dropbox / zxcvbn

Low-Budget Password Strength Estimation
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler
MIT License

JS package being marked as adult content #239

Open SDRACK opened 5 years ago

SDRACK commented 5 years ago

Hi all,

We've had an issue where Bitdefender is blocking the zxcvbn JS library -- categorising it as pornography -- presumably due to the number of adult-themed passwords included.

Seems to occur only on Windows.

A way of overcoming this would be great - perhaps an option of taking a url to retrieve the data via AJAX after initialising, reversing the stored words or similar.

Any feedback or advice greatly appreciated. Thanks in advance.

xtrasimplicity commented 5 years ago

From memory, there have been a few requests in the past for the ability to retrieve the dictionary on-demand via AJAX. I can't remember exactly what the outcome was, but it might be worth a quick look through the previous (closed?) issues and PRs?

On Fri., 26 Oct. 2018, 04:03 Steve Rackham, notifications@github.com wrote:


SDRACK commented 5 years ago

Thanks @xtrasimplicity - I've turned up this thread, though that's all I've been able to find.

I agree with the first response there, in that we'd rather avoid sending the password to the server for evaluation.

I think, rather, we'd prefer to retrieve the top 10k list via AJAX as the library loads (although I'm not sure if this would cause a similar issue). If this were still an issue, a second option taking a function to transform the data as it arrives would likely overcome this.

Hypothetically, something like the following:

zxcvbn('Tr0ub4dour&3', ['testing'], { source: '/path/to/source', transformation: (data) => data.split('').reverse().join('') })

I'm no expert with Javascript, so please consider the above completely hypothetical. However, any suggestions or advice about such an implementation (or completely different ideas on overcoming the adult content warning) are greatly appreciated.

Additionally, I'll look at plugging this into our code, and if we turn up anything that looks useful, will submit a PR for your review.
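A sketch of the loader the comment above describes, added here as an illustration and not part of zxcvbn or of the thread: the ranked list is fetched from a URL after the library initialises, a caller-supplied `transformation` undoes the obfuscation the server applied (reversed words), and the resulting dictionary is used only for local lookups, so the password never goes over the network. The option names `source` and `transformation`, the `fakeFetch` stub, the `OBFUSCATED_PAYLOAD` sample and all function names are assumptions made for this example.

```javascript
// Added example (not zxcvbn's own code): dictionary fetched after init, decoded
// client-side by a caller-supplied transform, then used only for local matching.

// Constructed sample of what the server would serve instead of the plain list:
// each entry is the real word reversed, one per line, in frequency order.
const OBFUSCATED_PAYLOAD = ['drowssap', '321321', 'llabtoof', 'yeknom', 'nogard']
  .join('\n');

// Caller-supplied transform (the `transformation` option from the comment):
// undo the per-line reversal. This is obfuscation against a content scanner,
// not a security control, so it is deliberately trivial and keyed on nothing.
function reverseEachLine(text) {
  return text
    .split('\n')
    .map((line) => line.split('').reverse().join(''))
    .join('\n');
}

// Turn the decoded newline-separated list into a rank map, mirroring the shape
// of zxcvbn's ranked dictionaries (word -> 1-based frequency rank).
function buildRankedDictionary(decodedText) {
  const ranks = Object.create(null);
  decodedText
    .split('\n')
    .map((w) => w.trim())
    .filter((w) => w.length > 0)
    .forEach((word, i) => {
      if (!(word in ranks)) ranks[word] = i + 1; // keep the first (highest) rank
    });
  return ranks;
}

// Fetch the list, apply the transform, build the dictionary. `fetchImpl` is
// injected so the example runs offline; in a browser it would be the global
// fetch. Option names { source, transformation } are assumed, as in the comment.
async function loadDictionary({ source, transformation }, fetchImpl) {
  const response = await fetchImpl(source);
  if (!response.ok) {
    throw new Error(`dictionary fetch failed: ${source} -> ${response.status}`);
  }
  const raw = await response.text();
  // Default transform is the identity, so an un-obfuscated list also works.
  const decoded = typeof transformation === 'function' ? transformation(raw) : raw;
  return buildRankedDictionary(decoded);
}

// Local lookup: the only place the password is used. Returns the rank if the
// password (compared case-insensitively, as zxcvbn does) is listed, else null.
function lookupRank(ranks, password) {
  const key = password.toLowerCase();
  return key in ranks ? ranks[key] : null;
}

// Constructed stand-in for fetch so the example needs no server.
function fakeFetch(url) {
  if (url !== '/path/to/source') {
    return Promise.resolve({ ok: false, status: 404, text: async () => '' });
  }
  return Promise.resolve({ ok: true, status: 200, text: async () => OBFUSCATED_PAYLOAD });
}

// Usage: fetch, decode, then check passwords without them ever leaving the client.
loadDictionary({ source: '/path/to/source', transformation: reverseEachLine }, fakeFetch)
  .then((ranks) => {
    console.log('password     ->', lookupRank(ranks, 'password'));     // 1
    console.log('Dragon       ->', lookupRank(ranks, 'Dragon'));       // 5
    console.log('Tr0ub4dour&3 ->', lookupRank(ranks, 'Tr0ub4dour&3')); // null
  });
```

The design point is the one raised earlier in the thread: evaluation stays on the client, and the only thing that crosses the network is the dictionary, which a scanner sees in its transformed form. Whether a reversed list still trips the filter can only be settled by testing it against Bitdefender, as the comment notes.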

tracker1 commented 5 years ago

And this is EXACTLY why I hate language filters of any kind... it will NEVER result in what the intent is (making people be nice).