The password entropy can be higher when the extra_dictionary_words option is used #45

@adam-burney

I parsed a dictionary with words in French and English sorted in alphabetical order and I performed tests with a few passwords equal to dictionary words. I also tested without the dictionary to have reference entropy values and compare. For many words, the password entropy is higher when it is found in the extra dictionary words.

I installed strong_password version 0.0.10 (latest).

```ruby
require "csv"
require "strong_password"

class CheckPasswordComplexityService
  STRONG_PASSWORD_ENTROPY = 20

  attr_writer :password

  # options[:add_extra_dictionary_words] defaults to true; pass false to
  # get the reference entropy without the extra dictionary.
  def initialize(password = "", options = {})
    @password = password
    @add_extra_dictionary_words = (options[:add_extra_dictionary_words] == false) ? false : true
  end

  def self.strong_password_entropy
    STRONG_PASSWORD_ENTROPY
  end

  def calculate_entropy
    strength_checker.calculate_entropy(@password)
  end

  private

  # Builds the checker once and memoizes it.
  def strength_checker
    return @strength_checker if @strength_checker

    config = { use_dictionary: true, min_word_length: 3 }
    config[:extra_dictionary_words] = dictionary_words if @add_extra_dictionary_words == true
    @strength_checker = StrongPassword::StrengthChecker.new(config)
  end

  # line[0] is the first CSV field of each row; chop drops its last character.
  def dictionary_words
    CSV.read("passwords/combined_dictionaries.csv").map { |line| line[0].chop }
  end
end
```

If I inspect my dictionary, I have:

first words: ["a capell", "a cappell", "a contrari", "a fortior", "a giorn", "a jeu", "a l'insta", "a posterior", "a prior", "aa", "aa", "aahe", "aahin", "aah", "aa", "aali", "aalii", "aal", "aa", "aan"]

last words: ["zélée", "zélé", "zénan", "zénit", "zénithal", "zénithale", "zéphir", "zéphy", "zéphyr", "zér", "zéro", "zézai", "zézaiemen", "zézaien", "zézayaien", "zézayan", "zézay", "zézaye", "zézett", "zézette"]

The dictionary has 475063 entries and there is no other data in combined_dictionaries.csv, just the words and line returns, which I removed with chop.
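
An added check, not part of the original report or of the strong_password project: the word lists above contain entries such as "a capell" and "zéphy", which is what `chop` yields on rows that CSV has already parsed without their line terminators. The sketch below uses a constructed sample in place of combined_dictionaries.csv and hypothetical helper names; it compares the posted loader with one that only trims whitespace and reports what each would hand to `extra_dictionary_words`.

```ruby
require "csv"

# Constructed sample standing in for passwords/combined_dictionaries.csv:
# one word per line, including a duplicate and stray whitespace.
SAMPLE_CSV = "a cappella\na priori\naa\naas\n zénith \nzéro\nzéro\n"

# Loader as posted in the issue. CSV rows no longer carry the line
# terminator, so chop removes the last real character of every word.
def load_with_chop(csv_text)
  CSV.parse(csv_text).map { |row| row[0].chop }
end

# Hypothetical replacement: trim whitespace only, skip blank rows,
# and drop duplicate entries.
def load_clean(csv_text)
  CSV.parse(csv_text)
     .map { |row| row[0].to_s.strip }
     .reject(&:empty?)
     .uniq
end

# Sanity report to run on a list before passing it to the checker:
# size, duplicate count, and which expected words are absent.
def dictionary_report(words, expected)
  {
    entries: words.size,
    duplicates: words.size - words.uniq.size,
    missing: expected.reject { |w| words.include?(w) }
  }
end

if __FILE__ == $PROGRAM_NAME
  expected = ["zéro", "zénith", "a priori"]
  puts "chop:  #{dictionary_report(load_with_chop(SAMPLE_CSV), expected)}"
  puts "clean: #{dictionary_report(load_clean(SAMPLE_CSV), expected)}"
end
```

Running the same report against the real file shows whether the password being tested is actually present in the list the checker receives.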
