[Issue]: Blanket cardinality on brute force

[qawseuk]

Description

First thanks for releasing, trying to educate a business on password practices and this has been fairly reliable in helping go beyond just calculating strength on a pool ^ length basis.

My only issue, and probably one with the underlying library is the default of brute force cardinality being set to 10, when it can be up to 70/90 for completely randomly generated password depending on the special character set. So the password G$y!7u0L = GyuLSgdn = gyulsgdn, despite the pool size being 70 / 52 / 26 (actual entropy of 49.03 / 45.6 / 37.6 Vs library 26.58).

If there is anyway for some settings to toggle the brute force cardinality assumption off or even adjust the variable that would be really helpful. Possibly alongside any settings to tweak the guesses per second as 10 billion Vs 10,000 is a big jump (or aligning them to more real world scenarios like removing the 100 per hour and adding in a ~ 1 million per second for 2x GPUs).

Thanks

Steps to reproduce the issue

1. Any brute force calculation defaults to 10 ^ length

Error messages/logs

No response

Additional context

No response

Terms

• This issue occurs on the latest version.
• This is not a duplicate of another issue.

[StellarSand]

First thanks for releasing, trying to educate a business on password practices and this has been fairly reliable in helping go beyond just calculating strength on a pool ^ length basis.

I’m really glad to hear that the app has been useful in helping with educating businesses on better password practices.

My only issue, and probably one with the underlying library is the default of brute force cardinality being set to 10, when it can be up to 70/90 for completely randomly generated password depending on the special character set. So the password G$y!7u0L = GyuLSgdn = gyulsgdn, despite the pool size being 70 / 52 / 26 (actual entropy of 49.03 / 45.6 / 37.6 Vs library 26.58).

I appreciate you highlighting that discrepancy. I have been calculating entropy using log2(number of guesses) as zxcvbn4j (the library used in this app) doesn't provide a way to get the entropy value from the results. I realize I should be considering different pool sizes and password length to get a more accurate entropy value. I’ll work on adjusting the entropy calculation. As for exactly why the bruteforce cardinality is set to 10 in the library, you'd have to ask the devs of the library.

Possibly alongside any settings to tweak the guesses per second as 10 billion Vs 10,000 is a big jump ... adding in a ~ 1 million per second for 2x GPUs

I haven’t looked too much into modifying the core library classes or implementing a custom class yet, but I'll see if that's possible.

aligning them to more real world scenarios like removing the 100 per hour

10 guesses per second & 100 guesses per hour are primarily intended to represent online cracking scenarios, where constraints like CAPTCHAs, rate limiting, & network speeds significantly slow down the process compared to offline cracking.