zxcvbn-ruby 1.4.0 → 2.0.0

data/lib/zxcvbn/omnimatch.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'zxcvbn/dictionary_ranker'
+require 'zxcvbn/trie'
 require 'zxcvbn/matchers/dictionary'
 require 'zxcvbn/matchers/l33t'
 require 'zxcvbn/matchers/spatial'
@@ -11,40 +12,88 @@ require 'zxcvbn/matchers/year'
 require 'zxcvbn/matchers/date'
 
 module Zxcvbn
+  # Runs all registered matchers against a password and aggregates results.
+  #
+  # Includes dictionary, l33t, spatial, digit, repeat, sequence, year, date,
+  # and reverse-dictionary matchers. User-supplied word lists are wrapped in
+  # transient matchers for each call to {#matches}.
+  # @api private
   class Omnimatch
+    # @param data [Data] loaded frequency lists and adjacency graphs
     def initialize(data)
       @data = data
-      @matchers = build_matchers
+      dicts = data.dictionaries
+      @dictionary_matchers = dicts.ranked.map do |name, dictionary|
+        Matchers::Dictionary.new(name, dictionary, dicts.tries[name]).freeze
+      end.freeze
+      @matchers = build_matchers.each(&:freeze).freeze
     end
 
-    def matches(password, user_inputs = [])
-      matchers = @matchers + user_input_matchers(user_inputs)
-      matchers.map do |matcher|
-        matcher.matches(password)
-      end.inject(&:+)
+    # Returns all matches found in the password across every registered matcher.
+    #
+    # @param password [String] the password to analyse
+    # @param user_inputs [Array<String>] caller-supplied words to add as a dictionary
+    # @param reference_year [Integer] year used by the date matcher to pick the closest
+    #   candidate; shared with the scorer so both phases agree even across midnight
+    # @return [Array<MatchBuilder>]
+    def matches(password, user_inputs = [], reference_year: Time.now.year)
+      user_dictionary =
+        user_inputs.any? && Matchers::Dictionary.new('user_inputs', DictionaryRanker.rank_dictionary(user_inputs))
+      matchers = @matchers + user_input_matchers(user_dictionary)
+      all_matches = matchers.flat_map do |matcher|
+        case matcher
+        when Matchers::Date
+          matcher.matches(password, reference_year:)
+        else
+          matcher.matches(password)
+        end
+      end
+      all_matches + reverse_dictionary_matches(password, user_dictionary)
     end
 
     private
 
-    def user_input_matchers(user_inputs)
-      return [] unless user_inputs.any?
+    def user_input_matchers(user_dictionary)
+      return [] unless user_dictionary
 
-      user_ranked_dictionary = DictionaryRanker.rank_dictionary(user_inputs)
-      dictionary_matcher = Matchers::Dictionary.new('user_inputs', user_ranked_dictionary)
-      l33t_matcher = Matchers::L33t.new([dictionary_matcher])
-      [dictionary_matcher, l33t_matcher]
+      [user_dictionary, Matchers::L33t.new([user_dictionary])]
     end
 
-    def build_matchers
-      matchers = []
-      dictionary_matchers = @data.ranked_dictionaries.map do |name, dictionary|
-        trie = @data.dictionary_tries[name]
-        Matchers::Dictionary.new(name, dictionary, trie)
+    # Run dictionary matchers on the reversed password and flip match positions
+    # back to the original password's coordinate space.
+    #
+    # This catches passwords like "drowssap" (reversed "password").
+    # Each returned match has reversed: true and its token restored to the
+    # original (un-reversed) form.
+    #
+    # @param password [String] the original password
+    # @param user_dictionary [Matchers::Dictionary, nil] pre-built user input matcher
+    # @return [Array<MatchBuilder>] dictionary matches found in the reversed password
+    def reverse_dictionary_matches(password, user_dictionary)
+      reversed = password.reverse
+      n = password.length
+
+      matchers = @dictionary_matchers
+      matchers += [user_dictionary] if user_dictionary
+
+      matches = []
+      matchers.each do |matcher|
+        matcher.matches(reversed).each do |match|
+          match.token    = match.token.reverse
+          match.reversed = true
+          old_i  = match.i
+          old_j  = match.j
+          match.i = n - 1 - old_j
+          match.j = n - 1 - old_i
+          matches << match
+        end
       end
-      l33t_matcher = Matchers::L33t.new(dictionary_matchers)
-      matchers += dictionary_matchers
-      matchers += [
-        l33t_matcher,
+      matches
+    end
+
+    def build_matchers
+      @dictionary_matchers + [
+        Matchers::L33t.new(@dictionary_matchers),
         Matchers::Spatial.new(@data.adjacency_graphs),
         Matchers::Digits.new,
         Matchers::Repeat.new,
@@ -52,7 +101,6 @@ module Zxcvbn
         Matchers::Year.new,
         Matchers::Date.new
       ]
-      matchers
     end
   end
 end

