbn-php-1.3.0-1.fc35.noarch/usr/share/php/ZxcvbnPhp/Matchers/BaseMatch.php:130
/builddir/build/BUILD/zxcvbn-php-5268743bffbb8cd182c98a4e79d6ed87004a6621/test/Matchers/MatchTest.php:62
ERRORS!

I maintain Password Tools, a free opensource add-on for XenForo forum software which uses this library to offer useful password complexity checks.

As part of updating my code to support php 8.1, this library was identified as having compatibility issues.

This change does the following;

• Document a test case which fails on php 7.2/7.3/7.4/8.0 as-is
• Apply php 7.2+ compatible type hinting to drive discovery of bad type handling
  • getGuesses was documented as returning int but could sometimes return a float. This behaviour was corrected, which required adjusting some tests. I failed to see how it returning a float value is very useful.
• Use the null coalescing operator in a few spots to cleanup the code, and then pick non-null defaults which work with the increasingly type-strict php
• A number of php 8.1 compatibility changes, mostly around using null on internal functions which no longer permit it

This should fix a potential PHP warning:

• foreach() argument must be of type array|object, null given in .../vendor/bjeavons/zxcvbn-php/src/Matchers/L33tMatch.php on line 214

Changed log

• Add the php-7.4 and php-nightly tests.
• Let php-nightly allow to be failed because nobody can guarantee that unstable PHP version will be successful on every Travis CI build.

Case 1: User input having named keys

It's not uncommon to want to take things like a user's name, username, email address, and other user metadata into account when evaluating password strength. These items may already already be available in a string-keyed array such as ['name' => 'bob', 'email' => '[email protected]']. The present implementation will use the string key as the input rank, which causes an error when attempting to take the log() of it.

This is fixed by setting the rank of any user input that has a string key to whatever its numerical position in the user input array is.

Case 2: Matching user input with rank 0 scoring incorrectly

correct horse battery staple with no user input would score a 4, but the same password with ['c'] as the user input changes the score to 0 (which is obviously not correct). This is because a rank of 0 causes an entropy score of -INF, which causes the crack time to evaluate to 0.

This is fixed by ensuring the minimum rank that can be assigned to a value is 1. Any reasonable number would work, but 1 seemed like a fair default, since the default behavior is to use the array index, and 1 is the lowest nonzero positive integer.

PHP Fatal error: Uncaught Error: [] operator not supported for strings in /vendor/bjeavons/zxcvbn-php/src/Matchers/L33tMatch.php:55

any ideas how to fix this ?

I'm running PHP 7.1.0

I already try : $result['sub_display'][] = "{$password[$i]} -> $t";

but I keep getting the same error :(

Stack trace:
#0 //vendor/bjeavons/zxcvbn-php/src/Matcher.php(27): ZxcvbnPhp\Matchers\L33tMatch::match('T3H-1337-P@$$', Array)
#1 //vendor/bjeavons/zxcvbn-php/src/Zxcvbn.php(53): ZxcvbnPhp\Matcher->getMatches('T3H-1337-P@$$', Array)
#2 //vendor/phpauth/phpauth/Auth.php(187): ZxcvbnPhp\Zxcvbn->passwordStrength('T3H-1337-P@$$')
#3 /index.php(25): PHPAuth\Auth->register('[email protected]', 'T3H-1337-P@$$', 'T3H-1337-P@$$')
#4 {main}
  thrown in //vendor/bjeavons/zxcvbn-php/src/Matchers/L33tMatch.php on line 55

Without documented usage of user data argument, php devs would default to passing the array such as

['Marco', '[email protected]']

which fails at dictionary matcher when computing a logarithm of string.

Hi, the password score of JavaScript is not the same as in PHP. I guess that should not be like that?

PHP

array:6 [
  "password" => "1111"
  "score" => 0
]
array:6 [
  "password" => "Monday"
  "score" => 0
]
array:6 [
  "password" => "Mond!ay"
  "score" => 2
]

JavaScript

{
  "password": "111",
  "score": 0
}
{
  "password": "Monday",
  "score": 1
}
{
  "password": "Mond!ay",
  "score": 2
}

Since PHP 7.1.3: this code doesn't work:

$zxcvbn = new Zxcvbn();
$strength = $zxcvbn->passwordStrength("secret");

Error message: "[] operator not supported for strings"

Trace: bjeavons\zxcvbn-php\src\ZxcvbnPhp\Matchers\L33tMatch.php:55 bjeavons\zxcvbn-php\src\ZxcvbnPhp\Matcher.php:27 bjeavons\zxcvbn-php\src\ZxcvbnPhp\Zxcvbn.php:53

When using the library with PHP 7.1, I get this error: PHP Fatal error: Uncaught Error: [] operator not supported for strings in /home/webuser/websites/config.schokokeks.org/htdocs/vendor/bjeavons/zxcvbn-php/src/Matchers/L33tMatch.php:55

The line ist: $result['sub_display'][] = "$password[$i] -> $t";

PHP 7.1 expands the in-string-variable as $password[$i] which is not allowed for strings.

