trichards57 / zxcvbn-cs

C#/.NET port of Dan Wheeler/DropBox's Zxcvbn JS password strength estimation library
MIT License
59 stars 19 forks

Need to implement warnings and suggestions #3

Closed trichards57 closed 3 years ago

trichards57 commented 6 years ago

One of the forks of this repo implements the warnings and suggestions from zxcvbn. This function needs pulling across.

Unfortunately I can't do a straight pull, as the refactoring I've just done breaks the merge, but the actual implementation should be manageable.

01binary commented 6 years ago

Thank you! We are looking forward to this. The pull request you would be porting over is (for posterity):

https://github.com/mickford/zxcvbn-cs/pull/7

trichards57 commented 6 years ago

Fair warning, I had underestimated quite how far the JavaScript library has moved on since the last update, so this may take a little longer than I'd like.

01binary commented 6 years ago

If you have any estimate for completion of the above milestone (i.e. in weeks, months or quarters) that would be most helpful.

trichards57 commented 6 years ago

I'll have a think about this when I get a bit more time to look at it properly.

Is this the main feature you're interested in?

01binary commented 6 years ago

We are also looking into using zxcvbn directly from JavaScript, as we have a choice of deploying .NET apps or Node.js apps - however, we have some legacy C# infrastructure which will then have to call into Node.js using an HTTP client. Tracing errors when something fails is a challenge with that setup.

We already have UI built years ago that uses Zxcvbn score and warnings by displaying them to the user, so we can't use an implementation that doesn't provide this output, or we would have to choose another C# library from scratch and rebuild everything.

Our security team would also have to review switching from the latest zxcvbn to a C# port, since most ports are 2 years out of date and missing important security patches. The changes would probably be rejected since missing patches will degrade our security.

Since I know we are moving to ASP.NET Core, it seems like investing in maintenance of an open-source library (so we have a C# zxcvbn implementation) would be smarter than rebuilding parts of a legacy system that will be shut down in a few years to use another password score library.

01binary commented 6 years ago

Decided to go with the Zxcvbn Node.js endpoint for now, and possibly use this package when we convert our backend to ASP.NET Core 2.x.

trichards57 commented 3 years ago

Should be fixed by #22