mozilla / api.webmaker.org

Services for Webmaker
https://api.webmaker.org

Consider using password strength test instead of specific rules #178

Open k88hudson opened 9 years ago

k88hudson commented 9 years ago

I was looking around at validation stuff the other day and found https://github.com/dropbox/zxcvbn, which uses a bunch of rules that get converted into a generic indicator of password strength rather than a single rule set. The output looks like this:

result.entropy            # bits

result.crack_time         # estimation of actual crack time, in seconds.

result.crack_time_display # same crack time, as a friendlier string:
                          # "instant", "6 minutes", "centuries", etc.

result.score              # [0,1,2,3,4] if crack time is less than
                          # [10**2, 10**4, 10**6, 10**8, Infinity].
                          # (useful for implementing a strength bar.)

result.match_sequence     # the list of patterns that zxcvbn based the
                          # entropy calculation on.

result.calc_time          # how long it took zxcvbn to calculate an answer,
                          # in milliseconds.

and appears to users like this:

[image]

It seems like this would be a better user experience for helping people create strong passwords, what do you think?

More info here: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
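To make the difference between a fixed rule set and a strength estimate concrete, here is an added example (not code from this issue, from Webmaker, or from zxcvbn itself): a small zxcvbn-style estimator that splits a password into matched patterns, sums the entropy of each, converts that into a crack time at an assumed guess rate, and maps it onto the same 0 to 4 score buckets quoted above (crack time below 10^2, 10^4, 10^6, 10^8 seconds). The word list, the pattern matchers, the guess rate of 10^4 per second and the rule-set checker it is compared against are all constructed simplifications, not zxcvbn's real matching or word lists.

```javascript
// Added example, not code from the issue or from zxcvbn: a zxcvbn-style
// estimator that scores a password by the patterns it finds instead of by a
// fixed rule set. Everything below (word list, matchers, guess rate) is a
// constructed simplification chosen to make the comparison readable.

// Constructed mini word list, most common first (rank = index + 1).
const DICTIONARY = ['password', 'welcome', 'letmein', 'monkey', 'dragon', 'webmaker', 'mozilla'];

// Assumed attacker throughput; a hypothetical figure, not a measured one.
const GUESSES_PER_SECOND = 1e4;

// Size of the character class a single character is drawn from.
function cardinality(ch) {
  if (/[a-z]/.test(ch)) return 26;
  if (/[A-Z]/.test(ch)) return 26;
  if (/[0-9]/.test(ch)) return 10;
  return 33; // printable symbols and space
}

// Undo a few common "leet" substitutions so that P@ssw0rd still hits the word list.
function unleet(s) {
  return s.toLowerCase().replace(/0/g, 'o').replace(/1/g, 'i').replace(/3/g, 'e')
          .replace(/@/g, 'a').replace(/\$/g, 's');
}

// Split the password, left to right, into matched patterns (the analogue of
// zxcvbn's match_sequence): dictionary word, run of digits, repeated character,
// or a single brute-forced character when nothing else fits.
function matchSequence(password) {
  const seq = [];
  let i = 0;
  while (i < password.length) {
    const rest = password.slice(i);
    const plain = unleet(rest);
    const word = DICTIONARY.find(w => plain.startsWith(w));
    if (word) {
      const token = rest.slice(0, word.length);
      seq.push({ pattern: 'dictionary', token, rank: DICTIONARY.indexOf(word) + 1,
                 upper: /[A-Z]/.test(token), leet: token.toLowerCase() !== word });
      i += word.length;
      continue;
    }
    const digits = /^\d{2,}/.exec(rest);
    if (digits) { seq.push({ pattern: 'digits', token: digits[0] }); i += digits[0].length; continue; }
    const rep = /^(.)\1+/.exec(rest);
    if (rep) { seq.push({ pattern: 'repeat', token: rep[0] }); i += rep[0].length; continue; }
    seq.push({ pattern: 'bruteforce', token: rest[0] });
    i += 1;
  }
  return seq;
}

// Entropy in bits of one match: log2 of the guesses an attacker who knows the
// pattern would need. Capitalisation and leet each add only one bit.
function matchEntropy(m) {
  switch (m.pattern) {
    case 'dictionary': return Math.log2(m.rank) + (m.upper ? 1 : 0) + (m.leet ? 1 : 0);
    case 'digits':     return m.token.length * Math.log2(10);
    case 'repeat':     return Math.log2(m.token.length) + Math.log2(cardinality(m.token[0]));
    default:           return Math.log2(cardinality(m.token));
  }
}

// Friendlier string for a crack time, in the spirit of crack_time_display.
function crackTimeDisplay(seconds) {
  if (seconds < 1) return 'instant';
  if (seconds < 60) return `${Math.round(seconds)} seconds`;
  if (seconds < 3600) return `${Math.round(seconds / 60)} minutes`;
  if (seconds < 86400) return `${Math.round(seconds / 3600)} hours`;
  if (seconds < 31536000) return `${Math.round(seconds / 86400)} days`;
  if (seconds < 3153600000) return `${Math.round(seconds / 31536000)} years`;
  return 'centuries';
}

// Produce a result object shaped like the one quoted in the issue.
function estimate(password) {
  const start = Date.now();
  const match_sequence = matchSequence(password);
  const entropy = match_sequence.reduce((sum, m) => sum + matchEntropy(m), 0);
  // Expected work is half the keyspace: 2^entropy / 2 guesses at the assumed rate.
  const crack_time = Math.pow(2, entropy) / 2 / GUESSES_PER_SECOND;
  const score = [1e2, 1e4, 1e6, 1e8, Infinity].findIndex(limit => crack_time < limit);
  return { entropy, crack_time, crack_time_display: crackTimeDisplay(crack_time),
           score, match_sequence, calc_time: Date.now() - start };
}

// The rule-set approach the issue wants to replace, for comparison:
// at least 8 characters with upper, lower, digit and symbol (constructed rules).
function passesRules(password) {
  return password.length >= 8 && /[a-z]/.test(password) && /[A-Z]/.test(password) &&
         /[0-9]/.test(password) && /[^a-zA-Z0-9]/.test(password);
}

for (const pw of ['P@ssw0rd1', 'correct horse battery staple']) {
  const r = estimate(pw);
  console.log(`${pw}: rules=${passesRules(pw)} score=${r.score} (${r.crack_time_display}, ${r.entropy.toFixed(1)} bits)`);
}
```

Running it shows the point of the issue: `P@ssw0rd1` satisfies every rule yet collapses to a leet-substituted dictionary word plus one digit (about 5 bits, score 0, "instant"), while `correct horse battery staple` fails the rule set but scores 4 because no pattern shorter than brute force explains it. A strength bar driven by `score` lets a classroom user pick the second kind of password without memorising the rules that reject it.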

jbuck commented 9 years ago

Yesssssss, this is so much better.

matthewsot commented 9 years ago

This would definitely solve the problem I was describing in that issue!

I've thrown together what I think is a working version of it at matthewsot/id.webmaker.org (see https://github.com/matthewsot/id.webmaker.org/commit/62aeb4614add43aaac38b4a9dc9dd60739704046) though I have close to zero experience with React/Node and am not able to test whether it actually works (it shows the strength meter, but I don't have the other parts set up to test if it will let you sign up with the validated password).

I'd really love to see this get implemented in Webmaker, as the current password requirements (IMO) are still far too stringent for a classroom environment. Any idea how much more work it would take to get this (or a similar solution) to the point where it can be used for Webmaker?

jbuck commented 9 years ago

@matthewsot Awesome! Could you submit that as a PR so we can review it?

k88hudson commented 9 years ago

Awesome @matthewsot!!

matthewsot commented 9 years ago

@jbuck - definitely, submitted: https://github.com/mozilla/id.webmaker.org/pull/388 :)