This fix Uncaught TypeError: factorial(): Return value must be of type int, float returned. If the $nparameter in factorial() is bigger than 20, it will cause type error because PHP converts int to float.

Demonstration: https://onlinephp.io/c/3bbad

I don't know if this is a bug or my misunderstanding of the comment in the example, 'echo $weak['feedback']['warning']; // will print user-facing feedback on the password, set only when score <= 2', but I tested with a dictionary word and got back a score of 0 with no warning set:

''' Feb 18 11:43:13 admin php: [password] => everything ... Feb 18 11:43:13 admin php: [sequence] => Array Feb 18 11:43:13 admin php: ( Feb 18 11:43:13 admin php: [0] => ZxcvbnPhp\Matchers\DictionaryMatch Object Feb 18 11:43:13 admin php: ( Feb 18 11:43:13 admin php: [pattern] => dictionary Feb 18 11:43:13 admin php: [dictionaryName] => us_tv_and_film Feb 18 11:43:13 admin php: [rank] => 123 Feb 18 11:43:13 admin php: [matchedWord] => everything Feb 18 11:43:13 admin php: [reversed] => Feb 18 11:43:13 admin php: [l33t] => Feb 18 11:43:13 admin php: [password] => everything Feb 18 11:43:13 admin php: [begin] => 0 Feb 18 11:43:13 admin php: [end] => 9 Feb 18 11:43:13 admin php: [token] => everything Feb 18 11:43:13 admin php: ) Feb 18 11:43:13 admin php: Feb 18 11:43:13 admin php: ) ... Feb 18 11:43:13 admin php: [score] => 0 Feb 18 11:43:13 admin php: [feedback] => Array Feb 18 11:43:13 admin php: ( Feb 18 11:43:13 admin php: [warning] => Feb 18 11:43:13 admin php: [suggestions] => Array Feb 18 11:43:13 admin php: ( Feb 18 11:43:13 admin php: [0] => Add another word or two. Uncommon words are better. Feb 18 11:43:13 admin php: ) Feb 18 11:43:13 admin php: Feb 18 11:43:13 admin php: ) '''

In our project I made the error to check if feedback warning was set as an indication of a score <= 2, so this allowed bypassing the dictionary check - clearly my error, but maybe is a condition that wasn't supposed to happen?

Hello,

I'm currently working on French support and this second PR add gettext usage to allow warning and suggestion messages translation. My modifications:

• use dgettext() to translate warning and suggestion messages from custom text domain ZxcvbnPhp. Note: TimeEstimator::displayTime() method was simplified using dngettext() that handle plural forms.
• Add Locales directory to store translation stuff
• Bind ZxcvbnPhp text domain to Locales directory in Zxcvbn class constructor
• Add extract_messages.sh script that handle messages extractions using xgettext and generate/update Locales/zxcvbn-php.pot file
• Add french translation in Locales/fr_FR.UTF8 directory

This solution permit to easily integrate this library in PHP application that already use gettext for translation. Other applications just have to set locale by setting LANGUAGE environment variable or using setlocale() function.

Hello,

I'm currently working on French support and this first PR add AZERTY keyboard layout support in SpatialMatch. My modifications:

• data-scripts/build_keyboard_adjacency_graphs.py:
  • switch to unicode to allow to handle not-ascii characters in keyboad layouts
  • make some assertion errors more explicit
  • add AZERTY keyboard layout
• src/Matchers/SpatialMatch.php: add AZERTY keyboard layout
• src/Matchers/adjacency_graphs.json: update it using new build_keyboard_adjacency_graphs.py script to add AZERTY keyboard layout

Hello,

Dictionary location is hard-coded in code. As I'm using composer to install/update, I can't update it. Could you please allow a parameter to be able to specify dictionary location?

thanks