use optional third arg instead of env variable for max password length

musicsnobj · musicsnobj · commit 1ed43f525e6c · 2025-02-18T12:03:54.000-06:00
diff --git a/README.rst b/README.rst
@@ -103,19 +103,19 @@ Output:
         }],
     }
 
-To override the default maximum password length of 72 characters, set the
-``ZXCVBN_MAX_LENGTH`` environment variable:
+Another optional argument is ``max_length``, allowing override of the default max password length of 72.
+.. code:: python
 
-.. code-block:: bash
+    from zxcvbn import zxcvbn
 
-   export ZXCVBN_MAX_LENGTH=128
+    results = zxcvbn('JohnSmith321', user_inputs=['John', 'Smith'], max_length=88)
 
 .. warning::
-   We strongly advise against setting ``ZXCVBN_MAX_LENGTH`` to a value greater than 72,
+
+   We strongly advise against setting ``max_length`` greater than 72,
    as it can lead to long processing times and may leave server-side applications open
    to denial-of-service scenarios.
 
-
 Custom Ranked Dictionaries
 --------------------------
 
@@ -141,11 +141,13 @@ You an also use zxcvbn from the command line::
 
     echo 'password' | zxcvbn --user-input <user-input> | jq
 
+You can include a ``--max-length`` argument::
+    echo '<long password>' | zxcvbn --max-length 142
+
 You can also execute the zxcvbn module::
 
     echo 'password' | python -m zxcvbn --user-input <user-input> | jq
 
-
 Contribute
 ----------
 
diff --git a/tests/l33t_exploit_test.py b/tests/l33t_exploit_test.py
@@ -7,6 +7,6 @@ def test_l33t_exploit():
 
     password = "4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/"
 
-    # Function should raise ValueError for input exceeding default MAX_LENGTH of 72 chars
-    with pytest.raises(ValueError, match="Password length exceeds 72 characters"):
+    # Function should raise ValueError for input exceeding default max_length of 72 chars
+    with pytest.raises(ValueError, match="Password exceeds max length of 72 characters"):
         zxcvbn(password, user_inputs=[None])
diff --git a/tests/zxcvbn_test.py b/tests/zxcvbn_test.py
@@ -24,9 +24,7 @@ def test_long_password():
     input_ = None
     password = "weopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioejiojweopiopdsjmkldjvoisdjfioej"
 
-    # Function should raise ValueError for input exceeding default MAX_LENGTH of 72 chars
-    with pytest.raises(ValueError, match="Password length exceeds 72 characters"):
-        zxcvbn(password, user_inputs=[input_])
+    zxcvbn(password, user_inputs=[input_], max_length=316)
 
 
 def test_dictionary_password():
diff --git a/zxcvbn/__init__.py b/zxcvbn/__init__.py
@@ -3,13 +3,11 @@
 
 from . import matching, scoring, time_estimates, feedback
 
-DEFAULT_MAX_LENGTH = 72
-MAX_LENGTH = int(os.environ.get('ZXCVBN_MAX_LENGTH', DEFAULT_MAX_LENGTH))
 
-def zxcvbn(password, user_inputs=None):
+def zxcvbn(password, user_inputs=None, max_length=72):
     # Throw error if password exceeds max length
-    if len(password) > MAX_LENGTH:
-        raise ValueError(f"Password length exceeds {MAX_LENGTH} characters.")
+    if len(password) > max_length:
+        raise ValueError(f"Password exceeds max length of {max_length} characters.")
 
     try:
         # Python 2 string types
diff --git a/zxcvbn/__main__.py b/zxcvbn/__main__.py
@@ -16,6 +16,12 @@
     help='user data to be added to the dictionaries that are tested against '
          '(name, birthdate, etc)',
 )
+parser.add_argument(
+    '--max-length',
+    default=72,
+    type=int,
+    help='Override password max length (default: 72)'
+)
 
 class JSONEncoder(json.JSONEncoder):
     def default(self, o):
@@ -36,7 +42,7 @@ def cli():
     else:
         password = getpass.getpass()
 
-    res = zxcvbn(password, user_inputs=args.user_input)
+    res = zxcvbn(password, user_inputs=args.user_input, max_length=args.max_length)
     json.dump(res, sys.stdout, indent=2, cls=JSONEncoder)
     sys.stdout.write('\n')
 
