NAME

Data::Password::zxcvbn::TimeEstimate - functions to estimate cracking times

VERSION

version 1.0.6

SYNOPSIS

use Data::Password::zxcvbn::TimeEstimate qw(estimate_attack_times);
my $estimates = estimate_attack_times($number_of_guesses);

DESCRIPTION

This module provides functions for back-of-the-envelope crack time estimations, in seconds, based on a few scenarios.

FUNCTIONS

estimate_attack_times

my $estimates = estimate_attack_times($number_of_guesses);

Returns a hashref with two keys:

  • crack_times_seconds

    hashref of back-of-the-envelope crack time estimations, in seconds, based on a few scenarios:

    • online_throttling_100_per_hour

      online attack on a service that rate-limits authentication attempts

    • online_no_throttling_10_per_second

      online attack on a service that doesn't rate-limit, or where an attacker has outsmarted rate-limiting.

    • offline_slow_hashing_1e4_per_second

      offline attack. assumes multiple attackers, proper user-unique salting, and a slow hash function with moderate work factor, such as bcrypt, scrypt, PBKDF2.

    • offline_fast_hashing_1e10_per_second

      offline attack with user-unique salting but a fast hash function like SHA-1, SHA-256 or MD5. A wide range of reasonable numbers anywhere from one billion - one trillion guesses per second, depending on number of cores and machines; ball-parking at 10B/sec.

  • crack_times_display

    same keys as crack_times_seconds, but more useful for display: the values are arrayrefs ["english string",$value] that can be passed to I18N libraries like Locale::Maketext to get localised versions with proper plurals

guesses_to_score

my $score = guesses_to_score($number_of_guesses);

Returns an integer from 0-4 (useful for implementing a strength bar):

  • 0

    too guessable: risky password. (guesses < 10e3)

  • 1

    very guessable: protection from throttled online attacks. (guesses < 10e6)

  • 2

    somewhat guessable: protection from un-throttled online attacks. (guesses < 10e8)

  • 3

    safely un-guessable: moderate protection from offline slow-hash scenario. (guesses < 10e10)

  • 4

    very un-guessable: strong protection from offline slow-hash scenario. (guesses >= 10e10)

display_time

my ($string,@values) = @{ display_time($time) };
print My::Localise->get_handle->maketext($string,@values);

Given a $time in seconds, returns an arrayref suitable for Locale::Maketext, like:

[ 'quant,_1,day', 23 ]

AUTHOR

Gianni Ceccarelli <gianni.ceccarelli@broadbean.com>

COPYRIGHT AND LICENSE

This software is copyright (c) 2022 by BroadBean UK, a CareerBuilder Company.

This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.