dropbox / zxcvbn

Low-Budget Password Strength Estimation
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler
MIT License

Blocked by corporate firewall? #305

Open BenThomasFOD opened 3 years ago

BenThomasFOD commented 3 years ago

We implemented zxcvbn on our site (great work! Thanks!) but have had a couple of reports of it "not working" for some users: the zxcvbn script never loaded in their browser (using modern browsers like the latest version of Chrome, for example).

It appears it's being blocked by corporate firewalls in some cases (assuming because of the swearwords and NSFW words in the dictionary list).

Has anyone else had this problem and are there any potential workarounds?

BradKML commented 3 years ago

CDN? archive.fo? Not really the problem of ZXCVBN.

BenThomasFOD commented 3 years ago

We're not using a CDN currently, we're just loading it directly from our site. So all the other JS on the site is being loaded, but zxcvbn is being blocked (I assume) due to the NSFW words when the firewall "scans" the file / request being loaded. I'm not really saying it's an "issue" with zxcvbn because it's just how it works, it needs those words in there to be useful, but wondered if anyone had any elegant solutions to more gracefully handle it.

Or, just throwing ideas out there, would it work having a separate, shorter list of words which would potentially be blocked by firewalls handled differently: not stored in plaintext to be easily blocked by firewalls, but encrypted in some way?

Just interested to see how many other people are affected by this too - feels like it can't just be us so if there's loads I'd maybe have a look in my spare time to see if I can think of a solution.

BradKML commented 3 years ago

Save the repo in a ZIP file and send it as an email through the firewall? If ZXCVBN has to work correctly, the curse words have to be included.

BenThomasFOD commented 3 years ago

Oh.. no, these are just users of our public website who are having problems. zxcvbn is already on the site and used successfully by hundreds / thousands of users. We just have a "few" who get problems if they're accessing our website (well, setting their password) while they are behind a corporate firewall.

Would need to test the performance impact, but I assume encrypting those curse words would be enough to get it through the firewall and downloaded onto the user's browser; then it could decrypt that list of words to use as it does now. Using some really light encryption algorithm to keep the performance impact to a minimum.

BradKML commented 3 years ago

Perhaps add an exception to the corporate firewall? I am not a network engineer, but that is the keyword you are looking for: "Firewall Whitelist", "Firewall Exception".

BenThomasFOD commented 3 years ago

As I said, it's a "public" website. We're not in control of their networks :) we can't track down and contact random users to tell them to unblock specific js scripts on our website unless they contact us and say "hey, your site is broken", and then we can reply, "no it's not, your firewall is being too strict"

But how many of those users just never mention the issue and go elsewhere? :)

Just trying to come up with potential solutions or at least start a discussion which might help everyone who uses this (assuming we're not some special case and the only people having this problem).

BradKML commented 3 years ago

I would like to seriously ask: does the firewall lie on the server side, or the corporate user side? Other than using a ZIP file as data obfuscation, try encryption, as most firewalls can't block jumbled text.

TBH this repo is only used to host the maths/statistics algorithm, and NOT for any type of deployment. All deployment has to be dealt with elsewhere.

BenThomasFOD commented 3 years ago

The firewall is between the random user using our website, and the internet (ie on their corporate network)

MrWook commented 3 years ago

Someone had a similar problem: https://github.com/dropbox/zxcvbn/issues/239

I don't wanna make advertising but you could use https://github.com/zxcvbn-ts/zxcvbn where you load the dictionary afterward. With it the core library to identify the strength of a password is always loaded and only the dictionary itself can be blocked.

You could then load the dictionaries on the server, remove words that could be blocked and serve the new dictionary by yourself. On the other hand you could encrypt only the dictionaries on the server, load them into the frontend, decrypt the dictionaries and load them into zxcvbn. The downside of the encryption is that it would probably take a while to decrypt.

BenThomasFOD commented 3 years ago

Thanks, I've had a couple of good suggestions on StackOverflow which I'm going to try when I get time. Some of which are really simple but may just work :)

https://stackoverflow.com/questions/67604985/javascript-file-blocked-by-a-corporate-firewall/

I particularly like the simplicity of this example, will be great if it actually gets around it! But we'll see..

var frequency_lists;
frequency_lists = {
  passwords: "123456,password,eatsh" + "it,goodluck,starcraft"
};

mkopinsky commented 3 years ago

One option to consider which may do the trick depending on your user base: when someone reports a problem, have a standard email saying something like, "This is a firewall thing. Please recommend to your IT people that they whitelist $URL. In the meantime, you can visit oursite.com/reset-password?zxcvbn=false to reset your password if you promise to set it to something secure (since that URL doesn't enforce password strength)".

Or even perhaps

if (!window.zxcvbn) {
  // Double quotes so the apostrophe in "company's" does not end the string.
  window.alert("Seems like firewall is blocking.... Please append ?zxcvbn=false to the URL to get around your company's silly firewall rules");
}
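The feature check above detects a blocked script but then switches the strength check off. As an added example (not code from the zxcvbn project or from any commenter), here is the same detection with a conservative fallback instead of a bypass, and a flag so the server can run its own zxcvbn check when the client could not; it assumes zxcvbn is loaded as a global function as in the snippet above, and MIN_SCORE, MIN_LENGTH and the function names are this example's own.

```javascript
// zxcvbn scores passwords 0-4; require at least 3 when the estimator ran.
const MIN_SCORE = 3;
// Fallback rule used only when the script (or its dictionary) was blocked.
// Thresholds are constructed for this example; tune them to your own policy.
const MIN_LENGTH = 12;
const MIN_DISTINCT_CHARS = 5;

// Resolve the estimator the way the page's check does: the zxcvbn build
// defines a global function; anything else means the script never loaded.
function resolveEstimator(globalObj) {
  const fn = globalObj && globalObj.zxcvbn;
  return typeof fn === 'function' ? fn : null;
}

// Returns {ok, source, score, reason}. `estimator` is the zxcvbn function
// or null; `userInputs` is the same extra-dictionary argument zxcvbn takes.
function evaluatePassword(password, estimator, userInputs = []) {
  if (estimator) {
    const result = estimator(password, userInputs);
    const ok = result.score >= MIN_SCORE;
    return {
      ok,
      source: 'zxcvbn',
      score: result.score,
      reason: ok ? '' : 'Password is too guessable.',
    };
  }
  // Estimator blocked: apply a conservative local rule, never a free pass.
  const ok = password.length >= MIN_LENGTH
    && new Set(password).size >= MIN_DISTINCT_CHARS;
  return {
    ok,
    source: 'fallback',
    score: null,
    reason: ok ? '' : 'Strength checker could not load; use at least '
      + MIN_LENGTH + ' characters with some variety.',
  };
}

// What the form submits: the server re-runs zxcvbn itself whenever the
// client could not, so a blocked script never weakens the policy.
function submissionPayload(password, evaluation) {
  return { password, clientEstimatorRan: evaluation.source === 'zxcvbn' };
}
```

In the browser, call `resolveEstimator(window)` once the page has loaded and pass the result to `evaluatePassword` on each keystroke; the server should treat `clientEstimatorRan: false` as a signal to do the full check itself.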