bluesky-social / social-app

The Bluesky Social application for Web, iOS, and Android
https://bsky.app
MIT License

Add password entropy requirements #2727

Open pfrazee opened 6 months ago

pfrazee commented 6 months ago

The account creation flow needs to measure the entropy in a password and disallow overly simple passwords.

mary-ext commented 6 months ago

The most common library for this is zxcvbn by Dropbox, and there's an official JS port for it as well. It seems like it's very large though, at 388.3 kB minzipped, so perhaps it might be best to lazily load this?

Looking around, there's an alternative implementation named zxcvbn-ts, and that might also be worth taking a look at.

zxcvbn-ts seems to have the languages separate: it's 9 kB minzipped for the core library, and 225.9 kB + 551.9 kB for the common + English language sets.

surfdude29 commented 6 months ago

> Looking around, there's an alternative implementation named zxcvbn-ts, and that might also be worth taking a look at.

Also, this comment details some key changes between zxcvbn and zxcvbn-ts.

And this is the demo page.

mary-ext commented 6 months ago

There's a simpler check if we skip dictionaries and assume that the user only makes use of the 93 characters that are on their keyboard: log2(93 ** length)
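
The keyboard-pool estimate from the comment above, as an added example that is not code from the social-app repository: it computes log2(93 ** length) as length * log2(93), adds a tighter variant that only credits the character classes actually present, and gates account creation on an assumed threshold. KEYBOARD_POOL_SIZE, MIN_ENTROPY_BITS and the function names are assumptions, and dictionary words are deliberately not handled (that is what zxcvbn adds).

```typescript
// Added example; not from the bluesky-social/social-app code base.
// Pool of 93 printable keyboard characters (assumed, as in the comment above).
const KEYBOARD_POOL_SIZE = 93;
// Assumed policy threshold in bits; tune to the product's risk appetite.
const MIN_ENTROPY_BITS = 50;

// Naive estimate: every character assumed drawn uniformly from the full pool.
// length * log2(pool) equals log2(pool ** length) but cannot overflow to
// Infinity for long passwords the way 93 ** length would.
function keyboardEntropyBits(password: string): number {
  return password.length * Math.log2(KEYBOARD_POOL_SIZE);
}

// Tighter estimate: only the character classes actually used count toward
// the pool, so an all-lowercase password is not credited with 93 symbols.
function classEntropyBits(password: string): number {
  let pool = 0;
  if (/[a-z]/.test(password)) pool += 26;
  if (/[A-Z]/.test(password)) pool += 26;
  if (/[0-9]/.test(password)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(password)) pool += 31; // remaining printable ASCII
  return pool === 0 ? 0 : password.length * Math.log2(pool);
}

interface PasswordCheck {
  ok: boolean;
  bits: number;
  reason?: string;
}

// Decision at sign-up: reject when the class-based estimate is below the
// threshold. A later zxcvbn pass can be layered on top to catch dictionary
// words and keyboard walks that this arithmetic overrates.
function checkPassword(password: string): PasswordCheck {
  const bits = classEntropyBits(password);
  if (bits < MIN_ENTROPY_BITS) {
    return {
      ok: false,
      bits,
      reason: `estimated ${bits.toFixed(1)} bits, need ${MIN_ENTROPY_BITS}`,
    };
  }
  return { ok: true, bits };
}
```

Note that "abcdefgh" scores about 52 bits under the naive formula but only about 38 bits once the pool is restricted to lowercase, which is why the check uses the class-based estimate.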

surfdude29 commented 6 months ago

Sorry for going a little off-topic: the serious data leakage incident at Spoutible which has been detailed today is a good reminder of how important it is to encourage users to create strong passwords when they sign up:

Troy Hunt: How Spoutible’s Leaky API Spurted out a Deluge of Personal Data


deviantsemicolon commented 6 months ago

https://xkcd.com/936