Open LamaKing opened 7 years ago
What do you mean? What is checkpwd supposed to do exactly?
Checkpwd.py is the script in andreatsh's branch that checks the strength of the pw inserted by users. As for now, it strips the first and last characters and looks for 3 classes: capital letters, lowercase, and either a number or a non-alphanumeric character.
As I said, I think it should also verify that none of the user details have been used to create the password, e.g. name, login and so on.
If we want something very thorough we could use zxcvbn. This is the package Dropbox uses. It's reliable, highly customizable, and provides indications on how the user can improve his password if requirements are not met.
The usage is really simple; it suffices to call `zxcvbn('JohnSmith123', user_inputs=['John', 'Smith'])` to get a score from 0 to 4. If the score is less than 3 the password is weak.
The drawback is that it adds another dependency we might not want, but I think it's worth checking out since it's a nice and well-made project.
What is the policy we want to apply, i.e. how to implement checkpwd.py?
Besides what AndreaTsh has already done, I think that we should at least look for exact matches of name, surname and login, as it is in the current version of userconf.
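The policy discussed in this thread, put together as one added example (not the project's checkpwd.py and not zxcvbn's own code): the three-class rule with first and last characters stripped, the user-detail rule, and the zxcvbn score threshold of 3 when the package is installed. The function names, the case-insensitive substring interpretation of "exact match", and the reason strings are assumptions.

```python
"""Password policy check assembled from the thread (added example; the
function names and the substring interpretation of "exact match" are
assumptions, not the project's checkpwd.py)."""
import re

try:
    from zxcvbn import zxcvbn  # optional extra dependency, as proposed
except ImportError:  # the basic rules still work without it
    zxcvbn = None

MIN_SCORE = 3  # zxcvbn score below this means "weak" (thread's threshold)


def has_required_classes(password: str) -> bool:
    """Strip first and last character, then require an uppercase letter,
    a lowercase letter, and a digit or a non-alphanumeric character."""
    core = password[1:-1]
    return (re.search(r"[A-Z]", core) is not None
            and re.search(r"[a-z]", core) is not None
            and re.search(r"[0-9]|[^A-Za-z0-9]", core) is not None)


def contains_user_detail(password: str, user_details) -> bool:
    """True if any detail (name, surname, login, ...) appears verbatim in
    the password, compared case-insensitively (assumed interpretation)."""
    pw = password.lower()
    return any(d and d.lower() in pw for d in user_details)


def check_password(password: str, user_details):
    """Return (ok, reasons): class rule, user-detail rule, and the zxcvbn
    score with feedback when the package is available."""
    reasons = []
    if not has_required_classes(password):
        reasons.append("needs an uppercase, a lowercase and a digit or "
                       "symbol (first and last character are ignored)")
    if contains_user_detail(password, user_details):
        reasons.append("must not contain your name, surname or login")
    if zxcvbn is not None:
        result = zxcvbn(password, user_inputs=list(user_details))
        if result["score"] < MIN_SCORE:
            warning = result["feedback"]["warning"] or "too guessable"
            reasons.append(warning)
            reasons.extend(result["feedback"]["suggestions"])
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample input: the thread's own example user.
    print(check_password("JohnSmith123", ["John", "Smith", "jsmith"]))
```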