Merge branch 'musicsnobj-feature/l33t-exploit'

Daniel Wolf · Daniel Wolf · commit 2b3e11f868d1 · 2025-02-19T12:09:43.000-06:00
* musicsnobj-feature/l33t-exploit:
  use optional third arg instead of env variable for max password length
  fuzzy match all py test versions
  update README w/ tested py versions, try 3.8.* as test version
  remove python 2 condition from mypy job
  add py versions 3.12 and 3.13
  add py versions 3.9, 3.10, 3.11
  trying another tox config
  tweak tox config
  rm reference to requirements.txt
  let tox control pytest version
  try python version 3.8.18 by itself
  update build.yml with python versions supported by Ubuntu 24.04
  try dropping python versions older than 3.6
  try v5 of setup-python gha
  add tox.ini, add python versions to test
  add max password length, default 72, configurable via ZXCVBN_MAX_LENGTH env var
diff --git a/README.rst b/README.rst
@@ -103,6 +103,18 @@ Output:
         }],
     }
 
+Another optional argument is ``max_length``, allowing override of the default max password length of 72.
+.. code:: python
+
+    from zxcvbn import zxcvbn
+
+    results = zxcvbn('JohnSmith321', user_inputs=['John', 'Smith'], max_length=88)
+
+.. warning::
+
+   We strongly advise against setting ``max_length`` greater than 72,
+   as it can lead to long processing times and may leave server-side applications open
+   to denial-of-service scenarios.
 
 Custom Ranked Dictionaries
 --------------------------
@@ -121,18 +133,21 @@ In order to support more languages or just add password dictionaries of your own
 These lists will be added to the current ones, but you can also overwrite the current ones if you wish.
 The lists you add should be in order of how common the word is used with the most common words appearing first.
 
+
 CLI
 ~~~
 
 You an also use zxcvbn from the command line::
 
     echo 'password' | zxcvbn --user-input <user-input> | jq
 
+You can include a ``--max-length`` argument::
+    echo '<long password>' | zxcvbn --max-length 142
+
 You can also execute the zxcvbn module::
 
     echo 'password' | python -m zxcvbn --user-input <user-input> | jq
 
-
 Contribute
 ----------
 
diff --git a/tests/l33t_exploit_test.py b/tests/l33t_exploit_test.py
@@ -0,0 +1,12 @@
+import pytest
+from zxcvbn import zxcvbn
+
+# Test ACsploit-generated password targeting zxcvbn's l33t matching algorithm
+# (see https://github.com/GoSimpleLLC/nbvcxz/issues/60)
+def test_l33t_exploit():
+
+    password = "4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/"
+
+    # Function should raise ValueError for input exceeding default max_length of 72 chars
+    with pytest.raises(ValueError, match="Password exceeds max length of 72 characters"):
+        zxcvbn(password, user_inputs=[None])
diff --git a/tests/zxcvbn_test.py b/tests/zxcvbn_test.py
@@ -1,4 +1,5 @@
 # -*- coding: utf-8 -*-
+import pytest
 from zxcvbn import zxcvbn
 
 
@@ -23,7 +24,7 @@ def test_long_password():
     input_ = None
     password = "weopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioej"
 
-    zxcvbn(password, user_inputs=[input_])
+    zxcvbn(password, user_inputs=[input_], max_length=316)
 
 
 def test_dictionary_password():
diff --git a/zxcvbn/__init__.py b/zxcvbn/__init__.py
@@ -1,8 +1,14 @@
+import os
 from datetime import datetime
 
 from . import matching, scoring, time_estimates, feedback
 
-def zxcvbn(password, user_inputs=None):
+
+def zxcvbn(password, user_inputs=None, max_length=72):
+    # Throw error if password exceeds max length
+    if len(password) > max_length:
+        raise ValueError(f"Password exceeds max length of {max_length} characters.")
+
     try:
         # Python 2 string types
         basestring = (str, unicode)
diff --git a/zxcvbn/__main__.py b/zxcvbn/__main__.py
@@ -16,6 +16,12 @@
     help='user data to be added to the dictionaries that are tested against '
          '(name, birthdate, etc)',
 )
+parser.add_argument(
+    '--max-length',
+    default=72,
+    type=int,
+    help='Override password max length (default: 72)'
+)
 
 class JSONEncoder(json.JSONEncoder):
     def default(self, o):
@@ -36,7 +42,7 @@ def cli():
     else:
         password = getpass.getpass()
 
-    res = zxcvbn(password, user_inputs=args.user_input)
+    res = zxcvbn(password, user_inputs=args.user_input, max_length=args.max_length)
     json.dump(res, sys.stdout, indent=2, cls=JSONEncoder)
     sys.stdout.write('\n')
 
