search

OmniLayer / omniwallet

Omni Protocol Hybrid Web-Wallet
https://www.omniwallet.org
GNU Affero General Public License v3.0
327 stars 185 forks source link

Password Requirement Redesign #606

Open achamely opened 10 years ago

achamely commented 10 years ago

Combined from #234, #227

  1. Adding characters to a strong password should not reduce its strength. Ex. Make a strong password, add some characters/digits of the same kind (AAAAAA) > password strength is going down.

  2. Evaluating the strength of the password A. We need to do some back-on-the-envelope calculation here to make sure our encryption system is solid. We can always upgrade it to use a slower encryption method (e.g. two round of AES256 instead of one) if we want ... but we need to understand where we are at first (this should be added to the https://github.com/mastercoin-MSC/omniwallet/blob/master/design/login.md). Note that 1 is required to be able to confidently launch - but we just need an estimate, not an exact calculation.

    B. Phase two - add this calculation to the password creation UI, so the user sees this and can choose accordingly.

Recommended plan of attack: Rework the password checking/strength library/setup all together.

  1. Remove the 'limitation' on the 70% and turn it into a recommendation/warning instead.
  2. Check/get a better library that doesn't succumb to the complexity drop with added characters (maybe something like http://www.codeproject.com/Articles/19245/Google-Password-Strength-API)
  3. Minimum password length can be 6 characters in length but the content of the password should not preclude its use
achamely commented 10 years ago

from shannon on 234: Noteworthy calculation here: https://www.grc.com/haystack.htm but this link is purely a brute force exhaustive password attempt calculation. It doesn't take into account other encryption attacks

dexX7 commented 10 years ago

In this context I'd like to give this issue a push: #895 Registration: it's scary and password requirements are arbitrary

The "password strength indicator" is indeed one of the things that might be improved in this context in my opinion. If I'm not mistaken, then the following library is used: https://github.com/Venturocket/angular-password-strength/blob/master/src/service.js

The rule set seems to be pretty much arbitrary - or let's rather say "incomplete".

http://www.codeproject.com/Articles/19245/Google-Password-Strength-API ... looks much better (also from an UI perspective!), but please avoid sending passwords to an external rating server as suggested in the article.

There was some work done in the field by NIST which wasn't fruitful, but still provides a solid basis which might be build upon: http://en.wikipedia.org/wiki/Password_strength#NIST_Special_Publication_800-63

As a side note: I don't think super heavy password policies are required at all, because there is already the wallet identifier which sort of acts as a "password" on it's own - at least from an user's POV.

dexX7 commented 10 years ago

I paintshopped the color of "weak" from red to orange, but this is how it looks like when registering a Google account - very awesome imho:

pwstrength

I'm liberal regarding those things and instead of "requiring" certain password strength, I'd rather warn and ask for confirmation, but hell, if one wants to use a three character password, let them. ;)

ripper234 commented 10 years ago

We may want to link to this article from the password dialog.

https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html