zxcvbn 0.1.2 → 0.1.7

data/lib/zxcvbn/scoring.rb

@@ -6,44 +6,40 @@ module Zxcvbn
     # this calculates the average over all keys.
     def self.calc_average_degree(graph)
       average = 0
-      graph.each do |key, neighbors|
-        average += neighbors.count {|n| n }.to_f
+      graph.each do |_key, neighbors|
+        average += neighbors.count { |n| n }.to_f
       end
       average /= graph.keys.size.to_f
-      return average
+      average
     end
 
     BRUTEFORCE_CARDINALITY = 10
 
-    MIN_GUESSES_BEFORE_GROWING_SEQUENCE = 10000
+    MIN_GUESSES_BEFORE_GROWING_SEQUENCE = 10_000
 
     MIN_SUBMATCH_GUESSES_SINGLE_CHAR = 10
 
     MIN_SUBMATCH_GUESSES_MULTI_CHAR = 50
 
-    def self.nCk(n, k)
+    def self.nck(n, k) # rubocop:disable Naming/MethodParameterName
       # http://blog.plover.com/math/choose.html
-      if k > n
-        return 0.0
-      end
-      if k == 0
-        return 1.0
-      end
+      return 0.0 if k > n
+      return 1.0 if k == 0
+
       r = 1.0
       (1..k).each do |d|
         r *= n
         r /= d
         n -= 1.0
       end
-      return r
+      r
     end
 
-    def self.factorial(n)
+    def self.factorial(n) # rubocop:disable Naming/MethodParameterName
       # unoptimized, called only on small n
-      if n < 2
-        return 1
-      end
-      return (2..n).reduce(&:*)
+      return 1 if n < 2
+
+      (2..n).reduce(&:*)
     end
 
     # ------------------------------------------------------------------------------
@@ -78,7 +74,7 @@ module Zxcvbn
     #    D^(l-1) approximates Sum(D^i for i in [1..l-1]
 
     # ------------------------------------------------------------------------------
-    def self.most_guessable_match_sequence(password, matches, _exclude_additive = false)
+    def self.most_guessable_match_sequence(password, matches, _exclude_additive: false)
       n = password.length
       # partition matches into sublists according to ending index j
       matches_by_j = (0...n).map { [] }
@@ -88,7 +84,7 @@ module Zxcvbn
 
       # small detail: for deterministic output, sort each sublist by i.
       matches_by_j.each do |lst|
-        lst.sort_by!{|m| m["i"] }
+        lst.sort_by! { |m| m["i"] }
       end
 
       optimal = {
@@ -101,12 +97,12 @@ module Zxcvbn
         # optimal.pi allows for fast (non-looping) updates to the minimization function.
         "pi" => (0...n).map { {} },
         # same structure as optimal.m -- holds the overall metric.
-        "g" => (0...n).map { {} },
+        "g" => (0...n).map { {} }
       }
 
       # helper: considers whether a length-l sequence ending at match m is better (fewer guesses)
       # than previously encountered sequences, updating state if so.
-      update = -> (m, l) do
+      update = lambda do |m, l|
         k = m["j"]
         pi = estimate_guesses(m, password)
         if l > 1
@@ -117,30 +113,28 @@ module Zxcvbn
         end
         # calculate the minimization func
         g = factorial(l) * pi
-        if !_exclude_additive
-          g += MIN_GUESSES_BEFORE_GROWING_SEQUENCE ** (l - 1)
-        end
+        g += MIN_GUESSES_BEFORE_GROWING_SEQUENCE**(l - 1) if !_exclude_additive
         # update state if new best.
         # first see if any competing sequences covering this prefix, with l or fewer matches,
         # fare better than this sequence. if so, skip it and return.
-        optimal["g"][k].each do |competing_l, competing_g|
-          if competing_l > l
-            next
-          end
-          if competing_g <= g
-            return
-          end
+        optimal["g"][k].find do |competing_l, competing_g|
+          next if competing_l > l
+          return nil if competing_g <= g
         end
         # this sequence might be part of the final optimal sequence.
         optimal["g"][k][l] = g
         optimal["m"][k][l] = m
         optimal["pi"][k][l] = pi
+
+        optimal["g"][k] = optimal["g"][k].sort.to_h
+        optimal["m"][k] = optimal["m"][k].sort.to_h
+        optimal["pi"][k] = optimal["pi"][k].sort.to_h
       end
 
