Releases: dropbox/zxcvbn

v4.4.2

07 Feb 03:57
  • minor bug fixes

v4.4.1

31 Oct 22:03
  • Fixed a search bug where certain optimal bruteforce matches were being ignored. This fix has a minor impact on performance, but only added 1 millisecond or less to all percentiles in my benchmark.

4.4.0

27 Sep 04:29
  • Fixed a bug in the search algorithm. Discussion here.
  • Minor bug fixes.

4.3.0

25 Feb 07:37
  • shorter and clearer search code with a better runtime bound.
  • new sequence matching that better generalizes to other Unicode alphabets.
  • a few tweaks and bugfixes.

4.2.0

10 Nov 07:24

Overhauled dictionary processing pipeline (scripts in data-scripts).

  • zxcvbn now counts 30k top passwords from Xato.net's 10M password corpus instead of an earlier list of 10k passwords.
  • zxcvbn now counts top words from offline Wikipedia dumps. Instead of 55k words from the Wiktionary TV and movie study, zxcvbn now includes the top 30k tokens from the study and the top 30k tokens from en Wikipedia.
  • Data processing scripts are easier to use and better documented. It's now easy to, for example, add dictionaries obtained from Wikipedia dumps in other locales.

4.1.0

10 Nov 07:19

zxcvbn now includes targeted verbal feedback in addition to score and guess numbers. Verbal feedback is included when score is <=2, and potentially contains a warning and a list of suggestions.

Warnings include messages like "this is a top-10 common password", "dates are easy to guess", "rows of keys are easy to guess".

Suggestions include messages like "add another word or two", "avoid dates that are associated with you", "common substitutions like @ for a don't help very much", etc.

4.0.1

24 Oct 05:42

zxcvbn's search algorithm now penalizes pattern sequence length. The old model optimized:

Product(match.guesses for match in sequence)

The new model optimizes a function that includes both a multiplicative and additive penalty:

factorial(length) * product + D^(length - 1)

See comments in scoring.coffee for intuition around the new model.
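
An added example, not code from zxcvbn or its author: an exact search over constructed candidate matches under both objectives, showing how the length penalty changes which sequence wins. The match format, the `bestSequence` helper, the sample guess counts and the value `D = 10000` are assumptions made for this illustration.

```javascript
// Added illustration, not zxcvbn's code. Matches are {i, j, guesses} with
// inclusive indices; D = 10000 is an assumed value for the "D" above.
const D = 10000;
const factorial = (n) => (n <= 1 ? 1 : n * factorial(n - 1));

// Old objective: product of match.guesses over the sequence.
const oldCost = (product, length) => product;
// New objective: factorial(length) * product + D^(length - 1).
const newCost = (product, length) =>
  factorial(length) * product + Math.pow(D, length - 1);

// best[k][l] holds the lowest-product sequence of exactly l matches covering
// positions 0..k. For a fixed l both objectives rise with the product, so
// keeping one entry per (k, l) and comparing across l at the end is exact.
function bestSequence(n, matches, cost) {
  const best = Array.from({ length: n }, () => ({}));
  for (const m of [...matches].sort((a, b) => a.j - b.j)) {
    const prev = m.i === 0 ? { 0: { product: 1, seq: [] } } : best[m.i - 1];
    for (const [l, p] of Object.entries(prev)) {
      const len = Number(l) + 1;
      const product = p.product * m.guesses;
      if (!best[m.j][len] || product < best[m.j][len].product) {
        best[m.j][len] = { product, seq: [...p.seq, m] };
      }
    }
  }
  let winner = null;
  for (const [l, p] of Object.entries(best[n - 1])) {
    const guesses = cost(p.product, Number(l));
    if (!winner || guesses < winner.guesses) {
      winner = { guesses, length: Number(l), seq: p.seq };
    }
  }
  return winner; // null when no sequence covers the whole password
}

// Constructed candidate matches for an 8-character password (not zxcvbn output).
const SAMPLE = [
  { i: 0, j: 1, guesses: 10 }, { i: 2, j: 3, guesses: 10 },
  { i: 4, j: 5, guesses: 10 }, { i: 6, j: 7, guesses: 10 },
  { i: 0, j: 3, guesses: 500 }, { i: 4, j: 7, guesses: 500 },
  { i: 0, j: 7, guesses: 1e8 }, // single brute-force span
];

const oldPick = bestSequence(8, SAMPLE, oldCost);
const newPick = bestSequence(8, SAMPLE, newCost);
console.log(`old: ${oldPick.length} matches, ${oldPick.guesses} guesses`);
console.log(`new: ${newPick.length} matches, ${newPick.guesses} guesses`);
```

With these constructed inputs the old objective settles on the four-fragment split, while the new one prefers the two-match sequence because the additive term dominates once the sequence grows.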

Backwards-incompatible changes:

  • Most property names changed in the zxcvbn() return object. Removed all mention of entropy in favor of the more intuitive guesses and guesses_log10. (entropy in older versions was just log2 of guesses -- a sloppy use of the term.)
  • Removed crack_time property, added instead a dictionary of crack time estimates under different scenarios -- online throttled/unthrottled, and offline with slow/fast hashing.
  • score is still on a 0-5 scale, but with adjusted thresholds to reflect resistance to some of those attack scenarios.

3.5.0

14 Sep 07:34
  • new implementation of repeat_match, supports multi-character repeat sequences.
  • reversed-word dictionary matches.
  • cross-browser testing with travis-ci, saucelabs and zuul.

3.4.0

08 Sep 06:59

Complete unit tests at roughly 97% code coverage + minor bugfixes.

3.3.0

05 Sep 06:05
  • Rewritten date_matcher that is simpler and more aggressive.
  • New matcher: regex_matcher. Includes year and contiguous digit matching, plus a few new patterns: contiguous symbols, uppers, lowers, alpha, alphanum.
  • unit tests for matching.
  • partial unit tests for scoring.