data/lib/zxcvbn/ruby.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'zxcvbn'

data/lib/zxcvbn/score.rb

@@ -1,17 +1,41 @@
 # frozen_string_literal: true
 
 module Zxcvbn
-  class Score
-    attr_accessor :entropy, :crack_time, :crack_time_display, :score, :pattern,
-                  :match_sequence, :password, :calc_time, :feedback
+  # The result of analysing a password — returned by {Zxcvbn.test}.
+  #
+  # @!attribute [r] password
+  #   @return [String] the password that was evaluated
+  # @!attribute [r] guesses
+  #   @return [Numeric] estimated number of guesses to crack the password
+  # @!attribute [r] sequence
+  #   @return [Array<Match>] the optimal match sequence
+  # @!attribute [r] crack_times_seconds
+  #   @return [Hash{String => Float}] crack time in seconds per attack scenario
+  # @!attribute [r] crack_times_display
+  #   @return [Hash{String => String}] human-readable crack times per scenario
+  # @!attribute [r] score
+  #   @return [Integer] 0–4 score (0 = very weak, 4 = very strong)
+  # @!attribute [r] calc_time
+  #   @return [Float, nil] time taken to evaluate, in seconds
+  # @!attribute [r] feedback
+  #   @return [Feedback, nil] human-readable feedback for low-scoring passwords
+  Score = ::Data.define(
+    :password, :guesses, :sequence, :crack_times_seconds,
+    :crack_times_display, :score, :calc_time, :feedback
+  ) do
+    def initialize(calc_time: nil, feedback: nil, **kwargs)
+      super(calc_time:, feedback:, **kwargs)
+    end
+
+    # @return [String] a human-readable representation omitting nil fields and password
+    def inspect
+      fields = to_h.reject { |k, v| v.nil? || k == :password }.map { |k, v| "#{k}=#{v.inspect}" }.join(', ')
+      "#<data #{self.class} #{fields}>"
+    end
 
-    def initialize(options = {})
-      @entropy            = options[:entropy]
-      @crack_time         = options[:crack_time]
-      @crack_time_display = options[:crack_time_display]
-      @score              = options[:score]
-      @match_sequence     = options[:match_sequence]
-      @password           = options[:password]
+    # @return [Float, nil] log10 of {#guesses}, or nil if guesses is not set
+    def guesses_log10
+      ::Math.log10(guesses) if guesses
     end
   end
 end

data/lib/zxcvbn/scorer.rb

@@ -1,104 +1,171 @@
 # frozen_string_literal: true
 
-require 'zxcvbn/entropy'
+require 'zxcvbn/guesses'
 require 'zxcvbn/crack_time'
 require 'zxcvbn/score'
-require 'zxcvbn/match'
+require 'zxcvbn/match_builder'
 
 module Zxcvbn
+  # Finds the match sequence that minimises the total number of guesses
+  # required to crack a password, using dynamic programming.
+  # @api private
   class Scorer
-    def initialize(data)
+    include Guesses
+    include CrackTime
+
+    # Hash{Integer => Float} — factorial lookup for the DP hot loop.
+    # Keys must be non-negative integers. Precomputed to 170 (the last value
+    # before overflow); returns Float::MAX for any key > 170.
+    FACTORIAL = (0..170).each_with_object(Hash.new { Float::MAX }) do |n, h|
+      h[n] = n < 2 ? 1.0 : h[n - 1] * n
+    end.freeze
+
+    # Hash{Integer => Float} — powers of {MIN_GUESSES_BEFORE_GROWING_SEQUENCE} for
+    # the additive sequence-length penalty. Keys must be non-negative integers.
+    # Precomputed to 77 (the last value before overflow); returns Float::MAX for
+    # any key > 77.
+    MIN_GUESSES_POW = (0..77).each_with_object(Hash.new { Float::MAX }) do |n, h|
+      h[n] = MIN_GUESSES_BEFORE_GROWING_SEQUENCE.to_f**n
+    end.freeze
+
+    private_constant :FACTORIAL, :MIN_GUESSES_POW
+
+    # @param data [Data] the loaded frequency list and graph data
+    # @param omnimatch [Omnimatch] shared omnimatch instance
+    # @param reference_year [Integer] year used for date/year guess calculations
+    def initialize(data, omnimatch, reference_year)
       @data = data
+      @omnimatch = omnimatch
+      @reference_year = reference_year
+      @repeat_cache = {}
     end
 