       # helper: make bruteforce match objects spanning i to j, inclusive.
-      make_bruteforce_match = -> (i, j) do
+      make_bruteforce_match = lambda do |i, j|
         return {
-          "pattern" => 'bruteforce',
+          "pattern" => "bruteforce",
           "token" => password[i..j],
           "i" => i,
           "j" => j
@@ -148,7 +142,7 @@ module Zxcvbn
       end
 
       # helper: evaluate bruteforce matches ending at k.
-      bruteforce_update = -> (k) do
+      bruteforce_update = lambda do |k|
         # see if a single bruteforce match spanning the k-prefix is optimal.
         m = make_bruteforce_match.call(0, k)
         update.call(m, 1)
@@ -156,16 +150,14 @@ module Zxcvbn
           # generate k bruteforce matches, spanning from (i=1, j=k) up to (i=k, j=k).
           # see if adding these new matches to any of the sequences in optimal[i-1]
           # leads to new bests.
-          m = make_bruteforce_match.call(i, k);
-          optimal["m"][i-1].each do |l, last_m|
-            l = l.to_i
+          m = make_bruteforce_match.call(i, k)
+          optimal["m"][i - 1].each do |l, last_m|
             # corner: an optimal sequence will never have two adjacent bruteforce matches.
             # it is strictly better to have a single bruteforce match spanning the same region:
             # same contribution to the guess product with a lower length.
             # --> safe to skip those cases.
-            if last_m["pattern"] == 'bruteforce'
-              next
-            end
+            next if last_m["pattern"] == "bruteforce"
+
             # try adding m to this length-l sequence.
             update.call(m, l + 1)
           end
@@ -174,11 +166,11 @@ module Zxcvbn
 
       # helper: step backwards through optimal.m starting at the end,
       # constructing the final optimal match sequence.
-      unwind = -> (n) do
+      unwind = lambda do |n2|
         optimal_match_sequence = []
-        k = n - 1
+        k = n2 - 1
         # find the final best sequence length and score
-        l, g = (optimal["g"][k] || []).min_by{|candidate_l, candidate_g| candidate_g || 0 }
+        l, _g = (optimal["g"][k] || []).min_by { |_candidate_l, candidate_g| candidate_g || 0 }
         while k >= 0
           m = optimal["m"][k][l]
           optimal_match_sequence.unshift(m)
@@ -191,7 +183,7 @@ module Zxcvbn
       (0...n).each do |k|
         matches_by_j[k].each do |m|
           if m["i"] > 0
-            optimal["m"][m["i"] - 1].keys.each do |l|
+            optimal["m"][m["i"] - 1].each_key do |l|
               update.call(m, l + 1)
             end
           else
@@ -205,14 +197,14 @@ module Zxcvbn
       optimal_l = optimal_match_sequence.length
 
       # corner: empty password
-      if password.length == 0
-        guesses = 1
+      guesses = if password.empty?
+        1
       else
-        guesses = optimal["g"][n - 1][optimal_l]
+        optimal["g"][n - 1][optimal_l]
       end
 
       # final result object
-      return {
+      {
         "password" => password,
         "guesses" => guesses,
         "guesses_log10" => Math.log10(guesses),
@@ -227,6 +219,7 @@ module Zxcvbn
       if match["guesses"]
         return match["guesses"] # a match's guess estimate doesn't change. cache it.
       end
+
       min_guesses = 1
       if match["token"].length < password.length
         min_guesses = if match["token"].length == 1
@@ -242,22 +235,20 @@ module Zxcvbn
         "repeat" => method(:repeat_guesses),
         "sequence" => method(:sequence_guesses),
         "regex" => method(:regex_guesses),
-        "date" => method(:date_guesses),
+        "date" => method(:date_guesses)
       }
       guesses = estimation_functions[match["pattern"]].call(match)
       match["guesses"] = [guesses, min_guesses].max
       match["guesses_log10"] = Math.log10(match["guesses"])
-      return match["guesses"]
+      match["guesses"]
     end
 
