Evaluate password strength requirements

[xmatthewx]

It took me 15 minutes to set a password with enough entropy to satisfy Webmaker. It seems like 14 characters with a mix of uppercase, lowercase, numbers and a weird symbol or two should be enough for the accounts we are trying to protect. I knew what was happening but still wondered if the validation was broken.

Can we dial this back a little bit? I worry that we will lose potential users on Android.

cc @secretrobotron @simonwex

[thisandagain]

I'm seeing this as a regular frustration with users as well. I suggest we add promote this to launch blocker. Propose replacing rules with:

• Minimum password length: 6 characters
• Maximum password length: 256 characters

Remove all other constraints. If we want to protect users we should do it through throttling API requests and monitoring not by throwing up UX hurdles to the point where users end up writing passwords down on sticky notes. For those interested, there is a password management user research brown bag on Thursday that will address some of this. /cc @simonwex

[simonwex]

Totally agree with @thisandagain. The only thing that a more complicated password system does is make people write them down on post-its for others to see.

[ashleygwilliams]

:+1: i also agree.

the best thing i've found is making the suggestion that passphrases are very safe. sentences are easier to remember than garbage characters and numbers, capital or not- they are also way safer. people don't even consider it an option unless you mention it.

https://xkcd.com/936/

[cadecairos]

Minimum password length: 6 characters

I disagree, minimum should be 8, and even then that is considered weak (https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Password_Length)

If we're to remove other limitations we need at least two patches:

1. login.webmaker.org, to remove serverside strength checks
2. id.webmaker.org to remove server and client side strength

We can go even further and update webmaker-login-ux and any apps using it for login.

We should actively be encouraging passphrases if we're not enforcing other rules. I would also prefer if we continued disallowing the 10k most commonly used passwords

[xmatthewx]

If someone uses a common password, let's tell them and teach them (if we aren't already). Error : "That is a very common password and easy to guess. Try something else."

[cadecairos]

I had a chat with Cory Shields in IT about Mozilla's LDAP passphrase setup. They use a library called passwdqc, which just so happens to have been ported to node. it provides strength checks for all types of passwords: 1 character class (i.e. only lower case) up to 4 character classes, as well as passphrases.

It sounds like I should add that as a dependency in https://github.com/cadecairos/passtest and use it for all but the 10k common password check.

[ashleygwilliams]

:+1: i really like the passphrase setup for Mozilla's LDAP. :100: :heart:

[cadecairos]

Alright, I've got the solution for this, and it's owasp-password-strength-test and PassTest.

I've updated passtest to use owasp-password-strength-test internally, and extend a test onto the utility to blacklist the 10k most common passwords.

I'm going to suggest the following configuration:

• Minimum length of 8
• Maximum length of 256
• must pass at least 2 optional tests (at least two character classes)
• must not be on common password list
• cannot repeat characters 3 or more times
• If length > 20 consider it a passphrase and don't worry if it would fail any optional tests.

[thisandagain]

Alright ... my final proposal: :stuck_out_tongue_winking_eye:

• Minimum length of 8
• Maximum length of 256
• Must not be on common password list
• Must include at least one letter and one number (case insensitive)

Encouraging good behavior should be left up to the interface.

[cadecairos]

https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Password_Complexity

Final offer, lol

[thisandagain]

:boom: LOL. :+1:

Updated above.

[cadecairos]

with the secure coding guidelines basically giving us a minimum set of requirements, lets say that passwords must have two types of characters minumum, rather than letters and numbers. i.e. lower case and capital or lower case and special chars

[cadecairos]

I've got PR's here: https://github.com/mozilla/login.webmaker.org/pull/348 https://github.com/mozilla/id.webmaker.org/pull/319

I'm lost on how to get webpack to load a bloody js file though

[xmatthewx]

Resolved. Correct? By #348 and #319

[matthewsot]

Sorry if I'm misunderstanding the accepted fix to this, but https://id.webmaker.org/signup and https://id.mofostaging.net both still seem to require capital letters, even when using a number of different symbols, lowercase letters, and a total password length of over 8 characters (which, to my understanding, should work according to @cadecairos' link). Can anyone else confirm this is happening, or is this how it's supposed to work?

I help run a web development club at my school where we're really excited to try Thimble (great work on that, it's awesome!), and would honestly rather run the risk of someone's account getting hacked than have to deal with people resetting their passwords every single time we meet because they can't remember it (or seeing them pull out a piece of paper with their password on it for everyone around them to see). These problems get magnified when using school computers which clear all stored browser passwords upon log out and which don't provide the option of using any other password manager.

Thanks!

[xmatthewx]

Thanks @matthewsot for the input. @k88hudson proposed a new solution to evaluate strength rather than a require a specific combination: https://github.com/mozilla/api.webmaker.org/issues/178