     attr_reader :data
 
-    include Entropy
-    include CrackTime
+    # Find the match sequence that minimises total guesses for a password.
+    #
+    # Uses a DP over positions in the password. At each position k and sequence
+    # length l, the total cost is:
+    #   factorial(l) * product_of_guesses + MIN_GUESSES^(l-1)
+    #
+    # The additive penalty discourages padding attacks where an adversary
+    # splits a password into many low-guesses submatches.
+    #
+    # @param password [String] the password to analyse
+    # @param matches [Array<MatchBuilder>] candidate matches from the matchers
+    # @param exclude_additive [Boolean] omit the sequence-length penalty
+    #   (used when recursively analysing repeat base tokens)
+    # @return [Score] the optimal score with match sequence and guess count
+    def most_guessable_match_sequence(password, matches, exclude_additive: false)
+      n = password.length
+
+      return build_score(password, [], 1.0) if n.zero?
+
+      # index matches by their last character
+      matches_by_j = Array.new(n) { [] }
+      matches.each { |m| matches_by_j[m.j] << m }
+      matches_by_j.each { |arr| arr.sort_by!(&:i) }
+
+      # m[k][l]       = best match for a sequence of l matches ending at position k
+      # pi_float[k][l] = cumulative guess product for those l matches as Float (avoids Bignum
+      #                  integer multiplication; each step is Integer × Float → Float)
+      # g[k][l]        = total guesses (FACTORIAL[l] * pi_float + penalty) as Float
+      # g_log10[k][l]  = log10(g[k][l]), used for dominance comparisons (small Float vs Float)
+      m        = Array.new(n) { {} }
+      pi_float = Array.new(n) { {} }
+      g        = Array.new(n) { {} }
+      g_log10  = Array.new(n) { {} }
+
+      update = lambda do |match, l|
+        j       = match.j
+        est     = estimate_guesses(match, password)
+        pi_prev = l > 1 ? pi_float[match.i - 1][l - 1] : 1.0
+        candidate = FACTORIAL[l] * est * pi_prev
+        candidate += MIN_GUESSES_POW[l - 1] unless exclude_additive
+        candidate_log10 = ::Math.log10(candidate)
+        # only improve if no sequence of length <= l ending at j already beats candidate
+        return if g_log10[j].any? { |u, a| u <= l && a <= candidate_log10 }
+
+        g[j][l]         = candidate
+        g_log10[j][l]   = candidate_log10
+        m[j][l]         = match
+        pi_float[j][l]  = est * pi_prev
+      end
+
+      make_bruteforce = lambda do |i, j|
+        MatchBuilder.new(pattern: 'bruteforce', i:, j:)
+      end
 
-    def minimum_entropy_match_sequence(password, matches)
-      bruteforce_cardinality = bruteforce_cardinality(password) # e.g. 26 for lowercase
-      up_to_k = [] # minimum entropy up to k.
-      # for the optimal sequence of matches up to k, holds the final match (match.j == k).
-      # null means the sequence ends w/ a brute-force character.
-      backpointers = []
-      (0...password.length).each do |k|
-        # starting scenario to try and beat: adding a brute-force character to the minimum entropy sequence at k-1.
-        previous_k_entropy = k.positive? ? up_to_k[k - 1] : 0
-        up_to_k[k] = previous_k_entropy + lg(bruteforce_cardinality)
-        backpointers[k] = nil
-        matches.select do |match|
-          match.j == k
-        end.each do |match|
-          i = match.i
-          j = match.j
-          # see if best entropy up to i-1 + entropy of this match is less than the current minimum at j.
-          previous_i_entropy = i.positive? ? up_to_k[i - 1] : 0
-          candidate_entropy = previous_i_entropy + calc_entropy(match)
-          if up_to_k[j] && candidate_entropy < up_to_k[j]
-            up_to_k[j] = candidate_entropy
-            backpointers[j] = match
+      (0...n).each do |k|
+        matches_by_j[k].each do |match|
+          if match.i.positive?
+            m[match.i - 1].each_key { |l| update.call(match, l + 1) }
+          else
+            update.call(match, 1)
           end
         end
-      end
 