-    MAX_VALUE = 2 ** 1024
+    MAX_VALUE = 2**1024
 
     def self.bruteforce_guesses(match)
-      guesses = BRUTEFORCE_CARDINALITY ** match["token"].length
+      guesses = BRUTEFORCE_CARDINALITY**match["token"].length
       # trying to match JS behaviour here setting a MAX_VALUE to try to acheieve same values as JS library.
-      if guesses > MAX_VALUE
-        guesses = MAX_VALUE
-      end
+      guesses = MAX_VALUE if guesses > MAX_VALUE
 
       # small detail: make bruteforce matches at minimum one guess bigger than smallest allowed
       # submatch guesses, such that non-bruteforce submatches over the same [i..j] take precedence.
@@ -271,29 +262,27 @@ module Zxcvbn
     end
 
     def self.repeat_guesses(match)
-      return match["base_guesses"] * match["repeat_count"]
+      match["base_guesses"] * match["repeat_count"]
     end
 
     def self.sequence_guesses(match)
       first_chr = match["token"][0]
       # lower guesses for obvious starting points
-      if ['a', 'A', 'z', 'Z', '0', '1', '9'].include?(first_chr)
-        base_guesses = 4
+      base_guesses = if ["a", "A", "z", "Z", "0", "1", "9"].include?(first_chr)
+        4
+      elsif first_chr.match?(/\d/)
+        10
       else
-        if first_chr.match?(/\d/)
-          base_guesses = 10 # digits
-        else
-          # could give a higher base for uppercase,
-          # assigning 26 to both upper and lower sequences is more conservative.
-          base_guesses = 26
-        end
+        # could give a higher base for uppercase,
+        # assigning 26 to both upper and lower sequences is more conservative.
+        26
       end
       if !match["ascending"]
         # need to try a descending sequence in addition to every ascending sequence ->
         # 2x guesses
         base_guesses *= 2
       end
-      return base_guesses * match["token"].length
+      base_guesses * match["token"].length
     end
 
     MIN_YEAR_SPACE = 20
@@ -308,14 +297,14 @@ module Zxcvbn
         "digits" => 10,
         "symbols" => 33
       }
-      if char_class_bases.has_key? match["regex_name"]
-        return char_class_bases[match["regex_name"]] ** match["token"].length
-      elsif match["regex_name"] == 'recent_year'
+      if char_class_bases.key? match["regex_name"]
+        char_class_bases[match["regex_name"]]**match["token"].length
+      elsif match["regex_name"] == "recent_year"
         # conservative estimate of year space: num years from REFERENCE_YEAR.
         # if year is close to REFERENCE_YEAR, estimate a year space of MIN_YEAR_SPACE.
         year_space = (match["regex_match"][0].to_i - REFERENCE_YEAR).abs
-        year_space = [year_space, MIN_YEAR_SPACE].max
-        return year_space
+        [year_space, MIN_YEAR_SPACE].max
+
       end
     end
 
@@ -328,23 +317,23 @@ module Zxcvbn
         # add factor of 4 for separator selection (one of ~4 choices)
         guesses *= 4
       end
-      return guesses
+      guesses
     end
 
-    KEYBOARD_AVERAGE_DEGREE = calc_average_degree(ADJACENCY_GRAPHS["qwerty"])
+    KEYBOARD_AVERAGE_DEGREE = calc_average_degree(ADJACENCY_GRAPHS["qwerty"]).freeze
     # slightly different for keypad/mac keypad, but close enough
-    KEYPAD_AVERAGE_DEGREE = calc_average_degree(ADJACENCY_GRAPHS["keypad"])
+    KEYPAD_AVERAGE_DEGREE = calc_average_degree(ADJACENCY_GRAPHS["keypad"]).freeze
 
