ravisorg / mellt Goto Github PK

Try and detect when the user is basing their password off a word (or multiple words) and then calculate brute force time based on that knowledge. Include common things like l33t spelling replacements, mixed case, etc.

Having a bower install for the client, is the only thing this API is lacking. It would be great if it was added. Thanks for the great library!

And when detected, calculate brute force time with that knowledge (or just mark it as zero cost, assuming the date is somehow relevant to the user and that the attacker knows some info about the user).

For example for password 'Af2Baxb8Duo' I have got 50 days to crack from node.js version, and many years from PHP and JS version.

Hi,

I might be mistaking but while I was checking the Node.js implementation of the CheckPassword method, I noticed the following code :

exports.CheckPassword = function(password) {
    //make sure it is lower case, this function can be called by itself
    password = password.toLowerCase();
    var common = CheckCommon(password)
    return common === true ? -1 : BruteForce(password);
}

The method lower-case the password to check it against the dictionary which makes sense. However, we try to brute force the lower-cased password and not the original one. Shouldn't we do this instead ?

exports.CheckPassword = function(password) {
    //make sure it is lower case, this function can be called by itself
    var common = CheckCommon(password.toLowerCase());
    return common === true ? -1 : BruteForce(password);
}

Same goes for the BruteForce method. Why is Mellt testing a lower-cased version of the password ?

Unfortunately raw.github.com is sending the mime type text/plain so people don't use it to host files, but you can use rawgithub.com instead.

I tried several test cases with upper lower and special characters, even banging on the keyboard, and every single response is -1, and I'm pretty sure the password test i am submitting are not in the common-passwords.txt.