-      # walk backwards and decode the best sequence
-      match_sequence = []
-      k = password.length - 1
-      while k >= 0
-        match = backpointers[k]
-        if match
-          match_sequence.unshift match
-          k = match.i - 1
-        else
-          k -= 1
+        # try bruteforce segments ending at k
+        update.call(make_bruteforce.call(0, k), 1)
+        (1..k).each do |t|
+          bf = make_bruteforce.call(t, k)
+          m[t - 1].each do |l, prev_match|
+            update.call(bf, l + 1) unless prev_match.pattern == 'bruteforce'
+          end
         end
       end
 
-      match_sequence = pad_with_bruteforce_matches(match_sequence, password, bruteforce_cardinality)
-      score_for(password, match_sequence, up_to_k)
-    end
+      # find sequence length with minimum guesses at position n-1
+      optimal_l = g_log10[n - 1].min_by { |_, v| v }&.first
+      total_guesses = optimal_l ? g[n - 1][optimal_l] : 1
 
-    def score_for(password, match_sequence, up_to_k)
-      min_entropy = up_to_k[password.length - 1] || 0 # or 0 corner case is for an empty password ''
-      crack_time = entropy_to_crack_time(min_entropy)
+      # backtrack to reconstruct sequence
+      sequence = []
+      k = n - 1
+      l = optimal_l
+      while k >= 0
+        match = m[k][l]
+        match.token ||= password.slice(match.i, match.j - match.i + 1)
+        sequence.unshift(match.build)
+        k = match.i - 1
+        l -= 1
+      end
 
-      # final result object
-      Score.new(
-        password: password,
-        entropy: min_entropy.round(3),
-        match_sequence: match_sequence,
-        crack_time: crack_time.round(3),
-        crack_time_display: display_time(crack_time),
-        score: crack_time_to_score(crack_time)
-      )
+      build_score(password, sequence, total_guesses)
     end
 
-    def pad_with_bruteforce_matches(match_sequence, password, bruteforce_cardinality)
-      k = 0
-      match_sequence_copy = []
-      match_sequence.each do |match|
-        match_sequence_copy << make_bruteforce_match(password, k, match.i - 1, bruteforce_cardinality) if match.i > k
-        k = match.j + 1
-        match_sequence_copy << match
-      end
-      if k < password.length
-        match_sequence_copy << make_bruteforce_match(password, k, password.length - 1, bruteforce_cardinality)
+    # Compute guesses for a repeat match by recursively scoring the base token.
+    #
+    # @param match [MatchBuilder] a repeat match with base_token set
+    # @return [Numeric] base_guesses * repeat_count
+    def repeat_guesses(match)
+      if match.base_guesses.nil?
+        # The same base_token can appear in multiple distinct match objects when
+        # a repeated token occurs at several positions in the password. Cache by
+        # string so each unique base_token is scored at most once per scoring run.
+        match.base_guesses = @repeat_cache[match.base_token] ||= begin
+          base_matches = @omnimatch.matches(match.base_token, reference_year: @reference_year)
+          most_guessable_match_sequence(match.base_token, base_matches).guesses
+        end
       end
-      match_sequence_copy
+      match.base_guesses * match.repeat_count
     end
 