     KEYBOARD_STARTING_POSITIONS = ADJACENCY_GRAPHS["qwerty"].keys.size
     KEYPAD_STARTING_POSITIONS = ADJACENCY_GRAPHS["keypad"].keys.size
 
     def self.spatial_guesses(match)
-      if ['qwerty', 'dvorak'].include?(match["graph"])
-        s = KEYBOARD_STARTING_POSITIONS;
-        d = KEYBOARD_AVERAGE_DEGREE;
+      if ["qwerty", "dvorak"].include?(match["graph"])
+        s = KEYBOARD_STARTING_POSITIONS
+        d = KEYBOARD_AVERAGE_DEGREE
       else
-        s = KEYPAD_STARTING_POSITIONS;
-        d = KEYPAD_AVERAGE_DEGREE;
+        s = KEYPAD_STARTING_POSITIONS
+        d = KEYPAD_AVERAGE_DEGREE
       end
       guesses = 0.0
       ll = match["token"].length
@@ -353,7 +342,7 @@ module Zxcvbn
       (2..ll).each do |i|
         possible_turns = [t, i - 1].min
         (1..possible_turns).each do |j|
-          guesses += nCk((i - 1).to_f, (j - 1).to_f) * s.to_f * (d.to_f ** j.to_f)
+          guesses += nck((i - 1).to_f, (j - 1).to_f) * s.to_f * (d.to_f**j.to_f)
         end
       end
       # add extra guesses for shifted keys. (% instead of 5, A instead of a.)
@@ -366,12 +355,12 @@ module Zxcvbn
         else
           shifted_variations = 0
           (1..[ss, uu].min).each do |i|
-            shifted_variations += nCk((ss + uu).to_f, i.to_f)
+            shifted_variations += nck((ss + uu).to_f, i.to_f)
           end
           guesses *= shifted_variations
         end
       end
-      return guesses
+      guesses
     end
 
     def self.dictionary_guesses(match)
@@ -379,49 +368,45 @@ module Zxcvbn
       match["uppercase_variations"] = uppercase_variations(match)
       match["l33t_variations"] = l33t_variations(match)
       reversed_variations = match["reversed"] && 2 || 1
-      return match["base_guesses"] * match["uppercase_variations"] * match["l33t_variations"] * reversed_variations
+      match["base_guesses"] * match["uppercase_variations"] * match["l33t_variations"] * reversed_variations
     end
 
-    START_UPPER = /^[A-Z][^A-Z]+$/
-    END_UPPER = /^[^A-Z]+[A-Z]$/
-    ALL_UPPER = /^[^a-z]+$/
-    ALL_LOWER = /^[^A-Z]+$/
+    START_UPPER = /^[A-Z][^A-Z]+$/.freeze
+    END_UPPER = /^[^A-Z]+[A-Z]$/.freeze
+    ALL_UPPER = /^[^a-z]+$/.freeze
+    ALL_LOWER = /^[^A-Z]+$/.freeze
 
     def self.uppercase_variations(match)
       word = match["token"]
-      if word.match?(ALL_LOWER) || word.downcase === word
-        return 1
-      end
+      return 1 if word.match?(ALL_LOWER) || word.downcase == word
+
       # a capitalized word is the most common capitalization scheme,
       # so it only doubles the search space (uncapitalized + capitalized).
       # allcaps and end-capitalized are common enough too, underestimate as 2x factor to be safe.
       [START_UPPER, END_UPPER, ALL_UPPER].each do |regex|
-        if word.match?(regex)
-          return 2
-        end
+        return 2 if word.match?(regex)
       end
       # otherwise calculate the number of ways to capitalize U+L uppercase+lowercase letters
       # with U uppercase letters or less. or, if there's more uppercase than lower (for eg. PASSwORD),
       # the number of ways to lowercase U+L letters with L lowercase letters or less.
-      uu = word.split("").count{|chr| chr.match?(/[A-Z]/)}
-      ll = word.split("").count{|chr| chr.match?(/[a-z]/)}
-      variations = 0;
+      uu = word.chars.count { |chr| chr.match?(/[A-Z]/) }
+      ll = word.chars.count { |chr| chr.match?(/[a-z]/) }
+      variations = 0
       (1..[uu, ll].min).each do |i|
-        variations += nCk(uu + ll, i)
+        variations += nck(uu + ll, i)
       end
-      return variations
+      variations
     end
 
