Fix inconsistent scoring in bruteforce scoring mechanism

Our implementation of saturating exponentiation was incorrect
Closes #15

CHANGELOG.md

@@ -1,5 +1,6 @@
 **Version 0.6.3 (unreleased)**
  - Refactor handling of strings to use streaming of characters. This brings zxcvbn closer to working on UTF-8 inputs.
+ - Fix an issue that would cause bruteforce scores to be too low (https://github.com/shssoichiro/zxcvbn-rs/issues/15)
 
 **Version 0.6.2**
  - Upgrade dependencies and fix linter warnings

src/lib.rs

@@ -149,6 +149,7 @@ mod tests {
     fn test_zxcvbn() {
         let password = "r0sebudmaelstrom11/20/91aaaa";
         let entropy = zxcvbn(password, &[]).unwrap();
+        assert_eq!(entropy.guesses, 473_471_216_704_000);
         assert_eq!(entropy.guesses_log10, 14);
         assert_eq!(entropy.score, 4);
         assert!(!entropy.sequence.is_empty());
@@ -161,4 +162,22 @@ mod tests {
         let entropy = zxcvbn(password, &[]).unwrap();
         assert_eq!(entropy.score, 4);
     }
+
+    #[test]
+    fn test_issue_15_example_1() {
+        let password = "TestMeNow!";
+        let entropy = zxcvbn(password, &[]).unwrap();
+        assert_eq!(entropy.guesses, 372_010_000);
+        assert_eq!(entropy.guesses_log10, 8);
+        assert_eq!(entropy.score, 3);
+    }
+
+    #[test]
+    fn test_issue_15_example_2() {
+        let password = "hey<123";
+        let entropy = zxcvbn(password, &[]).unwrap();
+        assert_eq!(entropy.guesses, 1_010_000);
+        assert_eq!(entropy.guesses_log10, 6);
+        assert_eq!(entropy.score, 2);
+    }
 }

src/scoring.rs

@@ -251,7 +251,7 @@ impl Estimator for BruteForceEstimator {
         let mut guesses = BRUTEFORCE_CARDINALITY;
         let token_len = m.token.chars().count();
         if token_len >= 2 {
-            for _ in 2..token_len {
+            for _ in 2..(token_len + 1) {
                 guesses = guesses.saturating_mul(BRUTEFORCE_CARDINALITY);
             }
         }