-    # fill in the blanks between pattern matches with bruteforce "matches"
-    # that way the match sequence fully covers the password:
-    # match1.j == match2.i - 1 for every adjacent match1, match2.
-    def make_bruteforce_match(password, i, j, bruteforce_cardinality)
-      Match.new(
-        pattern: 'bruteforce',
-        i: i,
-        j: j,
-        token: password.slice(i, j - i + 1),
-        entropy: lg(bruteforce_cardinality**(j - i + 1)),
-        cardinality: bruteforce_cardinality
+    private
+
+    # @param password [String]
+    # @param sequence [Array<Match>]
+    # @param guesses [Float]
+    # @return [Score]
+    def build_score(password, sequence, guesses)
+      attack_times = estimate_attack_times(guesses)
+      Score.new(
+        password:,
+        guesses:,
+        sequence: sequence.freeze,
+        crack_times_seconds: attack_times[:crack_times_seconds].freeze,
+        crack_times_display: attack_times[:crack_times_display].freeze,
+        score: guesses_to_score(guesses)
       )
     end
   end

data/lib/zxcvbn/tester.rb

@@ -1,43 +1,78 @@
 # frozen_string_literal: true
 
-require 'zxcvbn/data'
-require 'zxcvbn/password_strength'
+require 'zxcvbn/clock'
+require 'zxcvbn/feedback_giver'
+require 'zxcvbn/omnimatch'
+require 'zxcvbn/scorer'
 
 module Zxcvbn
-  # Allows you to test the strength of multiple passwords without reading and
-  # parsing the dictionary data from disk each test. Dictionary data is read
-  # once from disk and stored in memory for the life of the Tester object.
-  #
-  # Example:
-  #
-  #   tester = Zxcvbn::Tester.new
+  # Raised when a password exceeds the configured maximum length.
+  # Inherits from +ArgumentError+ for backward compatibility with existing
+  # +rescue ArgumentError+ clauses.
+  class PasswordTooLong < ArgumentError; end
+
+  # Evaluates password strength against dictionary lists, keyboard patterns,
+  # dates, sequences, and repeats. Construct via {Zxcvbn.tester_builder}:
   #
-  #   tester.add_word_lists("custom" => ["words"])
+  #   tester = Zxcvbn
+  #     .tester_builder
+  #     .add_word_list('company', %w[acme corp])
+  #     .build
   #
   #   tester.test("password 1")
   #   tester.test("password 2")
-  #   tester.test("password 3")
   class Tester
-    def initialize
-      @data = Data.new
+    # @param data [Data] pre-configured data
+    # @param max_password_length [Integer] passwords longer than this raise
+    #   {PasswordTooLong} from {#test}
+    # @raise [ArgumentError] if max_password_length is not a positive integer
+    def initialize(data:, max_password_length:)
+      unless max_password_length.is_a?(Integer) && max_password_length.positive?
+        raise ArgumentError,
+              "max_password_length must be a positive integer; got #{max_password_length.inspect}"
+      end
+
+      @data = data
+      @max_password_length = max_password_length
+      @omnimatch = Omnimatch.new(@data).freeze
     end
 
+    attr_reader :max_password_length
+
+    # Evaluates a password and returns a {Score}.
+    #
+    # Raises {PasswordTooLong} if the password exceeds the +max_password_length+
+    # passed to {#initialize}. The limit exists because scoring time grows
+    # super-quadratically on adversarial inputs such as short repeated sequences
+    # (e.g. <tt>"ab" * 500</tt>).
+    #
+    # @param password [String] the password to evaluate
+    # @param user_inputs [Array<String>] caller-supplied words to treat as known
+    # @return [Score]
+    # @raise [PasswordTooLong] if the password exceeds the maximum length
     def test(password, user_inputs = [])
-      PasswordStrength.new(@data).test(password, sanitize(user_inputs))
-    end
+      password ||= ''
+      user_inputs = Array(user_inputs).select { |i| i.is_a?(String) }
+      if password.length > @max_password_length
+        raise PasswordTooLong, "Password exceeds the maximum length of #{@max_password_length}."
+      end
 
-    def add_word_lists(lists)
-      lists.each_pair { |name, words| @data.add_word_list(name, sanitize(words)) }
+      result = nil
+      calc_time = Clock.realtime do
+        reference_year = Time.now.year
+        scorer = Scorer.new(@data, @omnimatch, reference_year)
+        matches = @omnimatch.matches(password, user_inputs, reference_year:)
+        result = scorer.most_guessable_match_sequence(password, matches)
+      end
+      result.with(
+        calc_time:,
+        feedback: FeedbackGiver.get_feedback(result.score, result.sequence)
+      )
     end
 