     def self.l33t_variations(match)
-      if !match["l33t"]
-        return 1
-      end
+      return 1 if !match["l33t"]
+
       variations = 1
       match["sub"].each do |subbed, unsubbed|
         # lower-case match.token before calculating: capitalization shouldn't affect l33t calc.
-        chrs = match["token"].downcase.split('')
-        ss = chrs.count{|chr| chr == subbed }
-        uu = chrs.count{|chr| chr == unsubbed }
+        chrs = match["token"].downcase.chars
+        ss = chrs.count { |chr| chr == subbed }
+        uu = chrs.count { |chr| chr == unsubbed }
         if ss == 0 || uu == 0
           # for this sub, password is either fully subbed (444) or fully unsubbed (aaa)
           # treat that as doubling the space (attacker needs to try fully subbed chars in addition to
@@ -433,12 +418,12 @@ module Zxcvbn
           p = [uu, ss].min
           possibilities = 0
           (1..p).each do |i|
-            possibilities += nCk(uu + ss, i)
+            possibilities += nck(uu + ss, i)
           end
           variations *= possibilities
         end
       end
-      return variations
+      variations
     end
   end
 end

data/lib/zxcvbn/time_estimates.rb

@@ -9,36 +9,36 @@ module Zxcvbn
         "offline_slow_hashing_1e4_per_second" => guesses / 1e4,
         "offline_fast_hashing_1e10_per_second" => guesses / 1e10
       }
-      crack_times_display = {};
+      crack_times_display = {}
       crack_times_seconds.each do |scenario, seconds|
         crack_times_display[scenario] = display_time(seconds)
       end
 
-      return {
+      {
         "crack_times_seconds" => crack_times_seconds,
         "crack_times_display" => crack_times_display,
-        "score" => guesses_to_score(guesses),
+        "score" => guesses_to_score(guesses)
       }
     end
 
     def self.guesses_to_score(guesses)
-      delta = 5;
+      delta = 5
       if guesses < 1e3 + delta
         # risky password: "too guessable"
-        return 0
+        0
       elsif guesses < 1e6 + delta
         # modest protection from throttled online attacks: "very guessable"
-        return 1
+        1
       elsif guesses < 1e8 + delta
         # modest protection from unthrottled online attacks: "somewhat guessable"
-        return 2
+        2
       elsif guesses < 1e10 + delta
         # modest protection from offline attacks: "safely unguessable"
         # assuming a salted, slow hash function like bcrypt, scrypt, PBKDF2, argon, etc
-        return 3
+        3
       else
         # strong protection from offline attacks under same scenario: "very unguessable"
-        return 4
+        4
       end
     end
 
@@ -50,7 +50,7 @@ module Zxcvbn
       year = month * 12
       century = year * 100
       display_num, display_str = if seconds < 1
-        [nil, 'less than a second']
+        [nil, "less than a second"]
       elsif seconds < minute
         base = seconds.round
         [base, "#{base} second"]
@@ -70,11 +70,9 @@ module Zxcvbn
         base = (seconds / year).round
         [base, "#{base} year"]
       else
-        [nil, 'centuries']
-      end
-      if display_num && display_num != 1
-        display_str += 's'
+        [nil, "centuries"]
       end
+      display_str += "s" if display_num && display_num != 1
       display_str
     end
   end