+    # @return [String] a concise representation that omits the large dictionary data
     def inspect
       "#<#{self.class}:0x#{__id__.to_s(16)}>"
     end
-
-    private
-
-    def sanitize(user_inputs)
-      user_inputs.select { |i| i.respond_to?(:downcase) }
-    end
   end
 end

data/lib/zxcvbn/tester_builder.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+require 'zxcvbn/data'
+require 'zxcvbn/tester'
+
+module Zxcvbn
+  # Fluent builder for constructing a {Tester} with custom word lists and options.
+  #
+  # Obtain a builder via {Zxcvbn.tester_builder} and call {#build} to get the {Tester}.
+  #
+  # Example:
+  #
+  #   tester = Zxcvbn
+  #     .tester_builder
+  #     .add_word_list('company', %w[acme corp])
+  #     .max_password_length(75)
+  #     .build
+  class TesterBuilder
+    # Default maximum password length used when neither {#max_password_length} nor
+    # the +ZXCVBN_MAX_PASSWORD_LENGTH+ environment variable is set.
+    DEFAULT_MAX_PASSWORD_LENGTH = 256
+
+    def initialize
+      @word_lists = {}
+      @max_password_length = nil
+    end
+
+    # @param name [String] identifier for the word list; calling with the same name twice replaces the earlier list
+    # @param words [Array<String>, String] words to add; non-String elements are silently ignored during matching
+    # @return [self]
+    # @raise [ArgumentError] if name collides with a built-in dictionary name or +"user_inputs"+
+    def add_word_list(name, words)
+      if Data::RESERVED_NAMES.include?(name)
+        raise ArgumentError,
+              "#{name.inspect} is a reserved dictionary name; use a different name for custom word lists"
+      end
+
+      @word_lists[name] = Array(words)
+      self
+    end
+
+    # @param length [Integer] maximum password length for the built {Tester}
+    # @return [self]
+    # @raise [ArgumentError] if length is not a positive integer
+    def max_password_length(length)
+      unless length.is_a?(Integer) && length.positive?
+        raise ArgumentError, "max_password_length must be a positive integer; got #{length.inspect}"
+      end
+
+      @max_password_length = length
+      self
+    end
+
+    # @return [Tester]
+    # @raise [ArgumentError] if max_password_length or ZXCVBN_MAX_PASSWORD_LENGTH is not a positive integer
+    def build
+      data = Data.new
+      @word_lists.each_pair { |name, words| data.add_word_list(name, words) }
+      Tester.new(data: data.freeze, max_password_length: effective_max_password_length).freeze
+    end
+
+    private
+
+    def effective_max_password_length
+      return @max_password_length if @max_password_length
+
+      env_str = ENV['ZXCVBN_MAX_PASSWORD_LENGTH']
+      return DEFAULT_MAX_PASSWORD_LENGTH unless env_str
+
+      value = begin
+        Integer(env_str, 10)
+      rescue ArgumentError
+        raise ArgumentError, "ZXCVBN_MAX_PASSWORD_LENGTH must be a positive integer; got #{env_str.inspect}"
+      end
+
+      unless value.positive?
+        raise ArgumentError, "ZXCVBN_MAX_PASSWORD_LENGTH must be a positive integer; got #{env_str.inspect}"
+      end
+
+      value
+    end
+  end
+end

data/lib/zxcvbn/trie.rb

@@ -5,7 +5,17 @@ module Zxcvbn
   # Provides fast prefix-based lookups to eliminate unnecessary substring checks.
   #
   # @see https://en.wikipedia.org/wiki/Trie
+  # @api private
   class Trie
+    # Build a trie from a ranked dictionary hash.
+    # @param ranked_dictionary [Hash{String => Integer}] word → rank
+    # @return [Trie]
+    def self.from_ranked(ranked_dictionary)
+      trie = new
+      ranked_dictionary.each { |word, rank| trie.insert(word, rank) }
+      trie
+    end
+
     def initialize
       @root = {}
     end
@@ -40,5 +50,16 @@ module Zxcvbn
 
       results
     end
+
+    def inspect = "#<#{self.class}:0x#{__id__.to_s(16)}>"
+
+    def freeze
+      stack = [@root]
+      while (node = stack.pop)
+        node.each_value { |v| stack.push(v) if v.is_a?(Hash) }
+        node.freeze
+      end
+      super
+    end
   end
 end

data/lib/zxcvbn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Zxcvbn
-  VERSION = '1.4.0'
+  VERSION = '2.0.0'
 end